07-09-2006, 10.38.23   #5
Davide71
malware

hi,

you need to remove it:

Date: 12/12/2005
Name: Trojan.Win32.Agent.TA
Type: Trojan - BHO
Status: X
Filename: iewatch.exe - kaboom.dll
Startup: IEAgent update check - {CC56A1F3-9B83-45FF-8CB6-D58959492F0F}
Size: 19968 bytes
Description: Arrives in a spam email inviting the recipient to visit the site http://www.funnymoviesgallerie.com/72364 or bebotamovies.com to watch a video. Running the video prompts the user to install a codec (VideoCodec3_05b.exe) for playback, which installs iewatch.exe and kaboom.dll.
iewatch.exe connects to the site http://joywebsurfer.com (or from 192.168.0.2) to download the file ieagent_setup.exe in order to update the trojan with a new release.
The file kaboom.dll (45056 bytes) is a BHO and connects to the sites:
http://joywebsurfer.com
http://mucho-cool.com
http://epromosystems.com
There are other variants of the iewatch.exe file with a size of 23040 bytes.
More info from Sophos:

Troj/Agent-IF is a Trojan for the Windows platform.

Troj/Agent-IF is capable of spying on a user's browsing habits, modifying Microsoft Internet Explorer settings, downloading further executables and displaying popup advertisements.

When Troj/Agent-IF is installed the following files are created:

<Temp>\wmpl.exe
<System>\gtrack.dll
<System>\kaboom.dll

The files gtrack.dll and kaboom.dll are registered as COM objects and Browser Helper Objects (BHOs) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{4BC9A7AC-2329-49D0-B07F-5FE484029DC2}
HKCR\CLSID\{A853979C-2A9A-4ACB-8975-5740A7E26CB4}
HKCR\Interface\{BAA919E5-FD47-4D7E-95AB-5B2CDA493358}
HKCR\Interface\{D861BD5E-E1E7-4E5E-AB15-CB347FBDBC6D}
HKCR\Kaboom.IEagent\
HKCR\Kaboom.IEagent.1\
HKCR\TypeLib\{023E6659-1A0A-4724-9273-66EA06A82C98}
HKCR\TypeLib\{E0C0FC76-CC5E-46E2-B77A-4C2ADD965B9F}
HKCR\Watcher.GoogleTracker\
HKCR\Watcher.GoogleTracker.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BC9A7AC-2329-49D0-B07F-5FE484029DC2}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A853979C-2A9A-4ACB-8975-5740A7E26CB4}

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\SUW\


bye.
___________________________________

Greetings and thanks for your attention.
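As an added example (not from the post above nor from Sophos), a small Python check that parses a registry export produced with `reg export` and flags the indicators the Sophos write-up lists: the two BHO CLSIDs under Browser Helper Objects, the Kaboom.IEagent / Watcher.GoogleTracker ProgIDs, the HKLM\SOFTWARE\Microsoft\SUW key, and any COM server path pointing at one of the dropped files. The sample export is constructed for the demonstration, and the parser only handles the string values this check needs.

```python
# Indicators from the Sophos write-up quoted above: BHO CLSIDs, ProgIDs, dropped files.
BHO_CLSIDS = {"{4BC9A7AC-2329-49D0-B07F-5FE484029DC2}", "{A853979C-2A9A-4ACB-8975-5740A7E26CB4}"}
PROGIDS = {"kaboom.ieagent", "watcher.googletracker"}
DROPPED_FILES = {"kaboom.dll", "gtrack.dll", "wmpl.exe", "iewatch.exe"}
# 'reg export' writes full hive names (HKEY_LOCAL_MACHINE, not HKLM) and brace-delimited CLSIDs.
BHO_ROOT = (r"hkey_local_machine\software\microsoft\windows\currentversion"
            r"\explorer\browser helper objects" + "\\")
SUW_KEY = r"hkey_local_machine\software\microsoft\suw"

def parse_reg_export(text):
    # Parse regedit/.reg export text into {key_path: {value_name: string_data}}
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith("@=")):
            name, _, data = line.partition("=")
            # .reg escapes backslashes and double quotes inside string data
            data = data.strip().strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(reg_text):
    """Return (kind, key, detail) tuples for every indicator found in the export."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k.startswith(BHO_ROOT) and leaf.upper() in BHO_CLSIDS:
            hits.append(("bho", key, leaf.upper()))           # BHO registration for IE
        if k.startswith("hkey_classes_root\\") and leaf.lower().removesuffix(".1") in PROGIDS:
            hits.append(("progid", key, leaf))                # ProgID, with or without ".1"
        if k == SUW_KEY:
            hits.append(("suw", key, ""))                     # trojan's own data key
        for data in values.values():                          # e.g. InprocServer32 default value
            if data.rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
                hits.append(("file", key, data))
    return hits

# Constructed sample export (not a real capture); the second BHO is a benign negative case.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4BC9A7AC-2329-49D0-B07F-5FE484029DC2}\InprocServer32]
@="C:\\WINDOWS\\system32\\kaboom.dll"
[HKEY_CLASSES_ROOT\Kaboom.IEagent.1]
@="IEagent Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BC9A7AC-2329-49D0-B07F-5FE484029DC2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUW]
"""
```

Running `find_indicators` over an export of HKCR and HKLM\SOFTWARE from the affected machine yields one tuple per hit, so an empty list after cleanup is the confirmation that the registration is gone.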