Trojan.PWS.Agent.SGD (Trojan-GameThief.Win32.OnLineGames.tpnr, PWS-Mmorpg.gen trojan, TR/Agent.14336.49, Trojan.Siggen.337)
SYMPTOMS:
If you have at least one of the following files on your computer, you are infected:
- %windir%\system32\system.exe (size: 7.5 KB)
- %windir%\system32\drivers\hbkernel32.sys (size: 17.6 KB)
(where %windir% stands for c:\windows or c:\winnt, depending on the operating system)

TECHNICAL DESCRIPTION:
The malware drops the following files:
1) %windir%\system32\hbqqxx.dll - this .dll is injected into all running processes and tries to steal sensitive information, such as user accounts and passwords for the Tencent QQ instant messaging program
2) %windir%\system32\system.exe
3) %windir%\system32\drivers\hbkernel32.sys
   - a service named HBKernel32 is created and started at every system startup
   - sets the registry key: HKLM\System\CurrentControlSet\Services\HBKernel32 ImagePath -> %windir%\system32\drivers\HBKernel32.sys
   - the NtSetValueKey entry in the System Service Descriptor Table (SSDT) is hooked to point to code from this file
4) c:\documents and settings\%user_name%\ - this is a batch script that deletes the original malware file after it completes its tasks

After dropping these files, the trojan runs system.exe and selfdel.bat.

System.exe performs the following registry operations:
- adds itself to the registry key to run at every system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HBService32 -> System.exe
- sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs -> HBmhly.dll, HB1000Y.dll, HBWOOOL.dll, HBXY2.dll, HBJXSJ.dll, HBSO2.dll, HBFS2.dll, HBXY3.dll, HBSHQ.dll, HBFY.dll, HBWULIN2.dll, HBW2I.dll, HBKDXY.dll, HBWORLD2.dll, HBASKTAO.dll, HBZHUXIAN.dll, HBWOW.dll, HBZERO.dll, HBBO.dll, HBCONQUER.dll, HBSOUL.dll, HBCHIBI.dll, HBDNF.dll, HBWARLORDS.dll, HBTL.dll, HBPICKCHINA.dll, HBCT.dll, HBGC.dll, HBHM.dll, HBHX2.dll, HBQQHX.dll, HBTW2.dll, HBQQSG.dll, HBQQFFO.dll, HBZT.dll, HBMIR2.dll, HBRXJH.dll, HBYY.dll, HBMXD.dll, HBSQ.dll, HBTJ.dll, HBFHZL.dll, HBWLQX.dll, HBLYFX.dll, HBR2.dll, HBCHD.dll, HBTZ.dll, HBQQXX.dll, HBWD.dll, HBZG.dll, HBPPBL.dll, HBXMJ.dll, HBJTLQ.dll, HBQJSJ.dll
- removes the entries 360Safetray and 360Safebox from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; these belong to a Chinese antivirus product

System.exe runs as a process accessible only from kernel mode. Trying to kill this process with Task Manager produces an error.

REMOVAL INSTRUCTIONS:
Please let BitDefender delete your infected files.

ANALYZED BY: Boeriu Laura, virus researcher
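The indicators listed above (dropped files, the HBService32 Run entry, HB*.dll names in AppInit_DLLs and the HBKernel32 driver service) can be checked on a host with the following script. It is an added example written for this entry, not a BitDefender tool; the function name Test-HBKernel32Indicators is our own choice, and file sizes are not compared because the description only gives approximate values.

```powershell
# Added example (not BitDefender's own tool): checks a Windows host for the
# indicators this entry lists. Run from an elevated PowerShell prompt.
# Returns one string per finding; an empty result means none were seen.
function Test-HBKernel32Indicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $sys32 = Join-Path $env:windir 'system32'

    # 1. Dropped files named in the description (path check only; sizes are approximate)
    $files = @(
        (Join-Path $sys32 'system.exe'),
        (Join-Path $sys32 'hbqqxx.dll'),
        (Join-Path $sys32 'drivers\hbkernel32.sys')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $size = (Get-Item -LiteralPath $f).Length
            $findings += "file present: $f ($size bytes)"
        }
    }

    # 2. Run-key persistence: HBService32 -> System.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['HBService32']) {
        $findings += "Run key HBService32 -> $($run.HBService32)"
    }

    # 3. AppInit_DLLs is loaded into every user-mode process; flag any HB*.dll entry
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $win = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    if ($win -and $win.AppInit_DLLs) {
        $hits = $win.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ -match '^HB.*\.dll$' }
        if ($hits) { $findings += "AppInit_DLLs contains: $($hits -join ', ')" }
    }

    # 4. Kernel driver service HBKernel32 and its ImagePath
    $svcKey = 'HKLM:\System\CurrentControlSet\Services\HBKernel32'
    if (Test-Path -Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "service HBKernel32 registered, ImagePath = $img"
    }

    return $findings
}

Test-HBKernel32Indicators | ForEach-Object { Write-Warning $_ }
```

Because the driver hooks NtSetValueKey in the SSDT and hides system.exe from user-mode tools, a clean result from this script on a live system is weaker evidence than the same check run against the offline disk and registry hives.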