a worm - tel.xls.exe
2006-10-31 02:19:43 / Weather: Sunny / Mood: Happy / Category: Security
File name: tel.xls.exe
Size: 48.0 KB (49,152 bytes)
Checksum: d88f7c6c15585404c30c92a11c429c36 (MD5)
Packer: None
Written in: Visual Basic 6
Virus detected as:
- KAV: Trojan.Win32.VB.atg
- Duba: -
- Rising: -
- KV: -
Details:
File System Change(s):
- After execution, the file replicates itself to:
  - %System%\SocksA.exe
  - %System%\algsrv.exe
  - %System%\FileKan.exe
  Note: %System% is an environment variable that represents the System32 folder in Windows NT/2000/XP/Server 2003 (e.g. C:\Windows\System32).
- It also replicates itself to all fixed drives, renamed as tel.xls.exe.
- It creates an autorun.inf on all fixed drives.
- After replicating the files, it executes explorer.exe with the parameter %SystemDrive%, so a Windows Explorer window is shown.
Registry Change(s):
- Creates the following values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
  - "ASocksrv" = "SocksA.exe"
  - "BSserver" = "FileKan.exe"
- Modifies the value "CheckedValue" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Removal Procedure:
- Press Ctrl + Alt + Del to open Windows Task Manager and terminate the following processes:
  - SocksA.exe
  - algsrv.exe
  - FileKan.exe
- Delete the autorun.inf files.
- Delete the tel.xls.exe files.
- Delete the following files:
  - %System%\SocksA.exe
  - %System%\algsrv.exe
  - %System%\FileKan.exe
  Note: %System% is an environment variable that represents the System32 folder in Windows NT/2000/XP/Server 2003 (e.g. C:\Windows\System32).
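A small triage check over the indicators listed in this write-up, added here as an example (it is not part of the original post). It runs over a snapshot you collect separately: the Run key values, a file listing from the fixed drives and %System%, and the SHOWALL CheckedValue; the sample snapshot below is constructed, and the assumption that an untampered CheckedValue is 1 is mine, since the write-up only says the value is modified.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Indicators from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"ASocksrv": "SocksA.exe", "BSserver": "FileKan.exe"}
DROPPED_NAMES = {"socksa.exe", "algsrv.exe", "filekan.exe"}
WORM_COPY = "tel.xls.exe"
DRIVE_ROOT = re.compile(r"[a-z]:\\?")
# Assumption: an untampered SHOWALL\CheckedValue is 1; the write-up only says it is modified.
HEALTHY_CHECKED_VALUE = 1


def triage(run_values: Dict[str, str], system_dir: str, files: Iterable[str],
           showall_checked_value: int) -> List[str]:
    """Return one finding per indicator matched in the collected snapshot."""
    findings: List[str] = []
    # Registry persistence: the two Run values the worm creates.
    for name, data in RUN_VALUES.items():
        if run_values.get(name, "").lower().endswith(data.lower()):
            findings.append(f"run-key persistence: {RUN_KEY}\\{name} = {run_values[name]}")
    # Dropped copies in %System%, tel.xls.exe anywhere, autorun.inf in a drive root.
    sys_dir = ntpath.normcase(system_dir)
    for path in files:
        directory, base = ntpath.split(path)
        base = base.lower()
        if ntpath.normcase(directory) == sys_dir and base in DROPPED_NAMES:
            findings.append(f"dropped file in %System%: {path}")
        elif base == WORM_COPY:
            findings.append(f"worm copy: {path}")
        elif base == "autorun.inf" and DRIVE_ROOT.fullmatch(directory.lower()):
            findings.append(f"autorun.inf in drive root: {path}")
    # Explorer "show hidden files" tampering.
    if showall_checked_value != HEALTHY_CHECKED_VALUE:
        findings.append(f"SHOWALL CheckedValue changed to {showall_checked_value}")
    return findings


# Constructed snapshot of an infected host (not real data).
SAMPLE_RUN_VALUES = {"ASocksrv": "SocksA.exe", "BSserver": "FileKan.exe",
                     "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\Windows\System32\SocksA.exe", r"C:\Windows\System32\algsrv.exe",
                r"C:\Windows\System32\FileKan.exe", r"C:\tel.xls.exe", r"C:\autorun.inf",
                r"D:\tel.xls.exe", r"D:\autorun.inf", r"C:\Windows\notepad.exe"]

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_VALUES, r"C:\Windows\System32", SAMPLE_FILES, 0):
        print(line)
```

The findings follow the order of the removal procedure: processes to terminate first, then files and registry values to clean up.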
Comment: In fact, this is a worm.
Write-up by: Krazaf/tkabc