ViRobot/HAURI

Trojan.Win32.S.FakeAV.249344.C
Type
Hoax
Risk level / Spread level
/
Discovery date
[Korea] 0000-00-00 [Foreign] 0000-00-00
ViRobot response
2012-08-02 [Able to detect & repair]

A. Main symptoms of infection
Information about the computer and its users could be leaked to outside parties as a result of the infection.

B. Packer
Armadillo v1.71

C. Analysis information
It creates or modifies the following files.

(User Account Folder)\All Users\Application Data\it_k#ZMr
(User Account Folder)\USER\Start Menu\Program\File Recovery\File Recovery.lnk
(User Account Folder)\USER\Start Menu\Program\File Recovery\Uninstall File Recovery.lnk
(User Account Folder)\USER\Desktop\File_Recovery.lnk

It creates the following process.

(User Account Folder)\All Users\Application Data\it_k#ZMr.exe

It modifies the following registry entries.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData"=REG_SZ:(User Account Folder)\All Users\Application Data
"Common Documents"=REG_SZ:(User Account Folder)\All Users\Documents
"Common Desktop"=REG_SZ:(User Account Folder)\All Users\Desktop
"Common Start Menu"=REG_SZ:(User Account Folder)\All Users\Start Menu
"CommonPictures"=REG_SZ:(User Account Folder)\All Users\Documents\My Pictures
"CommonMusic"=REG_SZ:(User Account Folder)\All Users\Documents\My Music
"CommonVideo"=REG_SZ:(User Account Folder)\All Users\Documents\My Videos

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"=REG_SZ:(User Account Folder)\USER\Desktop
"Programs"=REG_SZ:(User Account Folder)\USER\Start Menu\Program
"Cache"=REG_SZ:(User Account Folder)\USER\Local Settings\Temporary Internet Files
"Cookies"=REG_SZ:(User Account Folder)\USER\Cookies
"History"=REG_SZ:(User Account Folder)\USER\Local Settings\History
"Personal"=REG_SZ:(User Account Folder)\USER\My Documents
"Start Menu"=REG_SZ:(User Account Folder)\USER\Start Menu
"AppData"=REG_SZ:(User Account Folder)\USER\Application Data
"My Pictures"=REG_SZ:(User Account Folder)\USER\My Documents\My Pictures

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"=REG_SZ:Yes

[HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=REG_DWORD:00023e00

[HKCU\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"=REG_SZ:no

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=REG_DWORD:00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=REG_SZ:.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;

[HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT]
"EventMessageFile"=REG_EXPAND_SZ:(System Folder)\ESENT.dll
"CategoryMessageFile"=REG_EXPAND_SZ:(System Folder)\ESENT.dll
"CategoryCount"=REG_DWORD:00000010
"TypesSupported"=REG_DWORD:00000007

[HKLM\SOFTWARE\Microsoft\ESENT\Process\it_k#ZMr\DEBUG]
"Trace Level"=REG_SZ:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a472b432-98ef-11df-9531-806d6172696f}]
"BaseClass"=REG_SZ:Drive

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a472b430-98ef-11df-9531-806d6172696f}]
"BaseClass"=REG_SZ:Drive

It deletes the following registry entries.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\internat.exe
HKLM\SOFTWARE\Microsoft\ESENT\Process\it_k#ZMr\DEBUG\\Trace Level
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL

It runs again after reboot by adding the following registry entry.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"it_k#ZMr"=REG_SZ:(Root Folder)\DOCUME~1\ALLUSE~1\APPLIC~1\it_k#ZMr.exe

It modifies Internet Explorer settings by editing the following registry entries.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=REG_DWORD:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing"=REG_DWORD:00000000
"WarnonBadCertRecving"=REG_DWORD:00000000
"CertificateRevocation"=REG_DWORD:00000000
"MigrateProxy"=REG_DWORD:00000001
"ProxyEnable"=REG_DWORD:00000000

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory"=REG_SZ:(User Account Folder)\USER\Local Settings\Temporary Internet Files\Content.IE5
"Paths"=REG_DWORD:00000004

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath"=REG_SZ:(User Account Folder)\USER\Local Settings\Temporary Internet Files\Content.IE5\Cache1
"CacheLimit"=REG_DWORD:00013fa6

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath"=REG_SZ:(User Account Folder)\USER\Local Settings\Temporary Internet Files\Content.IE5\Cache2
"CacheLimit"=REG_DWORD:00013fa6

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath"=REG_SZ:(User Account Folder)\USER\Local Settings\Temporary Internet Files\Content.IE5\Cache3
"CacheLimit"=REG_DWORD:00013fa6

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath"=REG_SZ:(User Account Folder)\USER\Local Settings\Temporary Internet Files\Content.IE5\Cache4
"CacheLimit"=REG_DWORD:00013fa6

[HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"=REG_DWORD:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings"=REG_BINARY:3c 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 10 9c 48 c6 25 4c cc 01 01 00 00 00 0a 00 02 0f 00 00 00 00 00 00 00 00

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=REG_DWORD:00000001
"IntranetName"=REG_DWORD:00000001
"UNCAsIntranet"=REG_DWORD:00000001

It connects to the following network paths.

http://***veling*na.c*m
http://***destruct.c*m
http://si***disful.c*m
http://*****retin.c*m

[How to repair]

Repairable by ViRobot engine ver.2012-08-02.01 or above.