ViRobot/HAURI

Trojan.Win32.Poweliks.75776
Type
Trojan Horse
Risk level / Spread level
/
Discovery date
[Korea] 2014-08-06 [Foreign] 0000-00-00
ViRobot response
2014-08-06 [Able to detect & repair]
[Symptom of infection]

1) It accesses the following IPs.

178.89.159.34
178.89.159.35

It accesses the following web sites and tries to download and install files from them.

2) It creates the following registry values.

* The first registered value (Run section)

This malicious code creates two [Default] registry values, but only one [Default] value is shown in the Registry Editor.

Both [Default] values can be seen with the AutoRuns and Gmer tools, as follows.

* The second registered value (Run section)

* The third registered value (Unicode)
A Unicode registry key is created by the malicious code under the following [Run] registry key, but the Unicode key is not shown by the Regedit program.

However, the key can be seen after exporting it, as follows.


3) It executes a script using the legitimate rundll32.exe and continuously tries to download additional files.
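To check a host for the hidden Run entries described above, here is an added PowerShell example (not HAURI's or ViRobot's code). It assumes that a hidden entry carries control characters in its value name and that the rundll32 script loader shows up in the value data as a script-engine reference; neither detail is given on this page.

```powershell
# Added example: enumerate the user and machine Run keys and flag values
# whose name contains control characters (which Regedit cannot render)
# or whose data runs a script through rundll32.exe.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-SuspiciousRunValues {
    param([string[]] $Keys = $runKeys)
    $findings = @()
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string] $item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            # Assumption: a legitimate Run entry never has U+0000-U+001F or
            # U+007F in its name; ordinary non-ASCII names are left alone.
            $hiddenName = $name -match '[\x00-\x1F\x7F]'
            # Assumption: the script loader appears as rundll32 plus a
            # script-engine keyword in the value data.
            $scriptLoad = ($data -match '(?i)rundll32') -and
                          ($data -match '(?i)javascript|vbscript')
            if ($hiddenName -or $scriptLoad) {
                $findings += [pscustomobject]@{
                    Key        = $key
                    # Show the name as code points so hidden characters are visible.
                    NameHex    = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
                    Data       = $data
                    HiddenName = $hiddenName
                    ScriptLoad = $scriptLoad
                }
            }
        }
    }
    return $findings
}

Find-SuspiciousRunValues | Format-List
```

Run it from an elevated prompt so the HKLM key is readable; an empty result means no entry matched either check.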

[How to repair]

Repairable by ViRobot engine ver. 2014-08-06 or above.