ViRobot/HAURI

Backdoor.Win32.Agent.91136.G
Type
Backdoor
Risk level / Spread level
/
Discovery date
[Korea] 0000-00-00 [Foreign] 0000-00-00
ViRobot response
2014-08-19 [Able to detect & repair]

Summary

This is a backdoor (server-side polymorphism). It collects information from the infected system and executes command codes received from a C&C server.


The main malicious actions of this malware are:

- Download and run malicious code.
- Execute files.
- Execute command codes.


This malware uses server-side polymorphism, so the MD5 of the distributed files changes continuously (the functionality, however, stays the same: that of a backdoor).
The files (named 3002.exe or 3005.exe) have been distributed through many websites (e.g. universities, organizations, shopping malls, travel agencies, etc.), so users need to be aware of this.


[Distributed location]



The Symptom

1. It creates the following files.

C:\WINDOWS\(Random names)\svchsot.exe => Self-replication


2. It creates the following registry values.



3. It registers the following scheduled tasks.
C:\WINDOWS\Tasks\At1~24.job


4. It accesses the following network addresses.

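As an added example (not part of the HAURI advisory), the following Python check looks for the two host artifacts listed above: the svchsot.exe copy dropped under the Windows directory (item 1) and the At1~24.job scheduler entries (item 3). The sample path listing is constructed, not taken from a real host; on a live Windows machine, feed `find_indicators()` the output of `walk_system_root()` instead. Note that `At*.job` files are also produced by the legitimate `at.exe` command, so a hit on item 3 alone is a triage lead rather than proof of infection; the misspelled `svchsot.exe` (not the legitimate `svchost.exe`) is the stronger indicator.

```python
import os
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory above.
DROPPED_FILE_NAME = "svchsot.exe"   # lookalike of the legitimate svchost.exe; note the transposed letters
# Matches At1.job .. At24.job only (the range given in the advisory), case-insensitively.
AT_JOB_PATTERN = re.compile(r"^At([1-9]|1[0-9]|2[0-4])\.job$", re.IGNORECASE)


def classify_path(path):
    """Return an indicator label if `path` matches one of the advisory's artifacts, else None.

    PureWindowsPath is used so the check behaves the same on a non-Windows analysis box.
    """
    p = PureWindowsPath(path)
    name = p.name
    parts = [s.lower() for s in p.parts]
    if name.lower() == DROPPED_FILE_NAME:
        return "dropped-file"
    # Only flag At*.job files that actually live in a Tasks folder.
    if AT_JOB_PATTERN.match(name) and "tasks" in parts:
        return "at-job"
    return None


def find_indicators(paths):
    """Scan an iterable of path strings and return a sorted list of (label, path) hits."""
    hits = []
    for path in paths:
        label = classify_path(path)
        if label:
            hits.append((label, path))
    return sorted(hits)


def walk_system_root(root=None):
    """Yield every file path under the Windows directory (default: %SystemRoot%).

    Hypothetical helper for live use; it is not exercised by the constructed sample below.
    """
    root = root or os.environ.get("SystemRoot", r"C:\Windows")
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            yield os.path.join(dirpath, fn)


# Constructed sample listing (not from a real host) mixing benign and suspicious entries.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",   # legitimate service host, must not be flagged
    r"C:\WINDOWS\xk2j9a\svchsot.exe",     # misspelled copy in a random-named folder
    r"C:\WINDOWS\Tasks\At1.job",
    r"C:\WINDOWS\Tasks\At24.job",
    r"C:\WINDOWS\Tasks\At25.job",         # outside the At1~24 range named in the advisory
    r"C:\WINDOWS\Tasks\SA.DAT",           # normal Task Scheduler bookkeeping file
]

if __name__ == "__main__":
    for label, path in find_indicators(SAMPLE_PATHS):
        print(f"{label:12s} {path}")
```

The path-based check is deliberately kept separate from the directory walk so the same logic can be run over an exported file listing or a forensic image index, where no live file system is available.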

[How to repair]
Repairable by ViRobot engine version 2014-08-19 or later.