W32.Naras
W32.Naras: msinfomgr.sys, msinfmgr.exe, msinfdll.dll, virus rootkit, msinfklg.sys

Avenger (removal script)

Drivers to disable:
msinfklg
msinfomgr

Drivers to delete:
msinfklg
msinfomgr

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msinflogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msinfmgr

Files to delete:
c:\windows\system32\msinfmgr.exe
c:\windows\system32\msinfdll.dll
c:\windows\system32\drivers\msinfklg.sys
c:\windows\system32\drivers\msinfomgr.sys

This Trojan is very dangerous because it uses new techniques that allow it to erase its traces and remain invisible to the user and to traditional anti-virus programs. As for the keylogger component, it tries to install itself into every active process in order to record all keyboard input.

msinfmgr.exe (copy of itself)
msinfdll.dll (keylogger component)
msinfklg.sys (file in which the keylogger stores the captured information)
msinfomgr.sys (rootkit component)
autorun.inf

System\drivers\msinfomgr.sys

Rootkit functionality
When loaded, this driver hides process names and registry keys containing the string "msinf". It also hides files containing any of the following strings in their full path name:

msinf
auto
Auto
AUTO
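The hiding rule above is the kind of filter that cross-view comparison catches: anything present in a raw enumeration (an offline disk or hive read) but missing from the hooked API view on the live system is a candidate hidden object. The following Python is an added example, not code from the page or from any vendor tool; it models the page's stated filter and runs a cross-view diff over constructed sample file names. Note that the "auto" markers also hide benign paths such as autoexec.bat, which is itself an anomaly a defender can look for.

```python
"""Cross-view listing comparison modelled on the W32.Naras hiding rule.

Added example; not part of the original page. All file names below are
constructed sample data, not observations from an infected system.
"""
from __future__ import annotations

# Substrings the page says the driver filters on.
HIDDEN_NAME_MARKER = "msinf"                              # processes, registry keys
HIDDEN_PATH_MARKERS = ("msinf", "auto", "Auto", "AUTO")   # full file path names


def hides_name(name: str) -> bool:
    """True if the rootkit would hide this process or registry key name."""
    return HIDDEN_NAME_MARKER in name


def hides_path(path: str) -> bool:
    """True if the rootkit would hide this file (case-sensitive, as listed)."""
    return any(marker in path for marker in HIDDEN_PATH_MARKERS)


def hidden_entries(raw_view: list[str], api_view: list[str]) -> list[str]:
    """Cross-view diff: entries in the raw enumeration that the hooked
    API enumeration on the live system does not return."""
    visible = set(api_view)
    return sorted(entry for entry in raw_view if entry not in visible)


# Constructed sample: what a raw disk read would list ...
RAW_FILES = [
    r"C:\WINDOWS\system32\msinfmgr.exe",
    r"C:\WINDOWS\system32\drivers\msinfomgr.sys",
    r"D:\Autorun.inf",
    r"C:\autoexec.bat",                    # benign, but matches "auto"
    r"C:\WINDOWS\system32\kernel32.dll",
]
# ... and what the hooked API would return with the driver loaded.
API_FILES = [path for path in RAW_FILES if not hides_path(path)]


if __name__ == "__main__":
    for entry in hidden_entries(RAW_FILES, API_FILES):
        print("hidden:", entry)
```

On a real system the raw view would come from a parser reading the volume or hive directly rather than from a Python list; the comparison logic stays the same.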

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msinfmgr

"Type" = "1"
"ErrorControl" = "1"
"Start" = "3"
"DisplayName" = "msinfmgr"
"ImagePath" = "system32\drivers\msinfomgr.sys"

Copies itself as D:\msinfmgr.exe and creates the file D:\Autorun.inf. It infects .exe files:

It performs a cavity infection routine, where it inserts a short piece of code in slack space between sections of the executable file. The code it inserts creates the process msinfmgr.exe.

System\msinfdll.dll

This file contains the keylogging functionality of the virus. It logs keystrokes in the file %System%\drivers\msinfklg.sys. This .dll file also loads the dropped msinfomgr.sys driver.

To get hooked, it adds the values:

"Asynchronous" = "0"
"DllName" = "msinfdll.dll"
"Impersonate" = "0"
"Startup" = "logon_startup"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msinflogon

so that it runs every time Windows starts.
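Both persistence points described above (the kernel-driver service under Services\msinfmgr and the Winlogon Notify package msinflogon) can be audited from a registry export without touching the live, hooked system. The Python below is an added example, not the page's or Symantec's code: it parses the .reg export format, flags Notify packages whose DllName is not in a baseline, and flags kernel-driver services (Type 1) whose ImagePath contains the "msinf" indicator. The export text is constructed; the baseline DLL set is an assumption for a Windows XP image, and real exports store ImagePath as hex(2) REG_EXPAND_SZ, which this parser leaves undecoded.

```python
"""Audit Winlogon Notify packages and driver services from a .reg export.

Added example; not part of the original page. The export below is
constructed sample data and the baseline is an assumption to be replaced
with values taken from a known-good image.
"""
from __future__ import annotations

import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

# Assumption: Notify DLLs normally present on a Windows XP install.
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_data(data: str) -> str:
    """Decode REG_SZ and dword data; leave hex(...) blobs as written."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    return data


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each [key] in a .reg export to its {value name: data}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_data(m.group("data"))
    return keys


def audit_notify_packages(keys, baseline=BASELINE_NOTIFY_DLLS) -> list[tuple[str, str]]:
    """Return (package name, DllName) for Notify entries outside the baseline."""
    allowed = {dll.lower() for dll in baseline}
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        dll = values.get("DllName", "")
        if dll.lower().rsplit("\\", 1)[-1] not in allowed:
            findings.append((key.rsplit("\\", 1)[-1], dll))
    return findings


def audit_driver_services(keys, indicators=("msinf",)) -> list[tuple[str, str]]:
    """Return (service name, ImagePath) for kernel drivers whose image matches an indicator."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        image = values.get("ImagePath", "")
        if values.get("Type") == "1" and any(i in image.lower() for i in indicators):
            findings.append((key.rsplit("\\", 1)[-1], image))
    return findings


# Constructed sample export: one benign Notify package, the msinflogon entry
# with the values listed on the page, the msinfmgr service, and a benign driver.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msinflogon]
"Asynchronous"=dword:00000000
"DllName"="msinfdll.dll"
"Impersonate"=dword:00000000
"Startup"="logon_startup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msinfmgr]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"DisplayName"="msinfmgr"
"ImagePath"="system32\\drivers\\msinfomgr.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
'''


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print("notify packages outside baseline:", audit_notify_packages(parsed))
    print("driver services matching indicators:", audit_driver_services(parsed))
```

Export the two hives with reg export (or read them from an offline copy of the SOFTWARE and SYSTEM hives) so the hooked driver cannot filter what the audit sees; the Avenger script above then removes exactly the entries the audit reports.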

Source: http://securityresponse.symantec.com
