
Removing the Win32 Agent.AK Virus

This virus, also known as Trojan.Agent.Delf.RHO, does not do anything very dangerous,
but I still wanted to share it.
Click here to remove the Agent.AK virus

Information about what it does is below.
In English

SYMPTOMS:
The presence of the following files:
%WINDIR%\system32\yahooui.exe
%WINDIR%\seocfg.exe
%WINDIR%\upd1234.exe
%WINDIR%\vbn.sdf

The malware also installs the following clean files:
%WINDIR%\system32\yahooauth2.dll
%WINDIR%\system32\ssleay32.dll
%WINDIR%\system32\libeay32.dll

The virus will also modify the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
by appending the following strings to it:
%WINDIR%\system32\yahooui.exe
%WINDIR%\seocfg.exe

The presence of the following subkeys:
HKLM\SOFTWARE\Yahoo\smartkey
and
HKLM\SOFTWARE\Yahoo\lidl
which contain the values:
Count
USER
PASS

TECHNICAL DESCRIPTION:
The malware spreads through links sent in instant messages on Yahoo!Messenger by other infected users. It tries to convince the target user that the message is legitimate by adding friendly phrases to trick the user into clicking the provided link. The messages used are:

sa intrii sa imi zici ce parere ai ca sigur recuonsti personaju ;)
o cunosti?

:)))
chiar vroiam sa te apelez, ai virusi si imi trimiti tot felu de mailuri
ia programu asta sa il scoti ca l-am avut si eu sau daca nu intra pe removed].ro
Afla cine te are pus la invizibil sau la ignore cu un singur click chiar si persoanele care sunt offline http://[link removed].blogspot.com
ce faci?
Super tare!!!!!!!! http://[link removed].blogspot.com

Depending on the version of the malware, if the target user replies, the virus checks the reply for the following keywords and sends an automatic answer according to what is found:

Keyword   Reply
virus     intra ca nu e nici un virus
esti      uita-te si vrb dupa
merge     trebuie sa instalezi programu ca sa mearga
frica     nu are de ce sa-ti fie frica

Once the user clicks the link he is usually directed to a web site or blog containing an embedded movie which requests the user to download a codec that is actually the malware. When the user executes the downloaded file, a progress bar briefly appears and the following files are installed without user intervention:

%WINDIR%\system32\yahooui.exe
%WINDIR%\system32\yahooauth2.dll
%WINDIR%\system32\ssleay32.dll
%WINDIR%\system32\libeay32.dll

It also places itself in the startup list by appending the following string to the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

%WINDIR%\system32\yahooui.exe

After the next system startup, the yahooui.exe process creates the following registry key:

HKLM\SOFTWARE\Yahoo\lidl

It waits for the user to sign in to Yahoo!Messenger and saves the username and password inside the values USER and PASS in the HKLM\SOFTWARE\Yahoo\lidl key. The virus will then try to spread by sending spam messages to the contacts in the user's contact list.

The malware also downloads the following files:

%WINDIR%\seocfg.exe
%WINDIR%\upd1234.exe
%WINDIR%\vbn.sdf

seocfg.exe and upd1234.exe are malware files, detected as Trojan.Spy.Banker.ACFQ, which try to trick the user into accessing phishing sites related to banking. The vbn.sdf file contains the links which are sent in the spam messages.

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY:
Livadariu Mihai Andrei, virus researcher
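The SYMPTOMS and TECHNICAL DESCRIPTION sections above list the files, the Winlogon\Shell modification and the HKLM\SOFTWARE\Yahoo subkeys that mark an infection. The following read-only triage script, added here as an example and not part of the original post or of BitDefender's analysis, checks a host for exactly those indicators and reports what it finds without removing anything. It assumes a Windows host, an elevated PowerShell prompt, and that the normal Winlogon\Shell value is just explorer.exe.

```powershell
# Added example, not from the original post: report the Win32.Agent.AK indicators listed above.
# Run as an administrator. Read-only: it only reports, it does not clean.

$windir = $env:WINDIR

# Malware files from the SYMPTOMS section.
$malwareFiles = @(
    "$windir\system32\yahooui.exe",
    "$windir\seocfg.exe",
    "$windir\upd1234.exe",
    "$windir\vbn.sdf"
)
# Clean helper DLLs the malware drops next to itself (their presence alone is weak evidence).
$droppedCleanFiles = @(
    "$windir\system32\yahooauth2.dll",
    "$windir\system32\ssleay32.dll",
    "$windir\system32\libeay32.dll"
)

$findings = @()

foreach ($f in $malwareFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Malware file present: $f" }
}
foreach ($f in $droppedCleanFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped helper DLL present: $f" }
}

# Winlogon\Shell is a comma-separated list that normally holds only "explorer.exe".
# The malware appends yahooui.exe and seocfg.exe so they start at every logon.
# Assumption: anything other than explorer.exe is worth reporting (adjust for your environment).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    foreach ($entry in ($shell -split ',')) {
        $e = $entry.Trim()
        if ($e -and $e -notmatch '^explorer\.exe$') {
            $findings += "Unexpected Winlogon\Shell entry: $e"
        }
    }
}

# Subkeys the malware creates; lidl holds the captured Yahoo! Messenger credentials.
foreach ($key in 'HKLM:\SOFTWARE\Yahoo\smartkey', 'HKLM:\SOFTWARE\Yahoo\lidl') {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'Count', 'USER', 'PASS') {
            if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $name)) {
                # Report only the value name: PASS is a stolen credential and must not be logged.
                $findings += "  value present: $name"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Win32.Agent.AK indicators found."
} else {
    Write-Output "Possible Win32.Agent.AK infection, indicators found:"
    $findings | ForEach-Object { Write-Output $_ }
}
```

If the script reports a hit in HKLM\SOFTWARE\Yahoo\lidl, treat the Yahoo! Messenger password stored there as compromised and change it from a clean machine after disinfection; the script deliberately prints only the value name, never its contents.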

One Comment

  1. Bro, because of this WinRAR I can't get into Wolfteam, it gives an error, remove this for me, I promise I'll pray a lot for you
