viri help
Quote:
Trojan.Agent.AAQK
( Troj/FakeAV-CC, W32/Agent.AAQ!tr, Win32/Small.NEB trojan, Trojan W32/Agent.GYHC, Trojan.Fakealert.1260 )
Spreading: low
Damage: low
Size: 24,5KB, 40KB
Discovered: 2008 Aug 27
SYMPTOMS:
A file named __a00[some-hexa-digits].exe in C:\Documents and Settings\\local settings\temp having a dimension of 40KB.
One or more files named __c00[five-hexa-digits].dat in the system directory (c:\windows\system32) with a size of 24,5KB (25088 Bytes).
The presence of a mutex named vmc_mm.
TECHNICAL DESCRIPTION:
The malware copies itself to
C:\Documents and Settings\\local settings\temp under the name
__a00[some-hexa-digits].exe
and adds the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\A00[some-hexa-digits].exe
C:\Documents and Settings\\Local Settings\Temp\__a00[some-hexa-digits].exe
Afterwards, the trojan will drop a .dll file (in the directory from where it was run) under its original file name and extension followed by .dat. It will load this dll and will execute its exported function named A.
Running that code will copy the dll in the system directory (C:\windows\system32) under a name of the form __c00[five-hexa-digits].dat and will set the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00[five-hexa-digits]
* Logon -> B
* Impersonate -> 0x00000000
* DllName -> C:\WINDOWS\system32\__c00[five-hexa-digits].dat
* Startup -> B
* Asynchronous -> 0x00000001
Also, it will create a mutex named vmc_mm and will download a file from a link that was down at the moment this description was made.
yeh help plz
- Still_Learning
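An added defender-side example, not from the quoted description or from anyone in this thread: a small Python sweep that matches a constructed file, registry and mutex inventory against the indicators quoted above (the __a00*.exe copy in the profile temp folder, the 25088-byte __c00*.dat in system32, the Run value, the Winlogon\Notify DllName and the vmc_mm mutex). The sample inventory, user name and hex digits are constructed; on a real host you would feed it the output of a file, registry and handle enumeration.

```python
import re

# Indicator patterns taken from the quoted Trojan.Agent.AAQK description
DROPPER_NAME = re.compile(r"^__a00[0-9a-f]+\.exe$", re.IGNORECASE)
PAYLOAD_NAME = re.compile(r"^__c00[0-9a-f]{5}\.dat$", re.IGNORECASE)
PAYLOAD_SIZE = 25088  # 24,5 KB as stated in the description
MUTEX_NAME = "vmc_mm"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def check_files(files):
    """files: iterable of (full_path, size_in_bytes). Returns a list of findings."""
    findings = []
    for path, size in files:
        folder, _, name = path.rpartition("\\")
        if DROPPER_NAME.match(name) and folder.lower().endswith(r"local settings\temp"):
            findings.append(f"dropper copy: {path}")
        if PAYLOAD_NAME.match(name) and folder.lower().endswith("system32"):
            note = "" if size == PAYLOAD_SIZE else f" (size {size} differs from {PAYLOAD_SIZE})"
            findings.append(f"dropped dll: {path}{note}")
    return findings

def check_registry(values):
    """values: iterable of (key, value_name, data) as strings."""
    findings = []
    for key, name, data in values:
        basename = data.rpartition("\\")[2]
        if key.lower() == RUN_KEY.lower() and DROPPER_NAME.match(basename):
            findings.append(f"Run autostart: {name} -> {data}")
        # Any Notify subkey whose DllName points at a __c00*.dat is the persistence package
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\") and name.lower() == "dllname" \
                and PAYLOAD_NAME.match(basename):
            findings.append(f"Winlogon Notify package: {key} DllName -> {data}")
    return findings

def check_mutexes(mutexes):
    return [f"mutex present: {m}" for m in mutexes if m == MUTEX_NAME]

def sweep(files, registry, mutexes):
    return check_files(files) + check_registry(registry) + check_mutexes(mutexes)

# Constructed inventory (user name and hex digits invented for the example)
SAMPLE_FILES = [
    (r"C:\Documents and Settings\user\Local Settings\Temp\__a001f3a.exe", 40960),
    (r"C:\WINDOWS\system32\__c0012abc.dat", 25088),
    (r"C:\WINDOWS\system32\kernel32.dll", 989696),  # benign, must not match
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "A001f3a.exe", r"C:\Documents and Settings\user\Local Settings\Temp\__a001f3a.exe"),
    (NOTIFY_KEY + r"\__c0012abc", "DllName", r"C:\WINDOWS\system32\__c0012abc.dat"),
    (NOTIFY_KEY + r"\__c0012abc", "Asynchronous", "0x00000001"),
]
SAMPLE_MUTEXES = ["vmc_mm", "MSCTF.Shared.MUTEX.EXAMPLE"]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_MUTEXES):
        print(finding)
```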
- bad_brain
never seen a rootkit or a MBR virus on a home computer, rootkits are mostly used on servers and for a MBR virus you need physical access (I guess)....so it's more likely to win the jackpot in the lottery than to catch an infection with one of those...
the reason why most viruses can't be deleted that easy is because they are running processes, and MS is a little crippled compared to Linux when it's about stopping them....and the files involved in the running process can't be deleted as long as the process is not stopped. booting in safe mode just starts the basic system processes, so the chance is good that the virus process will not be started which makes deletion easier...
- Oppconsulting
I have yet to run into a true virus in over 5 years.
my point is it's mostly all ActiveX and other web trash.
I don't even run virus anymore, just use eTrust PestPatrol
adaware pro old version, not new adaware, it's crap, and also use windows washer and cc cleaner or go to a boot disk and go to the windows online files and empty it
good luck
“As usual, there is a great woman behind every idiot.”
― John Lennon
“One thing you can't hide - is when you're crippled inside.”
― John Lennon
- bad_brain
hm, in context with viruses http://vx.netlux.org/ is THE place to start, you can get all kind of info and even the virus source codes there, also check out the link section.