U盤病毒 新變種 20090124

Sherry.ai

Ka8 0

evilrabbit

C\WINDOWS\system32\drivers\klif.sys
C\WINDOWS\system32\ierdfgh.exe

*\current\Local Settings\Temp
*\machine\software\microsoft\ole\EnableDCOM [1] = N
> *\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete [4] = 01000000
> *\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings [4] = 01000000
> *\machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents [1] = C:\Documents and Settings\All Users\Documents
> *\machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop [1] = C:\Documents and Settings\All Users\Lhb?
> *\machine\software\microsoft\windows nt\currentversion\winlogon\Shell [1] = x
> *\machine\SYSTEM\CurrentControlSet\Services\KAVsys\Type [4] = 01000000
> *\machine\SYSTEM\CurrentControlSet\Services\KAVsys\ErrorControl [4] = 01000000
> *\machine\SYSTEM\CurrentControlSet\Services\KAVsys\Start [4] = 01000000
> *\machine\SYSTEM\CurrentControlSet\Services\KAVsys\ImagePath [1] = \??\C:\WINDOWS\system32\drivers\klif.sys
> *\user\current\software\classes\SymbolicLinkValue [6] = 5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F00410064006D0069006E006900730074007200610074006F0072005F00440065006600610075006C00740042006F0078005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess [1] = yes
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f23f4ca-767d-11dd-a315-806d6172696f}\BaseClass [1] = Drive
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f23f4cb-767d-11dd-a315-806d6172696f}\BaseClass [1] = Drive
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f23f4cc-767d-11dd-a315-806d6172696f}\BaseClass [1] = Drive
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f23f4cd-767d-11dd-a315-806d6172696f}\BaseClass [1] = Drive
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f23f4ce-767d-11dd-a315-806d6172696f}\BaseClass [1] = Drive
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal [1] = C:\Documents and Settings\Administrator\My Documents
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop [1] = C:\Documents and Settings\Administrator\Lhb?
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData [1] = C:\Documents and Settings\Administrator\Application Data
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache [1] = C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
> *\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies [1] = C:\Documents and Settings\Administrator\Cookies
> *\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [4] = 01000000
> *\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [4] = 01000000
> *\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [4] = 01000000
> *\user\current\software\Microsoft\Windows\CurrentVersion\Run\kxswsoft [1] = C:\WINDOWS\system32\ierdfgh.exe
> *\user\current\software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$DI00.125\a81lkgv.com [1] = a81lkgv
> *\user\current\software\SandboxieAutoExec  [3] = 31
> *\user\current\software\WinRAR\ArcHistory\3 [1] = F:\?P[孴QR遶\錧wQ\?P[鴙sQ孴OD\200872100012.rar
> *\user\current\software\WinRAR\ArcHistory\2 [1] = F:\?P[孴QR遶\錧wQ\?P[鴙sQ孴OD\200875142113.rar
> *\user\current\software\WinRAR\ArcHistory\1 [1] = F:\臺Y錧wQ\vQ諲\3.0恘
x\恘
x.rar
> *\user\current\software\WinRAR\ArcHistory\0 [1] = C:\Documents and Settings\Administrator\Lhb梊a81lkgv.zip
> *\user\current\software\WinRAR\FileList\ArcColumnWidths\name [4] = 78000000
> *\user\current\software\WinRAR\FileList\ArcColumnWidths\size [4] = 50000000
> *\user\current\software\WinRAR\FileList\ArcColumnWidths\psize [4] = 50000000
> *\user\current\software\WinRAR\FileList\ArcColumnWidths\type [4] = 78000000
> *\user\current\software\WinRAR\FileList\ArcColumnWidths\mtime [4] = 64000000
> *\user\current\software\WinRAR\FileList\ArcColumnWidths\crc [4] = 46000000
> *\user\current\software\WinRAR\FileList\FileColumnWidths\name [4] = 78000000
> *\user\current\software\WinRAR\FileList\FileColumnWidths\size [4] = 50000000
> *\user\current\software\WinRAR\FileList\FileColumnWidths\type [4] = 78000000
> *\user\current\software\WinRAR\FileList\FileColumnWidths\mtime [4] = 64000000
> *\user\current\software\WinRAR\General\LastFolder [1] = C:\Documents and Settings\Administrator\Lhb?
> *\user\current\software\WinRAR\General\Toolbar\Layout\Band0 [3] = 38000000730100000402000000000000FFFFFFF4FFFFFFF4FFFFFFF4000000000000000000000000004C020800000000003A000000FFFFFFB40200000000000001000000
> *\user\current\software\WinRAR\General\Toolbar\Layout\Band1 [3] = 38000000730100000500000000000000FFFFFFF4FFFFFFF4FFFFFFF400000000000000000000000000FFFFFFFA010F000000000017000000280000000000000002000000
> *\user\current\software\WinRAR\General\Toolbar\Layout\Band2 [3] = 38000000730100000400000000000000FFFFFFF4FFFFFFF4FFFFFFF4000000000000000000000000004A010C000000000017000000640000000000000003000000
> *\user\current\software\WinRAR\General\Toolbar\Layout\Band3 [3] = 3800000073010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> *\user\current\software\WinRAR\Interface\MainWin\Placement [3] = 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF600000006C00000072030000FFFFFFFF010000

dreams521

23ft.exe,
a81lkgv.com - Packed.Win32.Krap.g

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.