- מידע על הווירוס
ידוע גם כ:
- Backdoor.SdBot
- Backdoor.Win32.SdBot.arn
- W32.Spybot.Worm
- W32/Sdbot.worm.gen.ax
זהו סוס טרויאני המאפשר שליטה על המחשב באמצעות IRC
- קבצים
- Windows>\ctfmonn.exe
- autorun.inf
- ctfmonn.exe
- Registry
הווירוס יוצר את הערכים הבאים:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
- HKEY_LOCAL_MACHINE\SOFTWARE\ProductName
- HKEY_LOCAL_MACHINE\SOFTWARE\ProductName\ProductID
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
Created values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2 = 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = 0x00000000
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
*NewlyCreated* = 0x00000000
ActiveService = "NETWORK SERVICE"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000
Service = "NETWORK SERVICE"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "NETWORK SERVICE"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE
NextInstance = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Enum
0 = "Root\LEGACY_NETWORK_SERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "\ctfmonn.exe"
DisplayName = "NETWORK SERVICE"
ObjectName = "LocalSystem"
FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
Description = "NETWORK SERVICE"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
*NewlyCreated* = 0x00000000
ActiveService = "NETWORK SERVICE"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000
Service = "NETWORK SERVICE"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "NETWORK SERVICE"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE
NextInstance = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Enum
0 = "Root\LEGACY_NETWORK_SERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath =\ctfmonn.exe"
DisplayName = "NETWORK SERVICE"
ObjectName = "LocalSystem"
FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
Description = "NETWORK SERVICE"
Changed values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride = 0x00000001
FirewallOverride = 0x00000001 - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
Directory = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4" - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
WaitToKillServiceTimeout = "7000"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
restrictanonymous = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
(Default) = 0x00000015
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout = "7000"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
(Default) = 0x00000015 - HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Cookies = "%user%\LocalService\Cookies"
Cache = "%user%\LocalService\Local Settings\Temporary Internet Files"
History = "%user%\LocalService\Local Settings\History"
- אזהרה
הווירוס מריץ את הקוד הזדוני בכל פעם שאתם ניגשים לכונן במחשב, לכן מומלץ להוריד את ההתקן ולשמור אותו על שולחן העבודה, להפעיל מחדש את המחשב במצב Safe Mode ולהריץ את ההתקן במצב Safe Mode בלבד.
התקן להסרת SdBot
להורדת ההתקן להסרת הווירוס על פי ההנחיות בעמוד זה - לחצו
על קישור ההורדה המתאים
אין תגובות:
הוסף רשומת תגובה