Friday, 23 October 2009

SecurityTool Rogue

Ran into a new rogue today called "Security Tool":

SecurityTool Malware

This program was installed by exploiting a security hole in an unpatched Windows XP installation. Below is a FreeFixer log to show what files appeared on the infected computer:

FreeFixer v0.47 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-10-23 14:45


Registry Startups
HKLM\..\Run, sysgif32 = C:\WINDOWS\Temp\wpv511255703227.exe
HKLM\..\Run, restorer64_a = C:\WINDOWS\system32\restorer64_a.exe
HKLM\..\Run, 60306520 = C:\DOCUME~1\ALLUSE~1\APPLIC~1\60306520\60306520.exe
HKLM\..\Run, PromoReg = C:\WINDOWS\Temp\_ex-08.exe
HKLM\..\Run, Antivirus Pro 2010 = "C:\Program\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
HKLM\..\Run, Regedit32 = C:\WINDOWS\system32\regedit.exe (file is missing)
HKCU\..\Run, restorer64_a = C:\Documents and Settings\Roger\restorer64_a.exe
HKCU\..\Run, mserv = C:\Documents and Settings\Roger\Application Data\seres.exe
HKCU\..\Run, svchost = C:\Documents and Settings\Roger\Application Data\svcst.exe

Autostart shortcuts
zavupd32.exe, , C:\Documents and Settings\Roger\Start-meny\Program\Autostart\zavupd32.exe

Recently created/modified files
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN6.tmp
15 minutes, c:\WINDOWS\system32\dllcache\agp440.sys
15 minutes, c:\WINDOWS\system32\drivers\AGP440.SYS
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN5.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\TMP13.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\2B6JEHAV\win[1].exe
42 minutes, c:\WINDOWS\system32\_scui.cpl
42 minutes, c:\Program\AntivirusPro_2010\Uninstall.exe
42 minutes, c:\Program\AntivirusPro_2010\wscui.cpl
42 minutes, c:\Program\AntivirusPro_2010\htmlayout.dll
42 minutes, c:\Program\AntivirusPro_2010\pthreadVC2.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
42 minutes, c:\Program\AntivirusPro_2010\AVEngn.dll
42 minutes, c:\Program\AntivirusPro_2010\AntivirusPro_2010.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\lizkavd.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\G5ER0HM3\Install[1].exe
44 minutes, c:\Documents and Settings\All Users\Application Data\60306520\60306520.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\svcst.exe
44 minutes, c:\WINDOWS\Temp\_ex-08.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\seres.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN12.tmp
44 minutes, c:\Documents and Settings\Roger\restorer64_a.exe
45 minutes, c:\WINDOWS\system32\restorer64_a.exe
45 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\10.tmp
45 minutes, c:\WINDOWS\Temp\wpv791256209457.exe
45 minutes, c:\WINDOWS\Temp\wpv651256085323.exe
45 minutes, c:\WINDOWS\Temp\wpv511255703227.exe

No comments:

Post a Comment