W32.Naras
msinfomgr.sys, msinfmgr.exe, msinfdll.dll, virus rootkit, msinfklg.sys


Avenger script:

Drivers to disable:
msinfklg
msinfomgr

Drivers to delete:
msinfklg
msinfomgr

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msinflogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msinfmgr

Files to delete:
c:\windows\system32\msinfmgr.exe
c:\windows\system32\msinfdll.dll
c:\windows\system32\drivers\msinfklg.sys
c:\windows\system32\drivers\msinfomgr.sys



This Trojan is very dangerous because it uses new techniques that allow it to erase its traces and remain invisible to the user and to traditional anti-virus programs. As for the keylogger component, it tries to install itself into every active process in order to record all keyboard input.

msinfmgr.exe (copy of itself)
msinfdll.dll (keylogger component)
msinfklg.sys (file in which the keylogger stores the captured information)
msinfomgr.sys (rootkit component)
autorun.inf


%System%\drivers\msinfomgr.sys

virus rootkit functionality
When loaded, this driver hides process names and registry keys containing the string "msinf". It also hides files containing any of the following strings in their full path name:

msinf
auto
Auto
AUTO

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msinfmgr

"Type" = "1"
"ErrorControl" = "1"
"Start" = "3"
"DisplayName" = "msinfmgr"
"ImagePath" = "system32\drivers\msinfomgr.sys"


D:\msinfmgr.exe and creates the file D:\Autorun.inf. It infects .exe files.

It performs a cavity infection routine, where it inserts a short piece of code in slack space between sections of the executable file. The code it inserts creates the process msinfmgr.exe.

---------------

%System%\msinfdll.dll

This file contains the keylogging functionality of the virus. It logs keystrokes in the file %System%\drivers\msinfklg.sys. This .dll file also loads the dropped msinfomgr.sys driver.

To get hooked, it adds the values:

"Asynchronous" = "0"
"DllName" = "msinfdll.dll"
"Impersonate" = "0"
"Startup" = "logon_startup"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msinflogon

so that it runs every time Windows starts.

http://securityresponse.symantec.com/avcenter/venc/data/w32.naras.html
