WORM_CODBOT.B - integitor.exe, upnp.exe, nmeproxy.exe
HijackThis
O23 - Service: Universal Plug and Play Device Configuration (UPnP Configuration) - Unknown owner - C:\WINDOWS\System32\upnp.exe
Universal Plug and Play Device Configuration
1.
Click Start - Run - type Services.msc and click OK.
"Properties" - click "Stop" - set startup type to "Disabled"
- Universal Plug and Play Device Configuration (UPnP Configuration) --> only this one, no other!!!
- Secure System
2.
Start --> Run --> paste the following (if an error message appears... ignore it) --> click OK after each one
sc delete Universal Plug and Play Device Configuration
sc delete UPnP Configuration
sc delete Secure System
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click it to start. In "Enter search strings" type or paste
Universal Plug and Play Device Configuration
into the edit box and click "Ok".
Notepad will open.
In "Enter search strings" type or paste
UPnP Configuration
Secure System
ServiceFilter.zip
Unknown Service # 8
Service Name: UPnP Configuration
Display Name: Universal Plug and Play Device Configuration
Start Mode: Disabled
Start Name: LocalSystem
Description: Handling all UPnP related system ...
Service Type: Own Process
Path: c:\windows\system32\upnp.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch
Unknown Service # 5
Service Name: Secure System
Display Name: Secure System
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\integitor.exe" -service
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch
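As an added triage helper (not a tool from this page or its author), the Python below parses a ServiceFilter-style report like the one above, flags services whose image is one of the binaries this page names, and emits the sc.exe commands to stop, disable and delete each flagged service by its service key name, quoted because these names contain spaces. The sample report is constructed for the example, and the "Eventlog" entry is assumed to be a benign control.

```python
import re
KNOWN_BAD_BINARIES = {"integitor.exe", "upnp.exe", "nmeproxy.exe"}  # binaries this page ties to WORM_CODBOT.B

# Constructed sample in the ServiceFilter layout shown on the page; Eventlog is a benign control.
SAMPLE_REPORT = r"""
Unknown Service # 8
Service Name: UPnP Configuration
Display Name: Universal Plug and Play Device Configuration
Path: c:\windows\system32\upnp.exe
Unknown Service # 5
Service Name: Secure System
Display Name: Secure System
Path: "c:\windows\system32\integitor.exe" -service
Unknown Service # 9
Service Name: Eventlog
Display Name: Event Log
Path: c:\windows\system32\services.exe
"""

def parse_services(report: str) -> list[dict[str, str]]:
    """Split a ServiceFilter-style report into one dict per 'Unknown Service # N' block."""
    services: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in report.splitlines():
        if line.startswith("Unknown Service #"):
            if current:
                services.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only, so "c:\..." survives intact
        if sep:
            current[key.strip()] = value.strip()
    if current:
        services.append(current)
    return services

def image_name(path: str) -> str:
    """Lower-cased executable name from a Path that may be quoted and carry arguments."""
    m = re.match(r'\s*"([^"]+)"', path)
    exe = m.group(1) if m else (path.split() or [""])[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_services(report: str) -> list[dict[str, str]]:
    """Services whose image is one of the page's known-bad binaries."""
    return [s for s in parse_services(report) if image_name(s.get("Path", "")) in KNOWN_BAD_BINARIES]

def removal_commands(service: dict[str, str]) -> list[str]:
    """sc.exe takes the service key name (not the display name); names with spaces must be quoted."""
    name = service["Service Name"]
    return [f'sc stop "{name}"', f'sc config "{name}" start= disabled', f'sc delete "{name}"']
```

Run the emitted commands from an elevated prompt only after confirming the flagged image path yourself, since the match is by file name alone.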
datfindbat
Verzeichnis von C:\WINDOWS\system32
26.02.2006 12:01 167.936 nmeproxy.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System\Enum]
[HKEY_USERS\S-1-5-21-2669302297-645757453-568730901-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="sc delete secure system\\1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE1E00AA-3FD5-403C-8A27-2BBDC30CD0E1}]
@="Home Networking NAT Traversal via UPnP Configuration Manager"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration\Enum]
[HKEY_USERS\S-1-5-21-2669302297-645757453-568730901-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"c"="sc delete UPnP configuration\\1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_USERS\S-1-5-21-2669302297-645757453-568730901-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"b"="sc delete universal plug and play device configuration\\1"
F-Secure virus definition: Bozori.B
F-Secure provides a special utility for disinfecting this malware. You can download this utility from our FTP or web sites:
http://www.f-secure.de/v-desk/bozori_b.shtml
http://www.f-secure.com/tools/f-bot.zip
wintbp.exe (Net-Worm.Win32.Bozori.a) [exploits the MS05-039 vulnerability]
winpnp.exe (Backdoor.Win32.Rbot.ym) [exploits the MS05-039 vulnerability]
mousebm.exe (Backdoor.Win32.IRCBot.es) [exploits the MS05-039 vulnerability]
csm.exe (Net-Worm.Win32.Mytob.cf / Zotob.B) [exploits the MS05-039 vulnerability]
botzor.exe (Net-Worm.Win32.Mytob.cd / Zotob.A) [exploits the MS05-039 vulnerability]
pnpsrv.exe (Backdoor.Win32.Rbot.yk) [exploits the MS05-039 vulnerability]
svnlitup32.exe (Backdoor.Win32.SdBot.yx) [exploits the MS05-039 vulnerability]
upnp.exe (Backdoor.Win32.Codbot.ab) [does not exploit the MS05-039 vulnerability]
service32.exe
llsrv.exe
system32.exe
Panda (online scan)
Virus:W32/Codbot.A.worm -> C:\WINDOWS\system32\upnp.exe
Virus:W32/Gaobot.AZP.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\31E.tmp
Virus:W32/Sdbot.BWA.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\3AB.tmp
Virus:W32/Sdbot.BSW.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\3FC.tmp
Virus:W32/Codbot.A.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\436.tmp