Otro gusano - Este ataca con autorun.inf y resycled boot.com

[LeThe]

Esta infeccion ocurrio en una computadora con AVG expirado. No tengo evidencia de que AVG lo haya dejado pasar ya que estaba expirado. Si, fue detectado por AVG y Malwarebytes Antimalware y eliminado. Es posible que despues de eliminar el gusano o trojano, tengas que ir a los discos y manualmente eliminar la carpeta resycled y el archivo autorun.inf

Basicamente, este gusano crea los archivos autorun.inf y tambien la carpeta resycled con el archivo boot.com en todos los discos. Cuando tratas de abrir uno de los discos en Mi PC, te sale un error diciendo que el archivo c:\resycled\boot.com no es una aplicación win32 valida.

C:\resycled\boot.com is not a valid win32 application.









Log de Malwarebytes Antimalware
Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

12/6/2008 11:09:02 AM
mbam-log-2008-12-06 (11-09-02).txt

Scan type: Quick Scan
Objects scanned: 39784
Time elapsed: 1 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 13
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxosvnnrsr.dll (Trojan.Agent) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxriqpcfgb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxmaxtoeqh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-5E5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

[Menfis]

Se lo ve bien peligroso ese Troyano, gracias por la Info.

[UBUNTU]

no entiendo como pude antes deshacerme de infecciones criticas sin contar con Malwarebytes anti-malware, esta aplicacion me la he encontrado super practica y de lo mejor. esta herramienta es un buen aditamento a cualquier antivirus en general.