
Another worm - This one attacks with autorun.inf and resycled boot.com

Posted: Sat Dec 06, 2008 12:35 pm
by LeThe
This infection occurred on a computer with an expired AVG. I have no evidence that AVG let it through, since it was expired. Yes, it was detected by AVG and Malwarebytes Anti-Malware and removed. It is possible that after removing the worm or trojan you will have to go to the drives and manually delete the resycled folder and the autorun.inf file.

Basically, this worm creates the autorun.inf file and the resycled folder containing the boot.com file on every drive. When you try to open one of the drives in My Computer, you get an error saying that the file c:\resycled\boot.com is not a valid win32 application.

C:\resycled\boot.com is not a valid win32 application.


Malwarebytes Anti-Malware log
Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

12/6/2008 11:09:02 AM
mbam-log-2008-12-06 (11-09-02).txt

Scan type: Quick Scan
Objects scanned: 39784
Time elapsed: 1 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 13
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9054443c-22ab-458e-9c53-4665b996aa98}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9b5daa11-59a9-4bcc-b97a-5df893dc81b0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxosvnnrsr.dll (Trojan.Agent) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxriqpcfgb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxmaxtoeqh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-5E5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
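Two checks a responder would want after reading the post above, written here as an added example (not code from the thread or from any of the tools named in it): parse an autorun.inf found in a drive root and list what Explorer would launch when the drive is opened, and pull the resolver addresses that the DNSChanger component wrote into the Tcpip\Parameters keys out of the Malwarebytes log so they can be compared against the resolvers the machine should be using. The thread does not reproduce the dropped autorun.inf, so its contents below are a constructed sample and the exact keys are an assumption; the log lines are copied from the post.

```python
"""Triage helpers for the autorun.inf / resycled\\boot.com + DNSChanger case."""
import re

# Constructed sample autorun.inf (assumption: the thread does not show the real
# file). The open= and shell\...\Command keys are what make Explorer run
# resycled\boot.com when the drive is double-clicked or opened.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=resycled\boot.com
shell\open=&Open
shell\open\Command=resycled\boot.com
shell\explore=&Explore
shell\explore\Command=resycled\boot.com
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Lines copied from the Malwarebytes log posted above.
SAMPLE_MBAM_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.163;85.255.112.121 -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# autorun.inf keys that make the shell execute something.
LAUNCH_KEYS = ("open", "shellexecute")

# Matches "...\DhcpNameServer (Trojan.DNSChanger) -> Data: ip;ip" style log lines.
NAMESERVER_RE = re.compile(
    r"\\(DhcpNameServer|NameServer) \([^)]*\) -> Data: ([0-9.;]+)"
)


def parse_autorun_inf(text):
    """Parse an INI-style autorun.inf into {section: [(key, value), ...]}.

    Hand-rolled instead of configparser: dropped autorun.inf files often repeat
    keys and contain '%' and '\\' that configparser rejects or tries to expand.
    Keys and section names are lower-cased because the shell matches them
    case-insensitively.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # junk before the first section, or a bare token
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autorun_launch_targets(text):
    """Return what this autorun.inf would run, as (key, target) pairs."""
    targets = []
    for key, value in parse_autorun_inf(text).get("autorun", []):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def resolvers_from_mbam_log(log_text):
    """Collect every resolver IP that MBAM reported inside a NameServer value."""
    found = set()
    for match in NAMESERVER_RE.finditer(log_text):
        found.update(ip for ip in match.group(2).split(";") if ip)
    return found


def rogue_resolvers(resolvers, expected):
    """Resolvers that are not in the set the machine is supposed to use."""
    return sorted(set(resolvers) - set(expected))


if __name__ == "__main__":
    for key, target in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf would launch via {key}: {target}")
    seen = resolvers_from_mbam_log(SAMPLE_MBAM_LOG)
    # Assumption: 192.168.1.1 stands in for the site's real resolver.
    print("rogue resolvers:", rogue_resolvers(seen, {"192.168.1.1"}))
```

On a live machine the same functions can be pointed at `X:\autorun.inf` read from each drive root; an autorun.inf with any launch key on a fixed disk is itself a strong sign of this kind of worm, whatever the target path says. The resolver comparison is deliberately an allowlist check rather than a list of known-bad addresses, so it also catches a different DNSChanger variant that points at other servers.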

Re: Another worm - This one attacks with autorun.inf and resycled boot.com

Posted: Sat Dec 06, 2008 7:36 pm
by Menfis
That trojan looks really dangerous, thanks for the info. :D

Re: Another worm - This one attacks with autorun.inf and resycled boot.com

Posted: Mon Dec 08, 2008 8:19 pm
by UBUNTU
I don't understand how I managed to get rid of critical infections before without Malwarebytes Anti-Malware; I've found this application super practical and one of the best. This tool is a good addition to any antivirus in general.