Trojan-PSW.Win32.Small.bs/Rootkit.Win32.Agent.ef is a trojan that spreads over the eDonkey network through cracks.

Detection of Trojan-PSW.Win32.Small.bs/Rootkit.Win32.Agent.ef

Example HijackThis log:

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj3.exe (Trojan-PSW.Win32.Small.bs)

The file installs a kernel-mode rootkit (Rootkit.Win32.Agent.ef) via the driver new_drv.sys.

The trojan then places cracks and infected programs in the directory:
C:\WINDOWS\bdir\ffmiu

You will find the list of infected files, with their names, at this link:
List of infectious files Trojan-PSW.Win32.Small.bs

The trojan shares these files on the eDonkey network so that other users download the booby-trapped files and get infected in turn.
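As an added example (not part of the original writeup), here is a small Python triage script that parses HijackThis O4 autorun lines and flags the ones matching the indicators above (the C:\WINDOWS\bdir directory and the file names quoted), with a lookup of a file's MD5 against the three hashes reported in the scans below; the sample log is constructed from the entries shown plus one benign line.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators taken from this writeup: autorun paths, file names and the MD5s
# reported by VirusTotal for the three samples.
KNOWN_MD5 = {
    "9819414ef1a6bbb8577509818a17612a": "sdflkj3.exe (Trojan-PSW.Win32.Small.bs)",
    "42d05364dedf2c17e72bbe54338477d2": "new_drv.sys (Rootkit.Win32.Agent.ef)",
    "6bf196c766221001d2178e5b707fbde7": "ITIL_Power_Management_1.0.exe (trojanised crack)",
}
SUSPECT_DIR_PREFIX = "c:\\windows\\bdir\\"          # directory holding the shared cracks
SUSPECT_NAMES = {"9129837.exe", "sdflkj3.exe", "new_drv.sys"}

# HijackThis "O4" autorun line: O4 - HKCU\..\Run: [value] C:\path\file.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<path>.+?)\s*$")

# Constructed sample log: the two entries quoted above plus one benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [strkjhk] C:\WINDOWS\bdir\sdflkj3.exe
"""

def parse_o4(log_text):
    """Return (hive, value name, executable path) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["name"], m["path"].strip('"')))
    return entries

def flag_entries(entries):
    """Keep autoruns pointing into the shared-crack directory or at a known file name."""
    flagged = []
    for hive, name, path in entries:
        lower = path.lower()
        if lower.startswith(SUSPECT_DIR_PREFIX) or PureWindowsPath(lower).name in SUSPECT_NAMES:
            flagged.append((hive, name, path))
    return flagged

def md5_lookup(file_path):
    """Hash a file on disk and return the matching sample description, or None."""
    h = hashlib.md5()
    with open(file_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return KNOWN_MD5.get(h.hexdigest())

if __name__ == "__main__":
    for hive, name, path in flag_entries(parse_o4(SAMPLE_LOG)):
        print(f"suspect autorun {hive} [{name}] -> {path}")
```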
File scans:

Complete scanning result of "sdflkj3.exe", received in VirusTotal at 06.16.2007, 15:03:17 (CET).
Antivirus            Version         Update      Result
AhnLab-V3            2007.6.16.0     06.15.2007  no virus found
AntiVir              7.4.0.32        06.16.2007  HEUR/Crypted
Authentium           4.93.8          06.16.2007  no virus found
Avast                4.7.997.0       06.15.2007  no virus found
AVG                  7.5.0.467       06.15.2007  no virus found
BitDefender          7.2             06.16.2007  no virus found
CAT-QuickHeal        9.00            06.15.2007  no virus found
ClamAV               devel-20070416  06.16.2007  no virus found
DrWeb                4.33            06.16.2007  no virus found
eSafe                7.0.15.0        06.14.2007  Suspicious Trojan/Worm
eTrust-Vet           30.7.3721       06.15.2007  no virus found
Ewido                4.0             06.16.2007  no virus found
FileAdvisor          1               06.16.2007  No threat detected
Fortinet             2.85.0.0        06.16.2007  no virus found
F-Prot               4.3.2.48        06.15.2007  no virus found
F-Secure             6.70.13030.0    06.15.2007  no virus found
Ikarus               T3.1.1.8        06.16.2007  Trojan-Downloader.Win32.Small.cyn
Kaspersky            4.0.2.24        06.16.2007  no virus found
McAfee               5054            06.15.2007  no virus found
Microsoft            1.2607          06.16.2007  Trojan:Win32/Anomaly.gen!A
Norman               5.80.02         06.15.2007  no virus found
Panda                9.0.0.4         06.16.2007  no virus found
Prevx1               V2              06.16.2007  PSW.Generic
Sophos               4.18.0          06.12.2007  Mal/AvPak
Sunbelt              2.2.907.0       06.16.2007  VIPRE.Suspicious
Symantec             10              06.16.2007  no virus found
TheHacker            6.1.6.133       06.15.2007  no virus found
VBA32                3.12.0.2        06.15.2007  no virus found
VirusBuster          4.3.23:9        06.16.2007  Trojan.DR.Cimuz.Gen.1
Webwasher-Gateway    6.0.1           06.16.2007  Win32.Malware.gen

Additional Information
File size: 669253 bytes
MD5: 9819414ef1a6bbb8577509818a17612a
SHA1: 5dce6256a86ec86efb3ce2f39135f0a50b85fddc
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9819414ef1a6bbb8577509818a17612a
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=b900100771637
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Complete scanning result of "new_drv.sys", received in VirusTotal at 06.16.2007, 19:20:18 (CET).

Antivirus            Version         Update      Result
AhnLab-V3            2007.6.16.0     06.15.2007  no virus found
AntiVir              7.4.0.32        06.16.2007  RKit/Agent.EE
Authentium           4.93.8          06.16.2007  no virus found
Avast                4.7.997.0       06.16.2007  Win32:Small-BXP
AVG                  7.5.0.467       06.16.2007  PSW.Generic3.LKY
BitDefender          7.2             06.16.2007  Trojan.Rootkit.Agent.EF
CAT-QuickHeal        9.00            06.16.2007  Rootkit.Agent.ef
ClamAV               devel-20070416  06.16.2007  Trojan.Rootkit-146
DrWeb                4.33            06.16.2007  Trojan.NtRootKit.209
eSafe                7.0.15.0        06.14.2007  no virus found
eTrust-Vet           30.7.3721       06.15.2007  Win32/Ursnif
Ewido                4.0             06.16.2007  Rootkit.Agent.ef
FileAdvisor          1               06.16.2007  No threat detected
Fortinet             2.85.0.0        06.16.2007  RootKit.A!tr
F-Prot               4.3.2.48        06.15.2007  no virus found
F-Secure             6.70.13030.0    06.15.2007  Rootkit.Win32.Agent.ef
Ikarus               T3.1.1.8        06.16.2007  Rootkit.Win32.Agent.ef
Kaspersky            4.0.2.24        06.16.2007  Rootkit.Win32.Agent.ef
McAfee               5054            06.15.2007  Generic RootKit.a
Microsoft            1.2607          06.16.2007  VirTool:WinNT/Rootkitdrv.CE
NOD32v2              2334            06.15.2007  Win32/PSW.Small.NAF
Norman               5.80.02         06.15.2007  no virus found
Panda                9.0.0.4         06.16.2007  Rootkit/Spyforms.H
Prevx1               V2              06.16.2007  TROJAN.ROOTKIT.AP
Sophos               4.18.0          06.12.2007  Troj/RKProc-Fam
Sunbelt              2.2.907.0       06.16.2007  Hacktool.Rootkit
Symantec             10              06.16.2007  Hacktool.Rootkit
TheHacker            6.1.6.133       06.15.2007  no virus found
VBA32                3.12.0.2        06.15.2007  Trojan.Win32.PSW.Small.NAF
VirusBuster          4.3.23:9        06.16.2007  Rootkit.Vixdl.M
Webwasher-Gateway    6.0.1           06.16.2007  Rootkit.Agent.EE

Additional Information
File size: 5376 bytes
MD5: 42d05364dedf2c17e72bbe54338477d2
SHA1: 82111967518591d993321f6ef09f3abd6f112577
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=42d05364dedf2c17e72bbe54338477d2
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=4f0980313792
Complete scanning result of "ITIL_Power_Management_1.0.exe", received in VirusTotal at 06.16.2007, 18:26:57 (CET).

Antivirus            Version         Update      Result
AhnLab-V3            2007.6.16.0     06.15.2007  no virus found
AntiVir              7.4.0.32        06.16.2007  TR/PSW.Small.BS.166
Authentium           4.93.8          06.16.2007  no virus found
Avast                4.7.997.0       06.16.2007  no virus found
AVG                  7.5.0.467       06.16.2007  PSW.Generic4.TFQ
BitDefender          7.2             06.16.2007  MemScan:Trojan.Agent.AWS
CAT-QuickHeal        9.00            06.16.2007  (Suspicious) - DNAScan
ClamAV               devel-20070416  06.16.2007  no virus found
DrWeb                4.33            06.16.2007  Trojan.PWS.Haiuy
eSafe                7.0.15.0        06.14.2007  Suspicious Trojan/Worm
eTrust-Vet           30.7.3721       06.15.2007  no virus found
Ewido                4.0             06.16.2007  Trojan.Small.bs
FileAdvisor          1               06.16.2007  no virus found
Fortinet             2.85.0.0        06.16.2007  Spy/Small
F-Prot               4.3.2.48        06.15.2007  no virus found
F-Secure             6.70.13030.0    06.15.2007  Trojan-PSW.Win32.Small.bs
Ikarus               T3.1.1.8        06.16.2007  Trojan-Downloader.Win32.Small.cyn
Kaspersky            4.0.2.24        06.16.2007  Trojan-PSW.Win32.Small.bs
McAfee               5054            06.15.2007  no virus found
Microsoft            1.2607          06.16.2007  Trojan:Win32/Anomaly.gen!A
NOD32v2              2334            06.15.2007  no virus found
Norman               5.80.02         06.15.2007  no virus found
Panda                9.0.0.4         06.16.2007  Trj/Spyforms.AO
Prevx1               V2              06.16.2007  Covert.Sys.Exec
Sophos               4.18.0          06.12.2007  no virus found
Sunbelt              2.2.907.0       06.16.2007  Trojan.Win32/Anomaly.gen!A
Symantec             10              06.16.2007  no virus found
TheHacker            6.1.6.133       06.15.2007  no virus found
VBA32                3.12.0.2        06.15.2007  Trojan-PSW.Win32.Small.bs
VirusBuster          4.3.23:9        06.16.2007  Trojan.DR.Cimuz.Gen.1
Webwasher-Gateway    6.0.1           06.16.2007  Win32.Malware.gen!94

Additional Information
File size: 27330 bytes
MD5: 6bf196c766221001d2178e5b707fbde7
SHA1: 154ea998cc8c2c9977934da978a7a771d7401424
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=d330100785861