WareOut is no longer current as described below (although the name used to label certain infections may still be in use); refer instead to the Trojan.DNSChanger page.
WareOut is a fake anti-spyware that installs itself without permission. The malware displays false alerts telling you that you are infected with spyware and recommends buying the WareOut anti-spyware, which is a commercial product.
The sole purpose of this spyware is to make you buy that anti-spyware.

Example HijackThis log:
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [msag] qwe.exe
O4 - HKCU\..\Run: [driver32] MsNetHelper.exe
O4 - HKCU\..\Run: [atl_helper] new32.exe
The rogue installs itself in the folder: C:\Program Files\WareOut\
It also creates files in the Windows system32 folder; here is the list:
10010.exe
321102.exe
34763.exe
ABCXYZ.exe
abrek.exe
ActionScr.exe
AliceSD.exe
AppMasterCenter.exe
ATLIEHELPER.exe
atl_helper.exe
avpmondll.exe
awinrar.exe
backd.exe
backorif.exe
barint.exe
bhoserv.exe
bingo9.exe
bnui.exe
Bogobot.exe
borlandg.exe
BoundRec.exe
br0ken.exe
Brong32.exe
clamav.exe
cmon14.exe
cnftips.exe
control64.exe
corrida.exe
CToolBar.exe
DCC_send.exe
defect08.exe
dePloy.exe
Dest068.exe
dialer423.exe
diskserv.exe
driver64.exe
DTOURS.exe
ERTYDF.exe
ExchangeMaster.exe
EXE32EXE.exe
expoler.exe
FLKPT.exe
forces_elite.exe
ftbar.exe
gabber.exe
hyandex.exe
iehelper.exe
iesetupdll.exe
init32.exe
InpriseMon.exe
install2.exe
JAguAr.exe
jopplerg.exe
Kargo.exe
keybdll.exe
KeywordFinder.exe
killall.exe
LOPTCON.exe
media64.exe
MNTP.exe
MON76234.exe
moniter.exe
mozilla-text.exe
ms-its.exe
msag.exe
MsNetHelper.exe
new32.exe
newbreed.exe
nmdllw.exe
NopeZ.exe
NsCplTray.exe
NSYSCPLSTR.exe
NukeSpan.exe
openstre.exe
panel_its.exe
ParisM.exe
PasswdMon.exe
pizda.exe
powerdll.exe
PrcIdle.exe
prcmon.exe
Preliminary.exe
prgsys0984.exe
progmen.exe
qwe.exe
RtlFindVal.exe
runload32.exe
SAPSTR.exe
sbin.exe
scanSYS.exe
Serviceprocess.exe
SetupExeDll.exe
Shaitan1678.exe
slamm.exe
sound64.exe
SpyElim.exe
srbho.exe
ssweeper.exe
StartCpl.exe
startman.exe
StatusCheck.exe
stuffmon.exe
sysconf16.exe
SysEntry.exe
sysmon12.exe
syspanel.exe
SysSupport.exe
SYSTRAV.exe
TemplateDongle.exe
teqq32.exe
Testimonials.exe
TForm1.exe
TorontoMail.exe
Trayz.exe
TRPT.exe
trycrt.exe
typeconf.exe
Uint32.exe
uio.exe
UserSp1.exe
utsgmon.exe
vxdman.exe
WhatsNewBot.exe
WinInitDll.exe
wormexe.exe
WTFCTF.exe
XTermInit.exe
xwiz.exe
xxtoolbar.exe
zantu.exe
zxc.exe
_ctcp.exe
Here is the list of values it creates under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it
launches at startup:
BoundRec
qwe
Wareout
___
_ctcp
10010
321102
34763
ABCXYZ
abrek
ActionScr
AliceSD
atl_helper.dll
ATLIEHELPER
avpmondll
backd
backorif
barint
bhoserv
bingo9
bnui
Bogobot
borlandg
br0ken
Brong32
browebar
clamav
cmon14
cnftips
control64
corrida
CToolBar
DCC_send
defect08
dePloy
Dest068
dialer423
driver32
DTOURS
ERTYDF
EXE2EXE
forces_elite
ftbar
gabber
hyandex
iesetupdll
init32
InpriseMon
install2
JAguAr
jopplerg
Kargo
keybdll
killall
LOPTCON
MONITER
MON76234
MNTP
msag
ms-its
MsNetHelper
MSTCPDLL
new32
newbreed
nmdllw
NopeZ
NSYSCPLSTR.exe
NukeSpan
ParisM
panel_its
PasswdMon
pizda
powerdll
prcmon
PrcIdle
prgsys0984
Preliminary
RtlFindVal
load32
SAPSTR
sbin
scanSYS
Serviceprocess
SetupExeDll
Shaitan1678
slamm
sound64
ssweeper
StartCpl
startman
StatusCheck
stuffmon
SYSTRAV
sysconf16
sysmon12
syspanel
SysSupport
systemdll
TemplateDongle
Testimonials
teqq32
TForm1
TorontoMail
Trayz
TRPT
trycrt
typeconf
uio
uint32
UserSP1
utsgmon
vxdman
WhatsNewBot
wormexe
WTFCTF
XTermInit
xwiz
xxtoolbar
zantu
zxc
AppMasterCenter
In HijackThis, you will find these lines:
O17 - HKLM\System\CCS\Services\Tcpip\..\{14AFD67D-EAA0-4F1C-9E2F-BD4D70C98EF5}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{40B8A899-C9EA-44C2-B99A-441E79759D0D}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{959CDDB7-501C-4E4B-B86D-3B0C19881D9E}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF5930F-4081-4082-9F63-74356889A13E}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE6E915A-3D61-4BB4-B3D2-69B1A4C7864D}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206 85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{14AFD67D-EAA0-4F1C-9E2F-BD4D70C98EF5}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206 85.255.112.76
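The two HijackThis line types quoted on this page (the O4 Run entries earlier and the O17 NameServer entries just above) can be checked automatically. The script below is an added illustration; it is not part of the original page and is not HijackThis code. Its indicator sets are taken only from the extracts on this page (the four Run value names and executables, and the two resolver addresses 85.255.113.206 and 85.255.112.76). The sample log is constructed for the example: it repeats lines from the page and adds one benign O4 line (ctfmon.exe) and one O17 line with an all-zero interface GUID and a private resolver, to show what is reported only for review rather than as a match.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the HijackThis extracts on this page.
WAREOUT_RUN_NAMES = {"wareout", "msag", "driver32", "atl_helper"}
WAREOUT_RUN_IMAGES = {"wareout.exe", "qwe.exe", "msnethelper.exe", "new32.exe"}
WAREOUT_NAMESERVERS = {"85.255.113.206", "85.255.112.76"}

# O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# O17 - <Tcpip key>: NameServer = <addresses separated by comma or space>
O17_RE = re.compile(r'^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$')
IP_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


@dataclass
class Finding:
    line: str
    kind: str       # "O4" or "O17"
    severity: str   # "high" = matches a known indicator, "review" = needs a human look
    reason: str


def image_name(cmd: str) -> str:
    """Return the lower-cased file name of the executable in an O4 command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:                                  # bare name or unquoted path
        exe = cmd.split()[0] if cmd else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_hijackthis(log_text: str) -> List[Finding]:
    """Flag O4 Run entries matching WareOut names and O17 NameServer overrides."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name = m.group("name").lower()
            exe = image_name(m.group("cmd"))
            if name in WAREOUT_RUN_NAMES or exe in WAREOUT_RUN_IMAGES:
                findings.append(Finding(line, "O4", "high",
                    f"Run value '{m.group('name')}' -> {exe} matches a WareOut indicator"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = IP_RE.findall(m.group("servers"))
            bad = [s for s in servers if s in WAREOUT_NAMESERVERS]
            if bad:
                findings.append(Finding(line, "O17", "high",
                    "NameServer points to known WareOut/DNSChanger resolver(s): " + ", ".join(bad)))
            else:
                # A static NameServer is not malicious by itself; it only needs checking.
                findings.append(Finding(line, "O17", "review",
                    "NameServer overridden on this interface; confirm the resolvers belong to your network"))
    return findings


# Constructed sample log: page lines plus one benign O4 and one benign O17 line.
SAMPLE_LOG = r'''
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [msag] qwe.exe
O4 - HKCU\..\Run: [driver32] MsNetHelper.exe
O4 - HKCU\..\Run: [atl_helper] new32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{14AFD67D-EAA0-4F1C-9E2F-BD4D70C98EF5}: NameServer = 85.255.113.206,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206 85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
'''

if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.kind}: {f.reason}")
        print("         " + f.line)
```

Run against the sample, the four WareOut Run entries and both lines pointing at 85.255.113.206 / 85.255.112.76 are reported as high, the private resolver is listed for review, and the ctfmon.exe entry produces nothing. The O17 parser accepts both the comma-separated and the space-separated forms that appear in the extract above, since HijackThis prints the per-interface and the Parameters keys differently.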
See the explanation and removal procedure on the Trojan.DNSChanger page.
For more information on how spyware works and the advice to follow:
How worms/spyware/malware work and how to remove them on Windows
Malware removal guide (SpySherrif, Spyaxe, SpywareStrike, Winbound, etc.)