Вирус Win32/Spy.Ursnif.A

Разместил: spider. Рубрика: уязвимости | Нет комментариев »

Сегодня обнаружил новый вирус Win32/Spy.Ursnif.A
Как видно из таблички ниже – Ни Касперский, ни Dr.Web, ни Avira его не распознают. Nod32 его увидел , но вылечить не смог. А так же не смог даже удалить. По сайту Virustotal.com его признают вирусом 13 из 41 антивируса, а значит игнорировать такую угрозу просто глупо.
Я нашел чистую незараженную Dll-ку. Выкладываю здесь.
termsrv.dll
Распакуйте архив в папку c:\windows\system32 в безопастном режиме или загрузившись с любого загрузочного диска имеющего доступ к системным папкам.

Файл termsrv.dll получен 2010.01.21 18:51:51 (UTC)
Антивирус	Версия	Обновление	Результат
a-squared	4.5.0.50	2010.01.21	Riskware.Win32.Ursnif!IK
AhnLab-V3	5.0.0.2	2010.01.21	-
AntiVir	7.9.1.146	2010.01.21	-
Antiy-AVL	2.0.3.7	2010.01.21	-
Authentium	5.2.0.5	2010.01.21	-
Avast	4.8.1351.0	2010.01.21	-
AVG	9.0.0.730	2010.01.21	-
BitDefender	7.2	2010.01.21	Backdoor.Generic.247076
CAT-QuickHeal	10.00	2010.01.21	-
ClamAV	0.94.1	2010.01.21	-
Comodo	3659	2010.01.21	UnclassifiedMalware
DrWeb	5.0.1.12222	2010.01.21	-
eSafe	7.0.17.0	2010.01.20	-
eTrust-Vet	35.2.7250	2010.01.21	-
F-Prot	4.5.1.85	2010.01.20	-
F-Secure	9.0.15370.0	2010.01.21	Backdoor.Generic.247076
Fortinet	4.0.14.0	2010.01.21	W32/Patched.E!tr
GData	19	2010.01.21	Backdoor.Generic.247076
Ikarus	T3.1.1.80.0	2010.01.21	VirTool.Win32.Ursnif
Jiangmin	13.0.900	2010.01.21	-
K7AntiVirus	7.10.951	2010.01.20	Trojan.Win32.Malware.1
Kaspersky	7.0.0.125	2010.01.21	-
McAfee	5867	2010.01.20	potentially unwanted program Patched Termsrv
McAfee+Artemis	5867	2010.01.20	potentially unwanted program Patched Termsrv
McAfee-GW-Edition	6.8.5	2010.01.21	-
Microsoft	1.5302	2010.01.21	VirTool:Win32/Ursnif.B
NOD32	4791	2010.01.20	Win32/Spy.Ursnif.A
Norman	6.04.03	2010.01.20	-
nProtect	2009.1.8.0	2010.01.21	-
Panda	10.0.2.2	2010.01.21	Trj/CI.A
PCTools	7.0.3.5	2010.01.21	-
Prevx	3.0	2010.01.21	-
Rising	22.31.03.04	2010.01.21	-
Sophos	4.50.0	2010.01.21	-
Sunbelt	3.2.1858.2	2010.01.21	-
Symantec	20091.2.0.41	2010.01.21	-
TheHacker	6.5.0.8.157	2010.01.21	-
TrendMicro	9.120.0.1004	2010.01.21	-
VBA32	3.12.12.1	2010.01.20	-
ViRobot	2010.1.21.2148	2010.01.21	-
VirusBuster	5.0.21.0	2010.01.20	-

Дополнительная информация
File size: 295936 bytes
MD5…: cdb13f1e48540e19f4b961e77904f168
SHA1..: c9da870e74b7caf003ff3672a7c3227cd332befa
SHA256: 1d716c779a7524d1f1523c55903cb773de7c62437291474bb1dd619441ab0068
ssdeep: 6144:nc51EYcaOzaJ9cBIGxIK7zjL38kY0caPQ/6JnS3f2LntmNwTrAM:nc70aOz a4xIOjLbPQiJnRtcU
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0×219fd timedatestamp…..: 0×480381e3 (Mon Apr 14 16:10:11 2008) machinetype…….: 0×14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0×1000 0×3f7ca 0×3f800 6.62 3b17550ec0b93633ac198889c1011bf6 .data 0×41000 0×9838 0×1200 5.40 5d65a3663dd1e46550c681e04de1361f .rsrc 0×4b000 0×40d4 0×4200 3.98 c31aca52a9a4ad92327931e329286723 .reloc 0×50000 0×32ee 0×3400 6.19 c59c84e9cda7289330e30d991fa19248 ( 17 imports ) > msvcrt.dll: wcscpy, wcscmp, _except_handler3, _wcsnicmp, wcscat, swscanf, wcsncpy, wcslen, wcsncat, swprintf, wcsrchr, memmove, _snwprintf, wcschr, sprintf, qsort, strncpy, gmtime, time, mktime, _mbslen, mbstowcs, __3@YAXPAX@Z, __2@YAPAXI@Z, free, _initterm, malloc, _adjust_fdiv, _ftol, _snprintf, strncmp, iswdigit, _wcsupr, wcstok, _wtol, _stricmp, __CxxFrameHandler, _purecall, _wcsicmp > ntdll.dll: NtOpenProcessToken, NtQueryInformationToken, RtlLengthSid, RtlCopySid, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquireResourceShared, NtDelayExecution, DbgBreakPoint, RtlPrefixUnicodeString, NtResetEvent, NtWaitForMultipleObjects, RtlInitializeGenericTable, RtlDeleteCriticalSection, NtOpenProcess, NtQueryVirtualMemory, RtlLookupElementGenericTable, RtlCompareMemory, RtlInsertElementGenericTable, RtlDeleteElementGenericTable, RtlInitializeResource, NtCreateEvent, NtDuplicateObject, NtQuerySystemTime, RtlEqualSid, RtlAdjustPrivilege, RtlInitializeCriticalSection, NtTerminateProcess, RtlLengthRequiredSid, NtReleaseMutant, NtWaitForSingleObject, NtCreateMutant, NtQueryInformationProcess, NtDuplicateToken, NtSetInformationThread, RtlpNtEnumerateSubKey, NtRequestPort, NtConnectPort, NtSetEvent, RtlEnterCriticalSection, RtlAllocateHeap, NtOpenThreadToken, NtReplyPort, NtCompleteConnectPort, NtAcceptConnectPort, NtCreateSection, NtReplyWaitReceivePort, RtlFreeUnicodeString, NtCreatePort, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlQueryRegistryValues, NtDeviceIoControlFile, RtlExtendedLargeIntegerDivide, RtlConvertExclusiveToShared, RtlConvertSharedToExclusive, RtlDeleteResource, NtRequestWaitReplyPort, RtlFreeHeap, RtlLeaveCriticalSection, RtlAcquireResourceExclusive, RtlReleaseResource, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, NtClose, VerSetConditionMask, RtlCreateEnvironment, RtlSetProcessIsCritical, DbgPrint, NtQuerySystemInformation, NtSetTimer, NtCreateTimer, RtlCopySecurityDescriptor, RtlNtStatusToDosError, RtlDeleteAce, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlMapGenericMask, RtlSubAuthoritySid, RtlInitializeSid, RtlCreateUserSecurityObject, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlCreateSecurityDescriptor, RtlWriteRegistryValue, RtlCreateRegistryKey, RtlLengthSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, NtSetSecurityObject, NtQuerySecurityObject, NtOpenSymbolicLinkObject, NtQueryDirectoryObject, NtCreateDirectoryObject, RtlFreeSid, RtlAllocateAndInitializeSid, RtlIntegerToUnicodeString, RtlAppendUnicodeToString, NtQueryMutant > ICAAPI.dll: IcaOpen, IcaStackCallback, IcaStackConnectionWait, IcaStackConnectionRequest, IcaStackConnectionAccept, _IcaStackIoControl, IcaStackUnlock, IcaStackReconnect, IcaStackTerminate, IcaChannelClose, IcaStackIoControl, IcaPushConsoleStack, IcaChannelOpen, IcaChannelIoControl, IcaStackConnectionClose, IcaStackClose, IcaClose, IcaIoControl, IcaStackOpen, IcaStackDisconnect > SHELL32.dll: SHGetFolderPathA > SETUPAPI.dll: SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList > SHLWAPI.dll: PathAppendA > WINTRUST.dll: CryptCATAdminCalcHashFromFileHandle, CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminReleaseCatalogContext, CryptCATAdminReleaseContext, WTHelperProvDataFromStateData, WTHelperGetProvSignerFromChain, CryptCATAdminAcquireContext, WinVerifyTrust > RPCRT4.dll: RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, RpcServerRegisterIfEx, RpcBindingToStringBindingW, RpcServerListen, RpcImpersonateClient, I_RpcBindingIsClientLocal, RpcRevertToSelf, RpcServerUseProtseqEpW, I_RpcBindingInqLocalClientPID, RpcStringFreeW, RpcRaiseException, RpcSsContextLockExclusive, NdrServerCall2, RpcServerRegisterIf, RpcStringBindingParseW > KERNEL32.dll: GetLocalTime, GetDiskFreeSpaceA, GetDateFormatW, FileTimeToSystemTime, InitializeCriticalSection, GetVersion, CreateMutexW, GetModuleHandleA, InterlockedExchange, OutputDebugStringA, GetProcessAffinityMask, SetThreadAffinityMask, ResumeThread, GetExitCodeThread, GetSystemInfo, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GetVolumeInformationA, GlobalMemoryStatus, lstrlenA, lstrcpyA, GetFileSize, WriteFile, SetFilePointer, ReadFile, CreateFileA, HeapAlloc, HeapFree, CompareFileTime, CreateWaitableTimerW, SetWaitableTimer, FormatMessageW, LeaveCriticalSection, GetSystemDefaultLCID, SystemTimeToFileTime, LoadLibraryExA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetCurrentThreadId, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, lstrcpynW, GetACP, MultiByteToWideChar, SetLastError, lstrlenW, LocalFree, LocalAlloc, GetProcessHeap, DisableThreadLibraryCalls, DebugBreak, Sleep, CloseHandle, CreateProcessW, GetCurrentProcessId, IsDebuggerPresent, GetVersionExW, ResetEvent, SetEvent, VerifyVersionInfoW, CreateEventW, GetLastError, ReleaseMutex, UnmapViewOfFile, MapViewOfFile, OpenFileMappingW, WaitForMultipleObjects, OpenEventW, OpenMutexW, InterlockedDecrement, CreateThread, CreateFileW, GetSystemDirectoryW, GetSystemTime, GetComputerNameA, GetSystemTimeAsFileTime, UnregisterWait, WaitForSingleObject, InterlockedIncrement, lstrcpyW, ExitThread, QueryDosDeviceW, ProcessIdToSessionId, IsBadReadPtr, IsBadWritePtr, OpenProcess, GetComputerNameW, FreeLibrary, GetProcAddress, LoadLibraryW, GetProfileStringW, GetTickCount, RegisterWaitForSingleObject, lstrcatW, lstrcmpiW, GetProfileIntW, GetWindowsDirectoryW, SetThreadPriority, GetCurrentThread, LocalSize, GetCurrentProcess, PulseEvent, GetComputerNameExW, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, DeleteCriticalSection > USER32.dll: GetCursorPos, wvsprintfA, BroadcastSystemMessageA, wsprintfA, GetSystemMetrics, wsprintfW, ExitWindowsEx, LoadStringW, MessageBeep, GetMessageTime > Secur32.dll: GetUserNameExW > WS2_32.dll: -, -, -, getaddrinfo, -, - > ADVAPI32.dll: GetSidSubAuthorityCount, GetSidSubAuthority, AccessCheckAndAuditAlarmW, AllocateAndInitializeSid, SetEntriesInAclW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegEnumKeyW, DeregisterEventSource, CryptAcquireContextW, CryptCreateHash, CryptImportKey, CryptVerifySignatureW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, AddAce, GetAce, GetAclInformation, GetUserNameA, CryptHashData, RegisterServiceCtrlHandlerW, GetSidIdentifierAuthority, IsValidSid, GetTokenInformation, EqualSid, LookupAccountSidW, RegSetValueExW, CryptGenRandom, RegisterEventSourceW, ReportEventW, SetServiceBits, RegOpenKeyW, GetUserNameW, SetServiceStatus, RegOpenKeyExW, GetSecurityDescriptorDacl, LsaDelete, LsaSetSecret, LsaClose, LsaOpenSecret, LsaCreateSecret, LsaOpenPolicy, LsaFreeMemory, LsaQuerySecret, GetEventLogInformation, LsaQueryInformationPolicy, RegQueryValueExW, RegCloseKey, LogonUserW, AddAccessAllowedAce, InitializeAcl, GetLengthSid, OpenThreadToken, CheckTokenMembership, MakeSelfRelativeSD, MakeAbsoluteSD, IsValidSecurityDescriptor, ElfReportEventW, ElfRegisterEventSourceW, I_ScSendTSMessage, RegNotifyChangeKeyValue, RegCreateKeyExW, RegQueryValueExA, RegOpenKeyExA, GetCurrentHwProfileA, RegEnumKeyExA, RegEnumKeyExW, LsaStorePrivateData, LsaNtStatusToWinError, LsaRetrievePrivateData, RegDeleteValueW, OpenProcessToken > CRYPT32.dll: CertCloseStore, CertCreateCertificateContext, CertOpenStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetIssuerCertificateFromStore, CertVerifySubjectCertificateContext, CryptExportPublicKeyInfo, CertEnumCertificatesInStore, CertFindExtension, CertVerifyCertificateChainPolicy, CertComparePublicKeyInfo, CryptDecodeObject, CryptVerifyCertificateSignature, CryptBinaryToStringW > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, - > AUTHZ.dll: AuthzFreeResourceManager, AuthziAllocateAuditParams, AuthziInitializeAuditParamsWithRM, AuthziInitializeAuditEvent, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthziFreeAuditParams, AuthzInitializeResourceManager, AuthziInitializeAuditEventType, AuthziFreeAuditEventType > mstlsapi.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, - ( 1 exports ) ServiceMain
RDS…: NSRL Reference Data Set -
sigcheck: publisher….: __________ __________ copyright….: (c) __________ __________. ___ _____ ________. product……: ____________ _______ Microsoft_ Windows_ description..: ______ _______ __________ original name: termsrv.exe internal name: termsrv.exe file version.: 5.1.2600.5512 (xpsp.080413-2111) comments…..: n/a signers……: - signing date.: - verified…..: Unsigned
pdfid.: -
trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)