Вирус Win32/Spy.Ursnif.A

Сегодня обнаружил новый вирус Win32/Spy.Ursnif.A
Как видно из таблички ниже — Ни Касперский, ни Dr.Web, ни Avira его не распознают. Nod32 его увидел , но вылечить не смог. А так же не смог даже удалить. По сайту Virustotal.com его признают вирусом 13 из 41 антивируса, а значит игнорировать такую угрозу просто глупо.
Я нашел чистую незараженную Dll-ку. Выкладываю здесь.
termsrv.dll
Распакуйте архив в папку c:\windows\system32 в безопастном режиме или загрузившись с любого загрузочного диска имеющего доступ к системным папкам.

Файл termsrv.dll получен 2010.01.21 18:51:51 (UTC)
Антивирус Версия Обновление Результат
a-squared 4.5.0.50 2010.01.21 Riskware.Win32.Ursnif!IK
AhnLab-V3 5.0.0.2 2010.01.21
AntiVir 7.9.1.146 2010.01.21
Antiy-AVL 2.0.3.7 2010.01.21
Authentium 5.2.0.5 2010.01.21
Avast 4.8.1351.0 2010.01.21
AVG 9.0.0.730 2010.01.21
BitDefender 7.2 2010.01.21 Backdoor.Generic.247076
CAT-QuickHeal 10.00 2010.01.21
ClamAV 0.94.1 2010.01.21
Comodo 3659 2010.01.21 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.01.21
eSafe 7.0.17.0 2010.01.20
eTrust-Vet 35.2.7250 2010.01.21
F-Prot 4.5.1.85 2010.01.20
F-Secure 9.0.15370.0 2010.01.21 Backdoor.Generic.247076
Fortinet 4.0.14.0 2010.01.21 W32/Patched.E!tr
GData 19 2010.01.21 Backdoor.Generic.247076
Ikarus T3.1.1.80.0 2010.01.21 VirTool.Win32.Ursnif
Jiangmin 13.0.900 2010.01.21
K7AntiVirus 7.10.951 2010.01.20 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.01.21
McAfee 5867 2010.01.20 potentially unwanted program Patched Termsrv
McAfee+Artemis 5867 2010.01.20 potentially unwanted program Patched Termsrv
McAfee-GW-Edition 6.8.5 2010.01.21
Microsoft 1.5302 2010.01.21 VirTool:Win32/Ursnif.B
NOD32 4791 2010.01.20 Win32/Spy.Ursnif.A
Norman 6.04.03 2010.01.20
nProtect 2009.1.8.0 2010.01.21
Panda 10.0.2.2 2010.01.21 Trj/CI.A
PCTools 7.0.3.5 2010.01.21
Prevx 3.0 2010.01.21
Rising 22.31.03.04 2010.01.21
Sophos 4.50.0 2010.01.21
Sunbelt 3.2.1858.2 2010.01.21
Symantec 20091.2.0.41 2010.01.21
TheHacker 6.5.0.8.157 2010.01.21
TrendMicro 9.120.0.1004 2010.01.21
VBA32 3.12.12.1 2010.01.20
ViRobot 2010.1.21.2148 2010.01.21
VirusBuster 5.0.21.0 2010.01.20
Дополнительная информация
File size: 295936 bytes
MD5…: cdb13f1e48540e19f4b961e77904f168
SHA1..: c9da870e74b7caf003ff3672a7c3227cd332befa
SHA256: 1d716c779a7524d1f1523c55903cb773de7c62437291474bb1dd619441ab0068
ssdeep: 6144:nc51EYcaOzaJ9cBIGxIK7zjL38kY0caPQ/6JnS3f2LntmNwTrAM:nc70aOz
a4xIOjLbPQiJnRtcU
PEiD..: —
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x219fd
timedatestamp…..: 0x480381e3 (Mon Apr 14 16:10:11 2008)
machinetype…….: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3f7ca 0x3f800 6.62 3b17550ec0b93633ac198889c1011bf6
.data 0x41000 0x9838 0x1200 5.40 5d65a3663dd1e46550c681e04de1361f
.rsrc 0x4b000 0x40d4 0x4200 3.98 c31aca52a9a4ad92327931e329286723
.reloc 0x50000 0x32ee 0x3400 6.19 c59c84e9cda7289330e30d991fa19248

( 17 imports )
> msvcrt.dll: wcscpy, wcscmp, _except_handler3, _wcsnicmp, wcscat, swscanf, wcsncpy, wcslen, wcsncat, swprintf, wcsrchr, memmove, _snwprintf, wcschr, sprintf, qsort, strncpy, gmtime, time, mktime, _mbslen, mbstowcs, __3@YAXPAX@Z, __2@YAPAXI@Z, free, _initterm, malloc, _adjust_fdiv, _ftol, _snprintf, strncmp, iswdigit, _wcsupr, wcstok, _wtol, _stricmp, __CxxFrameHandler, _purecall, _wcsicmp
> ntdll.dll: NtOpenProcessToken, NtQueryInformationToken, RtlLengthSid, RtlCopySid, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquireResourceShared, NtDelayExecution, DbgBreakPoint, RtlPrefixUnicodeString, NtResetEvent, NtWaitForMultipleObjects, RtlInitializeGenericTable, RtlDeleteCriticalSection, NtOpenProcess, NtQueryVirtualMemory, RtlLookupElementGenericTable, RtlCompareMemory, RtlInsertElementGenericTable, RtlDeleteElementGenericTable, RtlInitializeResource, NtCreateEvent, NtDuplicateObject, NtQuerySystemTime, RtlEqualSid, RtlAdjustPrivilege, RtlInitializeCriticalSection, NtTerminateProcess, RtlLengthRequiredSid, NtReleaseMutant, NtWaitForSingleObject, NtCreateMutant, NtQueryInformationProcess, NtDuplicateToken, NtSetInformationThread, RtlpNtEnumerateSubKey, NtRequestPort, NtConnectPort, NtSetEvent, RtlEnterCriticalSection, RtlAllocateHeap, NtOpenThreadToken, NtReplyPort, NtCompleteConnectPort, NtAcceptConnectPort, NtCreateSection, NtReplyWaitReceivePort, RtlFreeUnicodeString, NtCreatePort, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlQueryRegistryValues, NtDeviceIoControlFile, RtlExtendedLargeIntegerDivide, RtlConvertExclusiveToShared, RtlConvertSharedToExclusive, RtlDeleteResource, NtRequestWaitReplyPort, RtlFreeHeap, RtlLeaveCriticalSection, RtlAcquireResourceExclusive, RtlReleaseResource, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, NtClose, VerSetConditionMask, RtlCreateEnvironment, RtlSetProcessIsCritical, DbgPrint, NtQuerySystemInformation, NtSetTimer, NtCreateTimer, RtlCopySecurityDescriptor, RtlNtStatusToDosError, RtlDeleteAce, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlMapGenericMask, RtlSubAuthoritySid, RtlInitializeSid, RtlCreateUserSecurityObject, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlCreateSecurityDescriptor, RtlWriteRegistryValue, RtlCreateRegistryKey, RtlLengthSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, NtSetSecurityObject, NtQuerySecurityObject, NtOpenSymbolicLinkObject, NtQueryDirectoryObject, NtCreateDirectoryObject, RtlFreeSid, RtlAllocateAndInitializeSid, RtlIntegerToUnicodeString, RtlAppendUnicodeToString, NtQueryMutant
> ICAAPI.dll: IcaOpen, IcaStackCallback, IcaStackConnectionWait, IcaStackConnectionRequest, IcaStackConnectionAccept, _IcaStackIoControl, IcaStackUnlock, IcaStackReconnect, IcaStackTerminate, IcaChannelClose, IcaStackIoControl, IcaPushConsoleStack, IcaChannelOpen, IcaChannelIoControl, IcaStackConnectionClose, IcaStackClose, IcaClose, IcaIoControl, IcaStackOpen, IcaStackDisconnect
> SHELL32.dll: SHGetFolderPathA
> SETUPAPI.dll: SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList
> SHLWAPI.dll: PathAppendA
> WINTRUST.dll: CryptCATAdminCalcHashFromFileHandle, CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminReleaseCatalogContext, CryptCATAdminReleaseContext, WTHelperProvDataFromStateData, WTHelperGetProvSignerFromChain, CryptCATAdminAcquireContext, WinVerifyTrust
> RPCRT4.dll: RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, RpcServerRegisterIfEx, RpcBindingToStringBindingW, RpcServerListen, RpcImpersonateClient, I_RpcBindingIsClientLocal, RpcRevertToSelf, RpcServerUseProtseqEpW, I_RpcBindingInqLocalClientPID, RpcStringFreeW, RpcRaiseException, RpcSsContextLockExclusive, NdrServerCall2, RpcServerRegisterIf, RpcStringBindingParseW
> KERNEL32.dll: GetLocalTime, GetDiskFreeSpaceA, GetDateFormatW, FileTimeToSystemTime, InitializeCriticalSection, GetVersion, CreateMutexW, GetModuleHandleA, InterlockedExchange, OutputDebugStringA, GetProcessAffinityMask, SetThreadAffinityMask, ResumeThread, GetExitCodeThread, GetSystemInfo, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GetVolumeInformationA, GlobalMemoryStatus, lstrlenA, lstrcpyA, GetFileSize, WriteFile, SetFilePointer, ReadFile, CreateFileA, HeapAlloc, HeapFree, CompareFileTime, CreateWaitableTimerW, SetWaitableTimer, FormatMessageW, LeaveCriticalSection, GetSystemDefaultLCID, SystemTimeToFileTime, LoadLibraryExA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetCurrentThreadId, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, lstrcpynW, GetACP, MultiByteToWideChar, SetLastError, lstrlenW, LocalFree, LocalAlloc, GetProcessHeap, DisableThreadLibraryCalls, DebugBreak, Sleep, CloseHandle, CreateProcessW, GetCurrentProcessId, IsDebuggerPresent, GetVersionExW, ResetEvent, SetEvent, VerifyVersionInfoW, CreateEventW, GetLastError, ReleaseMutex, UnmapViewOfFile, MapViewOfFile, OpenFileMappingW, WaitForMultipleObjects, OpenEventW, OpenMutexW, InterlockedDecrement, CreateThread, CreateFileW, GetSystemDirectoryW, GetSystemTime, GetComputerNameA, GetSystemTimeAsFileTime, UnregisterWait, WaitForSingleObject, InterlockedIncrement, lstrcpyW, ExitThread, QueryDosDeviceW, ProcessIdToSessionId, IsBadReadPtr, IsBadWritePtr, OpenProcess, GetComputerNameW, FreeLibrary, GetProcAddress, LoadLibraryW, GetProfileStringW, GetTickCount, RegisterWaitForSingleObject, lstrcatW, lstrcmpiW, GetProfileIntW, GetWindowsDirectoryW, SetThreadPriority, GetCurrentThread, LocalSize, GetCurrentProcess, PulseEvent, GetComputerNameExW, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, DeleteCriticalSection
> USER32.dll: GetCursorPos, wvsprintfA, BroadcastSystemMessageA, wsprintfA, GetSystemMetrics, wsprintfW, ExitWindowsEx, LoadStringW, MessageBeep, GetMessageTime
> Secur32.dll: GetUserNameExW
> WS2_32.dll: -, -, -, getaddrinfo, -, —
> ADVAPI32.dll: GetSidSubAuthorityCount, GetSidSubAuthority, AccessCheckAndAuditAlarmW, AllocateAndInitializeSid, SetEntriesInAclW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegEnumKeyW, DeregisterEventSource, CryptAcquireContextW, CryptCreateHash, CryptImportKey, CryptVerifySignatureW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, AddAce, GetAce, GetAclInformation, GetUserNameA, CryptHashData, RegisterServiceCtrlHandlerW, GetSidIdentifierAuthority, IsValidSid, GetTokenInformation, EqualSid, LookupAccountSidW, RegSetValueExW, CryptGenRandom, RegisterEventSourceW, ReportEventW, SetServiceBits, RegOpenKeyW, GetUserNameW, SetServiceStatus, RegOpenKeyExW, GetSecurityDescriptorDacl, LsaDelete, LsaSetSecret, LsaClose, LsaOpenSecret, LsaCreateSecret, LsaOpenPolicy, LsaFreeMemory, LsaQuerySecret, GetEventLogInformation, LsaQueryInformationPolicy, RegQueryValueExW, RegCloseKey, LogonUserW, AddAccessAllowedAce, InitializeAcl, GetLengthSid, OpenThreadToken, CheckTokenMembership, MakeSelfRelativeSD, MakeAbsoluteSD, IsValidSecurityDescriptor, ElfReportEventW, ElfRegisterEventSourceW, I_ScSendTSMessage, RegNotifyChangeKeyValue, RegCreateKeyExW, RegQueryValueExA, RegOpenKeyExA, GetCurrentHwProfileA, RegEnumKeyExA, RegEnumKeyExW, LsaStorePrivateData, LsaNtStatusToWinError, LsaRetrievePrivateData, RegDeleteValueW, OpenProcessToken
> CRYPT32.dll: CertCloseStore, CertCreateCertificateContext, CertOpenStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetIssuerCertificateFromStore, CertVerifySubjectCertificateContext, CryptExportPublicKeyInfo, CertEnumCertificatesInStore, CertFindExtension, CertVerifyCertificateChainPolicy, CertComparePublicKeyInfo, CryptDecodeObject, CryptVerifyCertificateSignature, CryptBinaryToStringW
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, —
> AUTHZ.dll: AuthzFreeResourceManager, AuthziAllocateAuditParams, AuthziInitializeAuditParamsWithRM, AuthziInitializeAuditEvent, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthziFreeAuditParams, AuthzInitializeResourceManager, AuthziInitializeAuditEventType, AuthziFreeAuditEventType
> mstlsapi.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, —

( 1 exports )
ServiceMain

RDS…: NSRL Reference Data Set
sigcheck:
publisher….: __________ __________
copyright….: (c) __________ __________. ___ _____ ________.
product……: ____________ _______ Microsoft_ Windows_
description..: ______ _______ __________
original name: termsrv.exe
internal name: termsrv.exe
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments…..: n/a
signers……: —
signing date.: —
verified…..: Unsigned
pdfid.: —
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Комментарий (61)

  • дИМА| 3 июля 2012

    СПАСИБО ПОМОГЛО ПРОСТО ЗАМЕНИЛ ФАЙЛ БЕЗ ВСЯКОГО ЗАХОДА В БЕЗОПАСНЫЙ РЕЖИМ ПРОВЕРИЛ NOD БОЛЬШЕ НЕ ВЫСКАКИВАЕТ

  • анна| 22 ноября 2012

    распаковала файл в папку, но ничего не изменилось. антивирус как видел вирус так и обнаруживает его(((может что-то не так сделала…и еще не понимаю. для чего эта таблица приведена после комментариев?

  • Free porno daiting| 8 сентября 2015

    Free porno daiting

    Free porno daiting

  • Оставить ответ

    Ваш e-mail не будет опубликован. Обязательные поля помечены *

    Изображения должны быть включены!