- Личный дневник Spider'a - https://spider.bsyteam.net -

Вирус Win32/Spy.Ursnif.A

Сегодня обнаружил новый вирус Win32/Spy.Ursnif.A
Как видно из таблички ниже — Ни Касперский, ни Dr.Web, ни Avira его не распознают. Nod32 его увидел , но вылечить не смог. А так же не смог даже удалить. По сайту Virustotal.com его признают вирусом 13 из 41 антивируса, а значит игнорировать такую угрозу просто глупо.
Я нашел чистую незараженную Dll-ку. Выкладываю здесь.
termsrv.dll
Распакуйте архив в папку c:\windows\system32 в безопастном режиме или загрузившись с любого загрузочного диска имеющего доступ к системным папкам.

Файл termsrv.dll получен 2010.01.21 18:51:51 (UTC)
АнтивирусВерсияОбновлениеРезультат
a-squared4.5.0.502010.01.21Riskware.Win32.Ursnif!IK
AhnLab-V35.0.0.22010.01.21
AntiVir7.9.1.1462010.01.21
Antiy-AVL2.0.3.72010.01.21
Authentium5.2.0.52010.01.21
Avast4.8.1351.02010.01.21
AVG9.0.0.7302010.01.21
BitDefender7.22010.01.21Backdoor.Generic.247076
CAT-QuickHeal10.002010.01.21
ClamAV0.94.12010.01.21
Comodo36592010.01.21UnclassifiedMalware
DrWeb5.0.1.122222010.01.21
eSafe7.0.17.02010.01.20
eTrust-Vet35.2.72502010.01.21
F-Prot4.5.1.852010.01.20
F-Secure9.0.15370.02010.01.21Backdoor.Generic.247076
Fortinet4.0.14.02010.01.21W32/Patched.E!tr
GData192010.01.21Backdoor.Generic.247076
IkarusT3.1.1.80.02010.01.21VirTool.Win32.Ursnif
Jiangmin13.0.9002010.01.21
K7AntiVirus7.10.9512010.01.20Trojan.Win32.Malware.1
Kaspersky7.0.0.1252010.01.21
McAfee58672010.01.20potentially unwanted program Patched Termsrv
McAfee+Artemis58672010.01.20potentially unwanted program Patched Termsrv
McAfee-GW-Edition6.8.52010.01.21
Microsoft1.53022010.01.21VirTool:Win32/Ursnif.B
NOD3247912010.01.20Win32/Spy.Ursnif.A
Norman6.04.032010.01.20
nProtect2009.1.8.02010.01.21
Panda10.0.2.22010.01.21Trj/CI.A
PCTools7.0.3.52010.01.21
Prevx3.02010.01.21
Rising22.31.03.042010.01.21
Sophos4.50.02010.01.21
Sunbelt3.2.1858.22010.01.21
Symantec20091.2.0.412010.01.21
TheHacker6.5.0.8.1572010.01.21
TrendMicro9.120.0.10042010.01.21
VBA323.12.12.12010.01.20
ViRobot2010.1.21.21482010.01.21
VirusBuster5.0.21.02010.01.20
Дополнительная информация
File size: 295936 bytes
MD5…: cdb13f1e48540e19f4b961e77904f168
SHA1..: c9da870e74b7caf003ff3672a7c3227cd332befa
SHA256: 1d716c779a7524d1f1523c55903cb773de7c62437291474bb1dd619441ab0068
ssdeep: 6144:nc51EYcaOzaJ9cBIGxIK7zjL38kY0caPQ/6JnS3f2LntmNwTrAM:nc70aOz
a4xIOjLbPQiJnRtcU
PEiD..: —
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x219fd
timedatestamp…..: 0x480381e3 (Mon Apr 14 16:10:11 2008)
machinetype…….: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3f7ca 0x3f800 6.62 3b17550ec0b93633ac198889c1011bf6
.data 0x41000 0x9838 0x1200 5.40 5d65a3663dd1e46550c681e04de1361f
.rsrc 0x4b000 0x40d4 0x4200 3.98 c31aca52a9a4ad92327931e329286723
.reloc 0x50000 0x32ee 0x3400 6.19 c59c84e9cda7289330e30d991fa19248

( 17 imports )
> msvcrt.dll: wcscpy, wcscmp, _except_handler3, _wcsnicmp, wcscat, swscanf, wcsncpy, wcslen, wcsncat, swprintf, wcsrchr, memmove, _snwprintf, wcschr, sprintf, qsort, strncpy, gmtime, time, mktime, _mbslen, mbstowcs, __3@YAXPAX@Z, __2@YAPAXI@Z, free, _initterm, malloc, _adjust_fdiv, _ftol, _snprintf, strncmp, iswdigit, _wcsupr, wcstok, _wtol, _stricmp, __CxxFrameHandler, _purecall, _wcsicmp
> ntdll.dll: NtOpenProcessToken, NtQueryInformationToken, RtlLengthSid, RtlCopySid, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquireResourceShared, NtDelayExecution, DbgBreakPoint, RtlPrefixUnicodeString, NtResetEvent, NtWaitForMultipleObjects, RtlInitializeGenericTable, RtlDeleteCriticalSection, NtOpenProcess, NtQueryVirtualMemory, RtlLookupElementGenericTable, RtlCompareMemory, RtlInsertElementGenericTable, RtlDeleteElementGenericTable, RtlInitializeResource, NtCreateEvent, NtDuplicateObject, NtQuerySystemTime, RtlEqualSid, RtlAdjustPrivilege, RtlInitializeCriticalSection, NtTerminateProcess, RtlLengthRequiredSid, NtReleaseMutant, NtWaitForSingleObject, NtCreateMutant, NtQueryInformationProcess, NtDuplicateToken, NtSetInformationThread, RtlpNtEnumerateSubKey, NtRequestPort, NtConnectPort, NtSetEvent, RtlEnterCriticalSection, RtlAllocateHeap, NtOpenThreadToken, NtReplyPort, NtCompleteConnectPort, NtAcceptConnectPort, NtCreateSection, NtReplyWaitReceivePort, RtlFreeUnicodeString, NtCreatePort, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlQueryRegistryValues, NtDeviceIoControlFile, RtlExtendedLargeIntegerDivide, RtlConvertExclusiveToShared, RtlConvertSharedToExclusive, RtlDeleteResource, NtRequestWaitReplyPort, RtlFreeHeap, RtlLeaveCriticalSection, RtlAcquireResourceExclusive, RtlReleaseResource, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, NtClose, VerSetConditionMask, RtlCreateEnvironment, RtlSetProcessIsCritical, DbgPrint, NtQuerySystemInformation, NtSetTimer, NtCreateTimer, RtlCopySecurityDescriptor, RtlNtStatusToDosError, RtlDeleteAce, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlMapGenericMask, RtlSubAuthoritySid, RtlInitializeSid, RtlCreateUserSecurityObject, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlCreateSecurityDescriptor, RtlWriteRegistryValue, RtlCreateRegistryKey, RtlLengthSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, NtSetSecurityObject, NtQuerySecurityObject, NtOpenSymbolicLinkObject, NtQueryDirectoryObject, NtCreateDirectoryObject, RtlFreeSid, RtlAllocateAndInitializeSid, RtlIntegerToUnicodeString, RtlAppendUnicodeToString, NtQueryMutant
> ICAAPI.dll: IcaOpen, IcaStackCallback, IcaStackConnectionWait, IcaStackConnectionRequest, IcaStackConnectionAccept, _IcaStackIoControl, IcaStackUnlock, IcaStackReconnect, IcaStackTerminate, IcaChannelClose, IcaStackIoControl, IcaPushConsoleStack, IcaChannelOpen, IcaChannelIoControl, IcaStackConnectionClose, IcaStackClose, IcaClose, IcaIoControl, IcaStackOpen, IcaStackDisconnect
> SHELL32.dll: SHGetFolderPathA
> SETUPAPI.dll: SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList
> SHLWAPI.dll: PathAppendA
> WINTRUST.dll: CryptCATAdminCalcHashFromFileHandle, CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminReleaseCatalogContext, CryptCATAdminReleaseContext, WTHelperProvDataFromStateData, WTHelperGetProvSignerFromChain, CryptCATAdminAcquireContext, WinVerifyTrust
> RPCRT4.dll: RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, RpcServerRegisterIfEx, RpcBindingToStringBindingW, RpcServerListen, RpcImpersonateClient, I_RpcBindingIsClientLocal, RpcRevertToSelf, RpcServerUseProtseqEpW, I_RpcBindingInqLocalClientPID, RpcStringFreeW, RpcRaiseException, RpcSsContextLockExclusive, NdrServerCall2, RpcServerRegisterIf, RpcStringBindingParseW
> KERNEL32.dll: GetLocalTime, GetDiskFreeSpaceA, GetDateFormatW, FileTimeToSystemTime, InitializeCriticalSection, GetVersion, CreateMutexW, GetModuleHandleA, InterlockedExchange, OutputDebugStringA, GetProcessAffinityMask, SetThreadAffinityMask, ResumeThread, GetExitCodeThread, GetSystemInfo, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GetVolumeInformationA, GlobalMemoryStatus, lstrlenA, lstrcpyA, GetFileSize, WriteFile, SetFilePointer, ReadFile, CreateFileA, HeapAlloc, HeapFree, CompareFileTime, CreateWaitableTimerW, SetWaitableTimer, FormatMessageW, LeaveCriticalSection, GetSystemDefaultLCID, SystemTimeToFileTime, LoadLibraryExA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetCurrentThreadId, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, lstrcpynW, GetACP, MultiByteToWideChar, SetLastError, lstrlenW, LocalFree, LocalAlloc, GetProcessHeap, DisableThreadLibraryCalls, DebugBreak, Sleep, CloseHandle, CreateProcessW, GetCurrentProcessId, IsDebuggerPresent, GetVersionExW, ResetEvent, SetEvent, VerifyVersionInfoW, CreateEventW, GetLastError, ReleaseMutex, UnmapViewOfFile, MapViewOfFile, OpenFileMappingW, WaitForMultipleObjects, OpenEventW, OpenMutexW, InterlockedDecrement, CreateThread, CreateFileW, GetSystemDirectoryW, GetSystemTime, GetComputerNameA, GetSystemTimeAsFileTime, UnregisterWait, WaitForSingleObject, InterlockedIncrement, lstrcpyW, ExitThread, QueryDosDeviceW, ProcessIdToSessionId, IsBadReadPtr, IsBadWritePtr, OpenProcess, GetComputerNameW, FreeLibrary, GetProcAddress, LoadLibraryW, GetProfileStringW, GetTickCount, RegisterWaitForSingleObject, lstrcatW, lstrcmpiW, GetProfileIntW, GetWindowsDirectoryW, SetThreadPriority, GetCurrentThread, LocalSize, GetCurrentProcess, PulseEvent, GetComputerNameExW, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, DeleteCriticalSection
> USER32.dll: GetCursorPos, wvsprintfA, BroadcastSystemMessageA, wsprintfA, GetSystemMetrics, wsprintfW, ExitWindowsEx, LoadStringW, MessageBeep, GetMessageTime
> Secur32.dll: GetUserNameExW
> WS2_32.dll: -, -, -, getaddrinfo, -, —
> ADVAPI32.dll: GetSidSubAuthorityCount, GetSidSubAuthority, AccessCheckAndAuditAlarmW, AllocateAndInitializeSid, SetEntriesInAclW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegEnumKeyW, DeregisterEventSource, CryptAcquireContextW, CryptCreateHash, CryptImportKey, CryptVerifySignatureW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, AddAce, GetAce, GetAclInformation, GetUserNameA, CryptHashData, RegisterServiceCtrlHandlerW, GetSidIdentifierAuthority, IsValidSid, GetTokenInformation, EqualSid, LookupAccountSidW, RegSetValueExW, CryptGenRandom, RegisterEventSourceW, ReportEventW, SetServiceBits, RegOpenKeyW, GetUserNameW, SetServiceStatus, RegOpenKeyExW, GetSecurityDescriptorDacl, LsaDelete, LsaSetSecret, LsaClose, LsaOpenSecret, LsaCreateSecret, LsaOpenPolicy, LsaFreeMemory, LsaQuerySecret, GetEventLogInformation, LsaQueryInformationPolicy, RegQueryValueExW, RegCloseKey, LogonUserW, AddAccessAllowedAce, InitializeAcl, GetLengthSid, OpenThreadToken, CheckTokenMembership, MakeSelfRelativeSD, MakeAbsoluteSD, IsValidSecurityDescriptor, ElfReportEventW, ElfRegisterEventSourceW, I_ScSendTSMessage, RegNotifyChangeKeyValue, RegCreateKeyExW, RegQueryValueExA, RegOpenKeyExA, GetCurrentHwProfileA, RegEnumKeyExA, RegEnumKeyExW, LsaStorePrivateData, LsaNtStatusToWinError, LsaRetrievePrivateData, RegDeleteValueW, OpenProcessToken
> CRYPT32.dll: CertCloseStore, CertCreateCertificateContext, CertOpenStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetIssuerCertificateFromStore, CertVerifySubjectCertificateContext, CryptExportPublicKeyInfo, CertEnumCertificatesInStore, CertFindExtension, CertVerifyCertificateChainPolicy, CertComparePublicKeyInfo, CryptDecodeObject, CryptVerifyCertificateSignature, CryptBinaryToStringW
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, —
> AUTHZ.dll: AuthzFreeResourceManager, AuthziAllocateAuditParams, AuthziInitializeAuditParamsWithRM, AuthziInitializeAuditEvent, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthziFreeAuditParams, AuthzInitializeResourceManager, AuthziInitializeAuditEventType, AuthziFreeAuditEventType
> mstlsapi.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, —

( 1 exports )
ServiceMain

RDS…: NSRL Reference Data Set
sigcheck:
publisher….: __________ __________
copyright….: (c) __________ __________. ___ _____ ________.
product……: ____________ _______ Microsoft_ Windows_
description..: ______ _______ __________
original name: termsrv.exe
internal name: termsrv.exe
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments…..: n/a
signers……: —
signing date.: —
verified…..: Unsigned
pdfid.: —
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)