Attention !!! The database was last updated on 06.04.2008; it is recommended to update the databases via automatic update (File/Update databases)
Log of the AVZ antivirus utility, version 4.30
Scan started at 07.11.2008 20:33:24
Database loaded: signatures - 157571, neural profiles - 2, cure microprograms - 55, database dated 06.04.2008 17:09
Heuristic microprograms loaded: 370
IPU (potential vulnerability searcher) microprograms loaded: 9
System file digital signatures loaded: 70476
Heuristic analyser mode: 
Cure mode: 
Windows version: 5.1.2600, Service Pack 3 ; AVZ is running with administrator rights
System Restore: 
1. Searching for RootKits and programs that intercept API functions
1.1 Searching for API hooks operating in UserMode
 Analysing kernel32.dll, export table found in the .text section
 Analysing ntdll.dll, export table found in the .text section
 Analysing user32.dll, export table found in the .text section
 Analysing advapi32.dll, export table found in the .text section
 Analysing ws2_32.dll, export table found in the .text section
 Analysing wininet.dll, export table found in the .text section
 Analysing rasapi32.dll, export table found in the .text section
 Analysing urlmon.dll, export table found in the .text section
 Analysing netapi32.dll, export table found in the .text section
1.2 Searching for API hooks operating in KernelMode
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
 SDT = 8055C700
 KiST = 80504460 (284)
Function NtClose (19) hooked (805BC524->B7004618), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtCreateKey (29) hooked (806237BE->B70044D4), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtDeleteValueKey (41) hooked (80623E1E->B70049B2), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtDuplicateObject (44) hooked (805BDFFC->B70040AC), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtEnumerateKey (47) hooked (80623FFE->BA6C6CA2), hooker spiw.sys
Function NtEnumerateValueKey (49) hooked (80624268->BA6C7030), hooker spiw.sys
Function NtOpenKey (77) hooked (80624B90->B70045AE), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtOpenProcess (7A) hooked (805CB434->B7003FEC), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtOpenThread (80) hooked (805CB6C0->B7004050), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtQueryKey (A0) hooked (80624EB6->BA6C7108), hooker spiw.sys
Function NtQueryValueKey (B1) hooked (806219F6->B70046CE), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtRestoreKey (CC) hooked (80625176->B700468E), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtSetValueKey (F7) hooked (80621D44->B700480E), hooker D:\WINDOWS\System32\Drivers\aswSP.SYS
Functions checked: 284, hooked: 13, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
 IDT and SYSENTER check completed
1.4 Searching for hidden (masked) processes and drivers
 Check not performed because the AVZPM monitoring driver is not installed
   
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_WRITE] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A44F1F8 -> hooker not identified
\FileSystem\ntfs[IRP_MJ_PNP] = 8A44F1F8 -> hooker not identified
 Check completed
2. Memory check
 Number of processes found: 44
 Number of loaded modules: 433
 Memory check completed
3. Disk scan
 Direct read D:\Documents and Settings\User\Local Settings\Temp\~DFC775.tmp
D:\Documents and Settings\User\ \kurpatov_andrei_sredstvo_ot_straha.rar/{RAR}/kurpatov_andrei_sredstvo_ot_straha\kurpatov_andrei_sredstvo_ot_straha.chm/{CHM}//sredstvo_ot_straha-Dateien/sredstvo_ot_straha.exe >>>  -    CHM  - ,    
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/KIMENTA.COM >>>>> Trojan-Dropper.Boot.InstallDisk.c 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/KF.COM >>>>> Trojan.Claes 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/KERMIT.COM >>>>> Trojan.BAT.Phine 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/MKWORM.COM >>>>> MKWorm.715 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/AIRCOP-1.COM >>>>> Trojan-Dropper.Boot.InstallDisk.a 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/ADX.COM >>>>> VCL-based.trojan 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/BOOTKILL.COM >>>>> Trojan.BootKiller.b 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/CALCULUS.EXE >>>>> Trojan.CommFix 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/BYPASS1.EXE >>>>> Trojan.Nukwar 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/COMMTROJ.COM >>>>> Trojan.CommFix 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/DEKODOLO.COM >>>>> Trojan.Dekodolo 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/FORMAT.COM >>>>> Trojan.Format_0D 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/OHBABY.COM >>>>> Trojan.OhBaby 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/NOLITE.COM >>>>> VirTool.DOS.NoLite 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/NOINT.COM >>>>> Trojan-Dropper.Boot.InstallDisk.a 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/NOGZOEEN.EXE >>>>> Trojan.Nogzoeen 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/PET.COM >>>>> Trojan.Anon 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/ROB3.COM >>>>> Trojan.Rob.b 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/ROB2.COM >>>>> Trojan.Rob.c 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/ROB.COM >>>>> Trojan.Rob.a 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/SECT0.COM >>>>> Trojan.Erasefat 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/RUN.EXE >>>>> Trojan.Loader.TCS 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/SURVIVE.COM >>>>> Trojan.Survive 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/STONEDRP.COM >>>>> Trojan-Dropper.Boot.InstallDisk.a 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/STONED_A.COM >>>>> Trojan-Dropper.Boot.InstallDisk.b 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/STONED.COM >>> suspicion of Trojan-Dropper.Boot.InstallDisk.a ( 038F9553 047FC2F7 00000000 00000000 2975)
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/SMASH.EXE >>>>> Trojan.Skism.b 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/SMASH.COM >>>>> Trojan.Skism.a 
D:\Documents and Settings\User\ \Viruses-3732-for-Anti-Virus-Testing.rar/{RAR}/Live Viruses 3732 for Anti-Virus Testing.zip/{ZIP}/TPWORM.EXE >>>>> Tpworm.12969 
D:\Documents and Settings\User\ \Magic Jelly Bean Keyfinder\keyfinder.exe/{RAR-SFX}/officekey.exe >>>>> not-a-virus:PSWTool.Win32.RAS.a 
D:\Program Files\DivX\DivX Converter\dpil100.dll >>> suspicion of AdvWare.Win32.NewWeb.i ( 00707F72 00000000 001AEEF2 001AFFE8 61440)
 Direct read D:\WINDOWS\system32\drivers\sptd.sys
4. Checking Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors found
5. Searching for keyboard/mouse/window event hooks (Keylogger, trojan DLLs)
D:\Program Files\Alwil Software\Avast4\AhJsctNs.dll --> Suspected Keylogger or trojan DLL
D:\Program Files\Alwil Software\Avast4\AhJsctNs.dll>>> Behavioural analysis
 1. Reacts to events: keyboard
D:\Program Files\Alwil Software\Avast4\AhJsctNs.dll>>> Neural network: the file is 99.92% similar to a typical keyboard/mouse event hook
 Note: DO NOT DELETE suspicious files; they should be sent for analysis (see the FAQ), since there are many legitimate DLL hooks
6. Searching for open TCP/UDP ports used by malicious programs
 Check disabled by the user
7. Heuristic system check
 Check completed
8. Searching for potential vulnerabilities
>> Services: potentially dangerous service RemoteRegistry (Remote Registry) is enabled
>> Services: potentially dangerous service TermService (Terminal Services) is enabled
>> Services: potentially dangerous service SSDPSRV (SSDP Discovery Service) is enabled
>> Services: potentially dangerous service Schedule (Task Scheduler) is enabled
>> Services: potentially dangerous service mnmsrvc (NetMeeting Remote Desktop Sharing) is enabled
>> Services: potentially dangerous service RDSessMgr (Remote Desktop Help Session Manager) is enabled
> :   -           (,     ...)!
>> Security: autorun of programs from CDROM is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous access to this PC is allowed
 Check completed
9. Problem search and fix wizard
 >>    -  
 >> Autorun from HDD is enabled
 >> Autorun from network drives is enabled
 >> Autorun from removable media is enabled
 Check completed
Files scanned: 184210, extracted from archives: 155934, malicious programs found 29, suspicions - 2
Scan finished at 07.11.2008 20:57:02
Scan duration 00:23:39
If you suspect the presence of viruses or have questions about the suspected objects,
you can ask on the forum http://virusinfo.info
