   AVZ  4.30
   25.01.2009 4:32:49
 :  - 207013,  - 2,   - 56,   24.01.2009 16:53
  : 372
  : 9
    : 84381
  :   
 : 
 Windows: 5.1.2600, Service Pack 1 ; AVZ    
 : 
1.  RootKit  ,   API
1.1   API,   UserMode
  kernel32.dll,      .text
  ntdll.dll,      .text
  user32.dll,      .text
  advapi32.dll,      .text
  ws2_32.dll,      .text
  wininet.dll,      .text
  rasapi32.dll,      .text
  urlmon.dll,      .text
  netapi32.dll,      .text
1.2   API,   KernelMode
   
 SDT  (RVA=0751C0)
  ntoskrnl.exe      804D4000
   SDT = 805491C0
   KiST = 804FDFD8 (284)
 : 284, : 0, : 0
1.3  IDT  SYSENTER
    1
    2
  IDT  SYSENTER 
 >>>>    1092 c:\windows.2\fonts\wmsncs.exe
1.4     
   ,       AVZPM
   
1.5   IRP
  
2.  
   : 30
 -   1288 C:\WINDOWS.2\System32\PAStiSvc.exe
[ES]:    
[ES]:   
 -   2684 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
[ES]:    
[ES]:   !!
 -   4284 C:\Program Files\Opera\opera.exe
[ES]:   
[ES]: DLL RASAPI - ,     ?
>>>    = 2805760
 -   1092 C:\WINDOWS.2\Fonts\wmsncs.exe
[ES]:   
[ES]:  TCP !
[ES]:Trojan.PSW ?
[ES]: -      FU-Based 
[ES]:    
[ES]:EXE  ?
[ES]:   
[ES]:   !!
[ES]:    Firewall  
[ES]:      ?
[ES]: DLL RASAPI - ,     ?
  "susp Trojan-LowZones.gen"
   : 309
  
3.  
4.  Winsock Layered Service Provider (SPI/LSP)
  LSP .   
5.    // (Keylogger,  DLL)
6.    TCP/UDP,   
   
7. c  
  Winlogon\Shell,     "explorer.exe "c:\windows.2\fonts\wmsncs.exe""
>>> C:\WINDOWS.2\Fonts\wmsncs.exe :       (  )
 
8.   
>> :     TermService ( )
>> :     SSDPSRV (  SSDP)
>> :     Schedule ( )
>> :     mnmsrvc (NetMeeting Remote Desktop Sharing)
>> :     RDSessMgr (      )
> :   -           (,     ...)!
>> :     CDROM
>>> :  IE      ActiveX
>> :     
 
9.     
 >>     
 >>  Internet Explorer -      ActiveX
 >>     HDD
 >>      
 >>      
 
 : 339,   : 0,    0,  - 0
   25.01.2009 4:33:30
  00:00:42
            ,
      - http://virusinfo.info
  
  
