
SRIZBI, WITH 300,000 ZOMBIES, SENDS 60 BILLION SPAM MESSAGES A DAY

msc hotline sat
Monday, May 12, 2008

MEGA-D, which in recent months came to be regarded as the botnet behind 30% of the world's spam, has been displaced by SRIZBI, which is now estimated to be the source of 50% of all spam, with more than 300,000 zombie computers capable of sending more than 60 billion spam messages a day ...



(remember that American billions are not Spanish billions: over there a billion is a thousand million, not a million million as it is here. Just as well! :wink: )



And about the swine in question, they report:


"About the Srizbi rootkit, McAfee"



Type: Trojan
SubType: Rootkit
Discovery Date: 08/06/2007
Length: varies
Minimum DAT: 5091 (08/06/2007)
Updated DAT: 5281 (04/24/2008)
Minimum Engine: 5.1.00
Description Added: 08/06/2007
Description Modified: 03/31/2008 4:01



Overview -

This detection is for a trojan that drops a rootkit component to hide the files and registry entries created by it.



Aliases

Trojan.Win32.Pakes.cmk (F-Secure)
Trojan.Win32.Pakes.cmk (Kaspersky)
Win32/Srizbi.Gen (NOD32)

Characteristics -






Upon execution, this trojan drops the following files.



%windir%\system32\drivers\grande48.sys
%windir%\system32\drivers\<RANDOM name>.sys

The dropped SYS file is detected as the Srizbi.sys trojan.



The trojan drops following file and executes it to delete itself.



%temp%\_it.bat

It creates the following hidden service entries to load its rootkit component.



HKLM\System\CurrentControlSet\services\grande48
HKLM\System\CurrentControlSet\services\<RANDOM name>

It hooks the 'IRP_MJ_DIRECTORY_CONTROL' routine of the NTFS file system driver to hide its files.



It hooks following kernel routines to hide its registry keys.



ZwEnumerateKey
ZwOpenKey

The rootkit component of this trojan is also loaded in Windows safe mode.



It connects to the following remote web server to download email addresses to send spam, and uploads the last crash dump file from the %windir%\minidump folder.



IP Address: 208.72.168.xxx
Port: 4099





Symptoms -



Presence of the above hidden registry key and files.

Method of Infection -



Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.



Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction).





Removal -

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.



Additional Windows ME/XP removal considerations





Variants -

N/A
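The McAfee description above lists concrete host indicators (the dropped drivers, the hidden service keys that share the driver's name, the self-delete batch file, and the address-list server on port 4099). The following is an added triage script, not part of the McAfee write-up or of zonavirus, that checks a host snapshot for those indicators. It runs over a constructed snapshot (file list, service keys, active connections) rather than a live host; the HostSnapshot layout, the driver baseline and the sample values are assumptions for the example. Because the write-up withholds the last octet of the server address, the check matches the whole 208.72.168.0/24 range; a random-name driver is only raised to a confirmed hit when a service key of the same name exists, which is the pairing the description states.

```python
"""Triage a host snapshot for the Srizbi indicators quoted in the McAfee description.
Added example; input is a constructed snapshot, not a live system."""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators taken from the quoted write-up.
KNOWN_DRIVER = r"%windir%\system32\drivers\grande48.sys"
KNOWN_SERVICE = r"HKLM\System\CurrentControlSet\services\grande48"
SELF_DELETE_BAT = r"%temp%\_it.bat"
# The write-up gives 208.72.168.xxx (last octet withheld), so the whole /24 is matched.
C2_NET = ipaddress.ip_network("208.72.168.0/24")
C2_PORT = 4099

# Shape of the <RANDOM name>.sys driver and its <RANDOM name> service key.
DRIVER_RE = re.compile(r"^%windir%\\system32\\drivers\\[A-Za-z0-9]+\.sys$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^HKLM\\System\\CurrentControlSet\\services\\[A-Za-z0-9]+$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Assumed snapshot layout: paths keep %windir%/%temp% unexpanded, as in the write-up."""
    files: list                                   # file paths found on the host
    services: list                                # service registry keys reported by the host
    connections: list                             # (remote_ip, remote_port) tuples
    driver_baseline: set = field(default_factory=set)  # drivers known to belong on this host


def triage(snap):
    """Return (severity, reason, evidence) tuples for every indicator matched."""
    findings = []
    baseline = {b.lower() for b in snap.driver_baseline}
    unknown_drivers = {}  # driver stem (without .sys) -> path, for drivers not in the baseline

    for path in snap.files:
        low = path.lower()
        if low == KNOWN_DRIVER.lower():
            findings.append(("hit", "dropped rootkit driver", path))
        elif low == SELF_DELETE_BAT.lower():
            findings.append(("hit", "self-delete batch file", path))
        elif DRIVER_RE.match(path) and low not in baseline:
            stem = low.rsplit("\\", 1)[1][:-4]    # strip the '.sys' suffix
            unknown_drivers[stem] = path

    for key in snap.services:
        low = key.lower()
        name = low.rsplit("\\", 1)[1]
        if low == KNOWN_SERVICE.lower():
            findings.append(("hit", "rootkit service key", key))
        elif SERVICE_RE.match(key) and name in unknown_drivers:
            # Driver and service share a random name: the pairing the write-up describes.
            findings.append(("hit", "unbaselined driver with matching service",
                             f"{unknown_drivers.pop(name)} / {key}"))

    # Unbaselined drivers with no matching service key are worth a look but not a confirmed hit.
    for path in unknown_drivers.values():
        findings.append(("suspicious", "unbaselined driver", path))

    for ip, port in snap.connections:
        if ipaddress.ip_address(ip) in C2_NET and port == C2_PORT:
            findings.append(("hit", "connection to spam address-list server", f"{ip}:{port}"))

    return findings


# Constructed sample snapshot: one clean host entry per category plus the indicators.
SAMPLE = HostSnapshot(
    files=[r"%windir%\system32\drivers\ntfs.sys",
           r"%windir%\system32\drivers\grande48.sys",
           r"%windir%\system32\drivers\qwz51.sys",     # random name, paired with a service
           r"%windir%\system32\drivers\abc9.sys",      # random name, no service: suspicious only
           r"%temp%\_it.bat"],
    services=[r"HKLM\System\CurrentControlSet\services\grande48",
              r"HKLM\System\CurrentControlSet\services\qwz51",
              r"HKLM\System\CurrentControlSet\services\Tcpip"],
    connections=[("208.72.168.5", 4099), ("93.184.216.34", 443)],
    driver_baseline={r"%windir%\system32\drivers\ntfs.sys"},
)

if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE):
        print(f"[{severity}] {reason}: {evidence}")
```

Since the rootkit hides its files and keys from the running system, a snapshot taken with userland tools on the infected host may simply not contain them; the check is meant for data gathered from an offline image, a boot from clean media, or a kernel-level collector.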


SHUT IT DOWN AND LET'S GO!



Be very careful out there....



Remember that the best defence against spam is to require validation of mail senders.
