Внимание вирус!!!

Strannik · 17.10.2007, 13:37

WINSTO.EXE was first seen on Sep 25 2007 in The UNITED STATES
У нас впервые замечен 27 сентября.
Вот такая пакость всё чаще встречается. Вирус - почтовый агент.
Живёт , как правило в папке Temp локального пользователя.
Там же плодит свои копии под именами:
47241357.DAT
2131558230.EXE
3834715934.EXE
WINSTO.EX#
1079434912.EXE
1969923936.EXE
802662940.EXE
238763982.EXE
768244364.EXE
1671870818.EXE
WINSTO.EXE__DELETE_ON_REBOOT
84740134.EXE
39647329.EXE
44908025.EXE
3050562900.EXE
10427722.EXE
4137630588.EXE
1657539746.EXE
53265907.EXE
64236818.EXE
2263287493.EXE
3862967548.EXE
3727244922.EXE
1360439662.EXE
4021366334.EXE
746395414.EXE
439415274.EXE
2163041728.EXE
3003136238.EXE
26782702.EXE
00498825.EXE
85126438.EXE
1817829200.EXE
2979441662.EXE
514922995.EXE
48720020.EXE
2971310896.EXE
382313804.EXE
485403004.EXE
1109500706.EXE
3887404400.EXE
1354923558.EXE
4277921410.EXE
1138283246.EXE
328416521.EXE
3161732842.EXE
156387704.EXE
62584772.EXE
4025763298.EXE

Исходящий трафик просто сумасшедший.
Вот немножко описания:
The filename WINSTO.EXE refers to mutiple instances of an executable program.
The most common file size is 14,913 bytes. But the following file sizes have also been seen:
14,912 bytes
724,992 bytes
14,914 bytes
The unsafe files using this name are associated with the malware group Trojan.Nudos.

These files have no vendor, product or version information specified in the file header.

WINSTO.EXE has been seen to perform the following behavior(s):
The Process is packed and/or encrypted using a software packing process
Adds a Registry Key (RUN) to auto start Programs on system start up
Executes a Process
Can communicate with other computer systems using HTTP protocols
Registers a Dynamic Link Library File
Terminates Processes
This Process Deletes Other Processes From Disk
This Process Creates Other Processes On Disk
Executes Processes stored in Temporary Folders
Modifies Windows Initialization And System Settings Used On Start up

WINSTO.EXE has been the subject of the following behavior(s):
Executed as a Process
Executed from Temporary Folders
Executed by Internet Explorer
Terminated as a Process
Deleted as a process from disk
Created as a process on disk
Added as a Registry auto start to load Program on Boot up
Writes to another Process's Virtual Memory (Process Hijacking)

Всвязи с тем, что скотинка новая - ловят её не все. Вебовский модуль CureIt ловит точно.
А здесь лежит он-лайн сканер:
http://info.prevx.com/download.asp?grab=prevxcsi

17.10.2007, 13:37	#1
Strannik Местный Регистрация: 03.10.2006 Адрес: Москва Сообщений: 576 Вы сказали Спасибо: 0 Поблагодарили 4 раз(а) в 4 сообщениях	Внимание вирус!!! WINSTO.EXE was first seen on Sep 25 2007 in The UNITED STATES У нас впервые замечен 27 сентября. Вот такая пакость всё чаще встречается. Вирус - почтовый агент. Живёт , как правило в папке Temp локального пользователя. Там же плодит свои копии под именами: 47241357.DAT 2131558230.EXE 3834715934.EXE WINSTO.EX# 1079434912.EXE 1969923936.EXE 802662940.EXE 238763982.EXE 768244364.EXE 1671870818.EXE WINSTO.EXE__DELETE_ON_REBOOT 84740134.EXE 39647329.EXE 44908025.EXE 3050562900.EXE 10427722.EXE 4137630588.EXE 1657539746.EXE 53265907.EXE 64236818.EXE 2263287493.EXE 3862967548.EXE 3727244922.EXE 1360439662.EXE 4021366334.EXE 746395414.EXE 439415274.EXE 2163041728.EXE 3003136238.EXE 26782702.EXE 00498825.EXE 85126438.EXE 1817829200.EXE 2979441662.EXE 514922995.EXE 48720020.EXE 2971310896.EXE 382313804.EXE 485403004.EXE 1109500706.EXE 3887404400.EXE 1354923558.EXE 4277921410.EXE 1138283246.EXE 328416521.EXE 3161732842.EXE 156387704.EXE 62584772.EXE 4025763298.EXE Исходящий трафик просто сумасшедший. Вот немножко описания: The filename WINSTO.EXE refers to mutiple instances of an executable program. The most common file size is 14,913 bytes. But the following file sizes have also been seen: 14,912 bytes 724,992 bytes 14,914 bytes The unsafe files using this name are associated with the malware group Trojan.Nudos. These files have no vendor, product or version information specified in the file header. WINSTO.EXE has been seen to perform the following behavior(s): The Process is packed and/or encrypted using a software packing process Adds a Registry Key (RUN) to auto start Programs on system start up Executes a Process Can communicate with other computer systems using HTTP protocols Registers a Dynamic Link Library File Terminates Processes This Process Deletes Other Processes From Disk This Process Creates Other Processes On Disk Executes Processes stored in Temporary Folders Modifies Windows Initialization And System Settings Used On Start up WINSTO.EXE has been the subject of the following behavior(s): Executed as a Process Executed from Temporary Folders Executed by Internet Explorer Terminated as a Process Deleted as a process from disk Created as a process on disk Added as a Registry auto start to load Program on Boot up Writes to another Process's Virtual Memory (Process Hijacking) Всвязи с тем, что скотинка новая - ловят её не все. Вебовский модуль CureIt ловит точно. А здесь лежит он-лайн сканер: http://info.prevx.com/download.asp?grab=prevxcsi __________________ Дорога - она для тех, кто готов пройти через собственный ад, ибо дорога есть удел зрячего и сильного. Последний раз редактировалось Strannik; 17.10.2007 в 14:17.

	◊
www.udomlya.ru \| Медиа-Центр \| Удомля КТВ \| Старый форум

Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)