TrustWarrior: New Rogue Threat (Removal Guide)

Trust Warrior is a new rogue from the Winisoft family (SoftSafeness, SafetyKeeper, SaveKeeper, Quick Heal Cleaner, System Cop, SaveDefense, Trust Ninja, SaveSoldier, SaveKeep, Winishield, WiniFighter).
This rogue program is far more dangerous than the others presented on this blog. This fake antivirus is installed by a Trojan-Downloader without the user's permission. Once installed, it creates hundreds of harmless files with random names on the computer, which it then falsely reports as infected, urging the user to buy the software to clean them.

I will not repeat the other actions, which are identical in every program of this kind, but only what makes this one more dangerous. The Trojan used to download it also copies a Fake Alert type Trojan to the PC, and in addition a rootkit. The rootkit uses the same trick as TDSS: it modifies files in memory (using dump_atapi.sys and dump_WMILIB.SYS).

TrustWarrior

It creates the following files\folders:

  • c:\Program Files\TrustWarrior Software
  • c:\Program Files\TrustWarrior Software\TrustWarrior
  • c:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe
  • c:\Program Files\TrustWarrior Software\TrustWarrior\uninstall.exe
  • c:\WINDOWS\1074hazktool7905.bin
  • c:\WINDOWS\10a89acz5oor1785.cpl
  • c:\WINDOWS\10z58s9ambo54d0.exe
  • c:\WINDOWS\system32\52d39tea522z.cpl
  • c:\WINDOWS\system32\52z6ba5kdoor21529.dll
  • c:\WINDOWS\system32\5309zddwar5515.cpl
  • c:\Documents and Settings\All Users\Desktop\TrustWarrior.lnk
  • c:\Documents and Settings\All Users\Start Menu\Programs\TrustWarrior
  • c:\Documents and Settings\All Users\Start Menu\Programs\TrustWarrior\1 TrustWarrior.lnk
  • c:\Documents and Settings\All Users\Start Menu\Programs\TrustWarrior\2 Homepage.lnk
  • c:\Documents and Settings\All Users\Start Menu\Programs\TrustWarrior\3 Uninstall.lnk
  • %Temp%\Local Settings\Temp\xinoprpc.exe

The registry entries below are also associated with it:

HKEY_CURRENT_USER\Software\TrustWarrior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustWarrior
HKEY_LOCAL_MACHINE\SOFTWARE\TrustWarrior
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUSTWARRIORSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustWarriorSvc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TrustWarrior"

HijackThis log entries:

O4 - HKCU\..\Run: [xinoprpc.exe] C:\WINDOWS\system32\xinoprpc.exe
O4 - HKCU\..\Run: [TrustWarrior] C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe -min
O23 - Service: TrustWarrior Security Service (TrustWarriorSvc) - Unknown owner - C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarriorSvc.exe (file missing)
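As an added example (not part of the original post), here is a small Python triage script that parses HijackThis O4 and O23 entries like the ones above and flags those matching the indicators listed in this post. The sample log is constructed from the three entries above plus one benign control line, and the marker list is my assumption drawn from the file and registry lists.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Constructed sample log: the three HijackThis entries quoted in the post plus
# one benign Run entry as a control (constructed, not taken from a real machine).
SAMPLE_LOG = r"""O4 - HKCU\..\Run: [xinoprpc.exe] C:\WINDOWS\system32\xinoprpc.exe
O4 - HKCU\..\Run: [TrustWarrior] C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe -min
O23 - Service: TrustWarrior Security Service (TrustWarriorSvc) - Unknown owner - C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarriorSvc.exe (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"""

# Indicators taken from the file and registry lists in this post (assumed list).
ROGUE_MARKERS = ("trustwarrior", "xinoprpc.exe")

# O4 = autostart Run value, O23 = Windows service. The separator may be "-" or
# "–" because copy/paste often turns HijackThis's hyphen into an en dash.
O4_RE = re.compile(r"^O4 [-–] (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 [-–] Service: (?P<display>.+?) \((?P<svc>[^)]+)\) [-–] "
                    r"(?P<owner>.+?) [-–] (?P<path>.+?)(?P<missing> \(file missing\))?$")

@dataclass
class Entry:
    section: str   # "O4" or "O23"
    name: str      # Run value name or service short name
    target: str    # command line or service binary path
    file_missing: bool = False   # O23 only: HijackThis appended "(file missing)"

def parse_entry(line: str) -> Entry | None:
    """Parse one HijackThis O4/O23 line; lines from other sections give None."""
    line = line.strip()
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], m["cmd"])
    if m := O23_RE.match(line):
        return Entry("O23", m["svc"], m["path"], bool(m["missing"]))
    return None

def classify(entry: Entry) -> str | None:
    # Match value name, command line and service path against the indicators.
    haystack = f"{entry.name} {entry.target}".lower()
    for marker in ROGUE_MARKERS:
        if marker in haystack:
            return f"matches TrustWarrior indicator '{marker}'"
    return None

def triage(log_text: str) -> list[tuple[Entry, str]]:
    # Return (entry, reason) for every flagged O4/O23 line in the log text.
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reason := classify(entry)):
            hits.append((entry, reason))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the two Run entries and the service while leaving the control line alone.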

REMOVAL: Download, install and scan the PC with Malwarebytes Anti-Malware. At the end, delete all the infections found by clicking "Remove selected".

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself against such threats in the future, given that they were not detected\removed by your current antivirus.

Administrator of FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert
