[Solution] From the Google and Facebook team – E-mail with Infected Attachment

An e-mail with an infected attachment has recently been spreading. To be more precise, the attachment is an .html file which, once opened, accesses a website and downloads a trojan.

The e-mail has the subject “From the Google and Facebook team” and the sender address appears to be service@gmail.com.

Its content is as follows:

Dear subscriber,

As you may know, the holidays are just around the corner, so all of us here at Google and Facebook decided to come together and bring you a new
contest with lots of prizes, including, but not limited to, the new Google Chrome OS which will be released in January 2011, Nexus One smartphones,
Google Maps GPS for your favourite mobile phone and lots more. Think of it as our way of saying: “Thank you !” for supporting our work all this
time. For a chance to win, all you have to do is go to the attached page and follow the instructions.

Hope you enjoy,

Google & Facebook.

It contains the attachment Google and Facebook.html which, once opened, accesses the site ajax.smkberangan.com. From there it downloads the file Google.information.exe, which has a detection rate of 12 out of 41 antivirus engines according to VirusTotal.com.

Do NOT open the e-mail and do not download or run the attached file.
If you have already done so, use the following for DISINFECTION:

1. Download and install Malwarebytes Anti-Malware. Run a full scan of the PC and, at the end, delete the infections found by clicking Remove selected.

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself against such threats in the future, given that they were not detected/removed by your current antivirus.

2. Scan with BitDefender Online Scan: http://www.bitdefender.ro/scanner/online/free.html

For the more technical readers, the virus makes a number of changes to the system, among which it:

  • creates the processes: %Templates%\nvdisp.exe and %Templates%\52_msupdate.exe
  • creates the files: %System%\windows_7full.scr, %Temp%\TMP.dat, %System%\sdra64.exe, %Templates%\System.Data.SQLite.DLL, %System%\workgroup
  • creates the registry keys:
  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\nvdisp
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\nvdisp\DEBUG
  3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[filename of the sample #1 without extension]
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[filename of the sample #1 without extension]\DEBUG
  5. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
  6. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  7. HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
  8. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • accesses and downloads the following files:
  1. http://whatismyip.com/automation/n09230945.asp
  2. http://www.whatismyip.com/automation/n09230945.asp
  3. http://www.mythicbeasts.org/directory/dir/bt.exe
  4. http://www.mythicbeasts.org/directory/dir/link.txt
  5. http://www.mythicbeasts.org/directory/dir/System.Data.SQLite.DLL
  6. http://www.mythicbeasts.org/directory/dir/cfg.bin
  7. http://www.mythicbeasts.org/directory/dir/gate.php
  8. http://www.mythicbeasts.org/directory/dir/ip.php
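As an added example (not code from the post or from FaraVirusi.com), the following Python checker applies the indicators described above to an incoming message: it flags the campaign subject and sender, treats any .html attachment as suspicious, and reports when that attachment points at one of the delivery domains named in the post. The domain set, the regular expression and the sample message are constructed here; whatismyip.com is deliberately left out of the indicator set because it is a legitimate service the sample merely queries.

```python
import email
import re
from email import policy

# Indicators from the advisory above: the domain the HTML attachment opens
# and the domain the trojan later fetches its components from.
KNOWN_BAD_DOMAINS = {"ajax.smkberangan.com", "www.mythicbeasts.org"}
KNOWN_SUBJECT = "From the Google and Facebook team"
KNOWN_SENDER = "service@gmail.com"
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)

def extract_domains(html):
    """Return every host referenced by an absolute or protocol-relative URL."""
    return {m.lower() for m in URL_RE.findall(html)}

def check_message(raw):
    """Score one raw RFC 822 message against the advisory's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip() == KNOWN_SUBJECT:
        reasons.append("subject matches campaign")
    if KNOWN_SENDER in (msg["From"] or "").lower():
        reasons.append("sender matches campaign")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".html", ".htm")):
            continue
        # An HTML attachment is suspicious on its own; note any known domain it references.
        bad = sorted(extract_domains(str(part.get_content())) & KNOWN_BAD_DOMAINS)
        reasons.append(f"HTML attachment {name!r}" + (f" references {bad}" if bad else ""))
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed sample (hypothetical, not the real attachment): it mirrors the
# subject, sender and redirecting HTML attachment described in the post.
SAMPLE_EML = b"""\
From: "Google" <service@gmail.com>
Subject: From the Google and Facebook team
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear subscriber, go to the attached page and follow the instructions.
--b1
Content-Type: text/html; name="Google and Facebook.html"
Content-Disposition: attachment; filename="Google and Facebook.html"

<html><head><meta http-equiv="refresh" content="0;url=http://ajax.smkberangan.com/"></head></html>
--b1--
"""
```

Run `check_message(SAMPLE_EML)` to see all three reasons reported; a plain message with no HTML attachment and a different subject returns `suspicious: False`.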

Administrator FaraVirusi.com
volunteer of the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

5 responses to “[Solution] From the Google and Facebook team – E-mail with Infected Attachment”

  1. Gigi

    So which team do you join in the end? Google or Facebook? 😀

    1. happyday

      I suppose “gogu's face” is a reasonable option 😀 .

  2. TutorialePc

    Good thing avast already knows about this threat and blocks access.

    1. Gigi

      They only added detection yesterday (thanks to me :P).

  3. Ionut Ciurdea

    I for one have been using Avira together with Mbam for a long time... they do a good job together... I use mbam free, that is, only for disinfection and scanning... the pro version with the other options active seems to me to slow down the PC, especially the internet.
