The reason I posted this is because Vista machines, firewall or no, are HIGHLY vulnerable to this. It will affect a lot of casual internet users ("surfers").
Originally Posted by http://www.threatexpert.com
|
Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.
The following files were created in the system:
1 %System%\qnkfqvs.dll
2 %System%\wkgszvx.exe Trojan-Downloader.Win32.Agent.aukz [Kaspersky Lab] Troj/Vundeb-A [Sophos]
Memory Modifications
There was a new process created in the system:
wkgszvx.exe %System%\wkgszvx.exe 16,384 bytes
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B05D9B24-659E-3715-B858-2D1B1CCD131A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B05D9B24-659E-3715-B858-2D1B1CCD131A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B05D9B24-659E-3715-B858-2D1B1CCD131A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B05D9B24-659E-3715-B858-2D1B1CCD131A}\InprocServer32]
(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B05D9B24-659E-3715-B858-2D1B1CCD131A}]
(Default) = "D"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}\TypeLib]
(Default) = "{1E5E364E-BAEE-37C2-BA28-2520937A874C}"
Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}\ProxyStubClsid32]
(Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}\ProxyStubClsid]
(Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B70FAF4-9E89-33B9-9CA7-6C4765B2CCF8}]
(Default) = "IDOMPeek"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\0\win32]
(Default) = "[file and pathname of the sample #1]"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\HELPDIR]
(Default) = "%System%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0\FLAGS]
(Default) = "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E5E364E-BAEE-37C2-BA28-2520937A874C}\1.0]
(Default) = "LIB"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B05D9B24-659E-3715-B858-2D1B1CCD131A}]
IExplore = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
Debugger = "%System%\wkgszvx.exe"
so that wkgszvx.exe is injected into the execution sequence of iexplore.exe by being installed as its default debugger.
|
Be warned, as of today there is a new drive by downloader (injects itself into your browser via websites).
I picked this one up today. Rather annoying. Opens like... thirty iexplore.exe processes. I don't know what else it does, though I do know that it completely axes Internet Explorer when you remove it. It's a simple fix though.
Open your registry editor and navigate to the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
There will be an entry that says "Debugger". In that entry you will see the trojan file set as your debugger. Right click the key, select Modify and delete the entire entry so it's blank. That will restore your IE back to working order. If I find any other adverse effects, I will be sure to let you know.
Information gathered from:
http://www.threatexpert.com/report.a...435103713cb32f
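The two persistence points the ThreatExpert report lists (the Image File Execution Options "Debugger" value that hijacks iexplore.exe, and the Browser Helper Object registration) can both be audited from an elevated PowerShell prompt. The script below is an added example, not code from the post or from ThreatExpert: it lists every IFEO Debugger value and every registered BHO with the DLL it resolves to and that DLL's Authenticode status, warns on debuggers that are not a known debugging tool, and with -Remove applies the fix from the post for the image given by -Image. Assumptions: it checks HKLM only (where this sample wrote), looks at both the native and Wow6432Node views, and the $knownDebuggers pattern is a hypothetical starting point rather than an allow-list.

```powershell
# Added example, not part of the forum post or the ThreatExpert report.
# Audits IFEO "Debugger" values and Browser Helper Objects, the two persistence
# points in the report above, and optionally applies the post's fix.
# Assumptions: run elevated; HKLM only; $knownDebuggers is a hypothetical pattern.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Image = 'iexplore.exe',   # image whose Debugger value -Remove clears
    [switch]$Remove
)

# Native and Wow6432Node views: a 32-bit BHO on a 64-bit host registers in the latter.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

# Debuggers one would expect to find under IFEO; anything else gets a warning.
$knownDebuggers = 'vsjitdebugger\.exe|windbg\.exe|ntsd\.exe|cdb\.exe|drwtsn32\.exe'

function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            [pscustomobject]@{
                Image      = $key.PSChildName
                Debugger   = $dbg
                Suspicious = ($dbg -notmatch $knownDebuggers)
                Key        = $key.Name
            }
        }
    }
}

function Get-RegisteredBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $clsid = $key.PSChildName
            $name = $null; $dll = $null
            # Resolve the CLSID to its in-process server DLL, as the report's registry dump shows.
            foreach ($cr in $clsidRoots) {
                $inproc = Join-Path $cr "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $name = (Get-ItemProperty -Path (Join-Path $cr $clsid)).'(default)'
                    $dll  = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $sig = if ($expanded -and (Test-Path $expanded)) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else { 'FileMissing' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sig }
        }
    }
}

$debuggers = @(Get-IfeoDebugger)
'== IFEO Debugger values =='
$debuggers | Format-Table -AutoSize
'== Browser Helper Objects (unsigned or missing DLLs deserve a closer look) =='
Get-RegisteredBho | Format-Table -AutoSize

foreach ($d in $debuggers | Where-Object Suspicious) {
    Write-Warning ("Unexpected debugger for {0}: {1}" -f $d.Image, $d.Debugger)
}

if ($Remove) {
    # The post's fix: clear the Debugger value for the target image. Deleting the value
    # rather than blanking it is this script's choice; -WhatIf previews the change.
    foreach ($root in $ifeoRoots) {
        $key = Join-Path $root $Image
        if (-not (Test-Path $key)) { continue }
        if (-not (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Remove Debugger value')) {
            Remove-ItemProperty -Path $key -Name Debugger
        }
    }
}
```

Run it once without switches to see what is registered; a Debugger value pointing at a randomly named executable directly under %System%, like the one in the report, will show up with Suspicious set and a warning. Then `.\Audit-Ifeo.ps1 -Remove -WhatIf` previews the deletion and `.\Audit-Ifeo.ps1 -Remove` performs it. The BHO DLL itself is not deleted by this script, since the report shows the sample also registers CLSID, Interface and TypeLib keys that should be reviewed together rather than removed piecemeal.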