 !!!  c   06.04.2008        (/ )
   AVZ  4.30
   17.01.2010 13:02:55
 :  - 157571,  - 2,   - 55,   06.04.2008 17:09
  : 370
  : 9
    : 70476
  :   
 : 
 Windows: 5.1.2600, Service Pack 2 ; AVZ    
 : 
1.  RootKit  ,   API
1.1   API,   UserMode
  kernel32.dll,      .text
  ntdll.dll,      .text
  user32.dll,      .text
  advapi32.dll,      .text
  ws2_32.dll,      .text
  wininet.dll,      .text
  rasapi32.dll,      .text
  urlmon.dll,      .text
  netapi32.dll,      .text
1.2   API,   KernelMode
   
 SDT  (RVA=07B180)
  ntkrnlpa.exe      804D7000
   SDT = 80552180
   KiST = 80501030 (284)
 NtAssignProcessToJobObject (13)  (805CB162->822F28A0),   
 NtOpenProcess (7A)  (805BFB78->822F1CB0),   
 NtOpenThread (80)  (805BFE04->822F20D0),   
 NtSuspendProcess (FD)  (805C9588->822F26D0),   
 NtSuspendThread (FE)  (805C93FA->822F24F0),   
 NtTerminateProcess (101)  (805C74C8->822F1EE0),   
 NtTerminateThread (102)  (805C76C2->822F2310),   
 : 284, : 7, : 0
1.3  IDT  SYSENTER
    1
  IDT  SYSENTER 
1.4     
   ,       AVZPM
   
1.5   IRP
  
2.  
   : 34
 -   1884 C:\WINDOWS\VM305_STI.EXE
[ES]:    
[ES]:   
[ES]:   !!
 -   1892 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
[ES]:   
[ES]:    
[ES]:   !!
[ES]: DLL RASAPI - ,     ?
 -   1908 C:\Program Files\ABBYY Lingvo 12\Lvagent.exe
[ES]:    
[ES]:   !!
 -   212 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
[ES]:   
[ES]:   ?!
[ES]:  TCP !
[ES]:    
[ES]: DLL RASAPI - ,     ?
   : 519
  
3.  
D:\Downloads\INTERNET\DOWNLOAD_MASTER_5.13.1037_RUS\PATCH.EXE -   Virus.Win32.PE_Type1(  75%)
     (D:\Downloads\INTERNET\DOWNLOAD_MASTER_5.13.1037_RUS\PATCH.EXE)
D:\Downloads\INTERNET\OFFLINE_EXPLORER_4.5.2458_RUS\CRACK\PATCH.EXE -   Virus.Win32.PE_Type1(  75%)
     (D:\Downloads\INTERNET\OFFLINE_EXPLORER_4.5.2458_RUS\CRACK\PATCH.EXE)
D:\System Volume Information\_restore{232C1F34-B096-4FC0-BDC0-9895D93E0EED}\RP30\A0022154.EXE -   Virus.Win32.PE_Type1(  75%)
     (D:\System Volume Information\_restore{232C1F34-B096-4FC0-BDC0-9895D93E0EED}\RP30\A0022154.EXE)
4.  Winsock Layered Service Provider (SPI/LSP)
  LSP .   
5.    // (Keylogger,  DLL)
C:\Program Files\ABBYY Lingvo 12\LvHook.dll -->   Keylogger   DLL
C:\Program Files\ABBYY Lingvo 12\LvHook.dll>>>   
  1.   : , 
  2.   
  3.  PID  
C:\Program Files\ABBYY Lingvo 12\LvHook.dll>>> :    76.43%      /
 :     ,      (  FAQ), ..    DLL-
6.    TCP/UDP,   
   317  
     6 TCP   11 UDP 
  ,    
7. c  
>>>   -   
 
8.   
>> :     RemoteRegistry ( )
>> :     TermService ( )
>> :     SSDPSRV (  SSDP)
>> :     Schedule ( )
>> :     mnmsrvc (NetMeeting Remote Desktop Sharing)
>> :     RDSessMgr (      )
> :   -           (,     ...)!
>> :     CDROM
>> :       (C$, D$ ...)
>> :      
>> :     
 
9.     
 >>    
 >>>     - 
 >>   -     
 >>>   -      - 
 >>     HDD
 >>>     HDD - 
 >>      
 >>>       - 
 >>      
 >>>       - 
 
 : 254606,   : 216617,    0,  - 0
   17.01.2010 13:34:29
  00:31:35
            ,
      - http://virusinfo.info
