Technical Information (Analysis)

Backdoor:Win32/FlyAgent.F is a trojan that has backdoor capabilities. It may perform certain actions based on the commands of a remote attacker.

Installation

Backdoor:Win32/FlyAgent.F may drop itself using a random file name in a folder it creates in the Windows system folder. For example:

<system folder>\38955c\cb05e3.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista it is C:\Windows\System32.

It may also create a link in the Startup folder that points to its dropped copy. For example:

<startup folder>\cb05e3.lnk

Note - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.

Payload

Performs backdoor functionality

Backdoor:Win32/FlyAgent.F is capable of performing actions based on the commands of a remote attacker, for example:

Steal user credentials
Connect to various Web sites
Download and execute files
Kill processes
Drop other malware, such as VirTool:Win32/Afrootix.gen!B

Analysis by Andrei Florin Saygo
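The persistence layout described above (a shortcut in the Startup folder pointing to an executable in a randomly named subfolder of the system folder) can be turned into a simple host check. The script below is an added example for triage and is not part of the encyclopedia entry or of any Microsoft tooling. It assumes the random names are short lowercase hex strings, generalising from the single sample path 38955c\cb05e3.exe; that regex is an assumption, so treat matches as leads to review rather than verdicts. It uses the WScript.Shell COM object to resolve shortcut targets and [Environment]::GetFolderPath to locate the per-user, all-users Startup and System folders, so it follows whatever defaults the host actually uses instead of the paths listed in the notes.

```powershell
# Added example (not from the Microsoft encyclopedia entry): list Startup-folder
# shortcuts whose target lives in <system folder>\<random>\<random>.exe, the
# layout Backdoor:Win32/FlyAgent.F is described as using.
# Assumption: "random" names are 4-12 lowercase hex characters, inferred from the
# page's one sample path. Adjust the pattern if triage shows otherwise.

function Get-SuspiciousStartupLinks {
    [CmdletBinding()]
    param(
        # Startup folders to scan; defaults cover the current user and all users.
        [string[]]$StartupFolders = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        ),
        # The location the write-up calls <system folder>.
        [string]$SystemFolder = [Environment]::GetFolderPath('System')
    )

    $shell = New-Object -ComObject WScript.Shell

    # Build the target pattern from the real system folder so the check is not
    # tied to C:\Windows\System32 or C:\Winnt\System32 specifically.
    $escapedSystem = [regex]::Escape($SystemFolder.TrimEnd('\'))
    $pattern = "^$escapedSystem\\[0-9a-f]{4,12}\\[0-9a-f]{4,12}\.exe$"

    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Resolve the shortcut target; -match is case-insensitive by default.
                $target = $shell.CreateShortcut($_.FullName).TargetPath
                if ($target -and $target -match $pattern) {
                    [PSCustomObject]@{
                        Shortcut        = $_.FullName
                        Target          = $target
                        TargetExists    = Test-Path -LiteralPath $target
                        ShortcutCreated = $_.CreationTimeUtc
                    }
                }
            }
    }
}

# Usage: run on the suspect host, then preserve both the .lnk and its target for analysis.
Get-SuspiciousStartupLinks | Format-Table -AutoSize
```

A hit gives you the shortcut path, the resolved target and the shortcut's creation time, which is usually a good first estimate of when the dropper ran; the TargetExists column separates live persistence from leftover shortcuts whose payload has already been removed.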