Jiangmin 9.21 Virus Bulletin
English name: TrojanDropper.Agent.aaxa
Chinese name: "Agent Trojan" variant Aaxa
File size: 23552 bytes
Type: Trojan dropper
Hazard level: ★★★
Affected platforms: Windows 9x/Me/NT/2000/XP/2003
MD5: 35db985e312f22cc6ead0a4a5f2d0a2d
Description:
TrojanDropper.Agent.aaxa, "Agent Trojan" variant Aaxa, is one of the newest members of the "Agent Trojan" dropper family. It is written in Microsoft Visual C++ 6.0 and packed. When run, it copies itself to the "%SystemRoot%\System32\dllcache\" folder of the infected computer under the name "Systembox.bak". It then drops a packed malicious DLL component ("*.dll") into "%SystemRoot%\System32\"; the file name is taken in order from the members of the svchost "netsvcs" service group, typically starting with "6to4", and a copy of the DLL is also placed in "%SystemRoot%\System32\dllcache\". It further drops the malicious driver "Wmisvc.sys" into "%SystemRoot%\System32\drivers\", which it uses to defeat the self-protection of various security products. The Trojan terminates the processes of a large number of security products and uses the registry's Image File Execution Options (IFEO) hijack to keep them from starting normally.

Once the dropped DLL is running, it downloads other Trojans or connects to a designated drive-by download page, causing varying degrees of loss to users. The variant also spreads through removable storage devices and network shares: it copies itself to "[drive letter]:\recycle.{645ff040-5081-101b-9f08-00aa002f954e}\ghost.exe" and writes an "Autorun.inf" file so that the system's AutoPlay feature launches it. Using a built-in password list, it connects to network shares protected by weak passwords; once a connection succeeds, it copies itself to that computer's "C:\" as "Bootfont.exe" and launches it through the Scheduled Tasks feature. In addition, it infects some files with the extensions ".exe", ".asp", ".htm", ".html", ".aspx" and ".rar", adding further risk for the user.

"Agent Trojan" variant Aaxa registers itself as a system service on the infected computer so that it starts automatically at boot.

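As an added example (not code from the Jiangmin bulletin or from the malware it describes), the script below triages an offline `reg query ... /s` text dump for the two registry artefacts named above: an IFEO "Debugger" value placed on a security product's executable, and a netsvcs group member whose ServiceDll no longer matches a clean-host baseline. The dump, the security-product process name `avp.exe` and the baseline ServiceDll paths are constructed for the example; a real baseline is captured from a known-clean machine of the same Windows build, and legitimate IFEO Debugger entries (JIT debuggers) do exist, so every hit is reported for the analyst to judge rather than auto-classified.

```python
"""Offline triage of a `reg query <key> /s` text dump for IFEO Debugger
hijacks and replaced netsvcs ServiceDll entries. Added example; not code
from the bulletin or the malware."""
import re
from typing import Dict, List, Optional, Tuple

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# CONSTRUCTED sample in the layout `reg query` prints: an unindented key path
# followed by indented "name  TYPE  data" lines. File names are the bulletin's;
# avp.exe stands in for any security product's process.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
    Debugger    REG_SZ    C:\WINDOWS\system32\dllcache\Systembox.bak

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0Browser\0wuauserv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\6to4.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\appmgmts.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\wuauserv.dll
"""

# CONSTRUCTED baseline: netsvcs member -> ServiceDll on a clean host (lower-case).
# Capture the real one from a known-clean machine of the same Windows build.
BASELINE_SERVICEDLL = {
    "6to4": r"%systemroot%\system32\6to4svc.dll",
    "appmgmt": r"%systemroot%\system32\appmgmts.dll",
    "browser": r"%systemroot%\system32\browser.dll",
    "wuauserv": r"%systemroot%\system32\wuauserv.dll",
}

RegDump = Dict[str, Dict[str, Tuple[str, str]]]  # key path -> {value: (type, data)}


def parse_reg_dump(text: str) -> RegDump:
    """Key lines start with HKEY_; indented value lines split into
    name / type / data on tabs or runs of two or more spaces."""
    reg: RegDump = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            current = raw.rstrip()
            reg.setdefault(current, {})
        elif current is not None and raw[0].isspace():
            parts = re.split(r"\t|\s{2,}", raw.strip(), maxsplit=2)
            if len(parts) >= 2:
                reg[current][parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return reg


def lookup(reg: RegDump, key: str) -> Dict[str, Tuple[str, str]]:
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    wanted = key.lower()
    return next((v for k, v in reg.items() if k.lower() == wanted), {})


def find_ifeo_debuggers(reg: RegDump) -> List[Tuple[str, str]]:
    """(image name, debugger path) for every IFEO subkey with a Debugger value.
    Windows starts the Debugger path instead of the image, which is how the
    Trojan stops security software from running."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in reg.items():
        if key.lower().startswith(prefix):
            for name, (_, data) in values.items():
                if name.lower() == "debugger":
                    hits.append((key[len(prefix):], data))
    return hits


def netsvcs_members(reg: RegDump) -> List[str]:
    r"""reg query renders REG_MULTI_SZ with a literal \0 between strings."""
    for name, (_, data) in lookup(reg, SVCHOST_KEY).items():
        if name.lower() == "netsvcs":
            return [m for m in data.split(r"\0") if m]
    return []


def check_netsvcs(reg: RegDump, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(member, observed ServiceDll, reason) for members whose DLL is not the
    baseline's. Members without a ServiceDll are skipped: netsvcs lists
    services that are not installed on every build."""
    findings = []
    for member in netsvcs_members(reg):
        params = lookup(reg, SERVICES_KEY + "\\" + member + "\\Parameters")
        observed = next((d for n, (_, d) in params.items() if n.lower() == "servicedll"), "")
        if not observed:
            continue
        expected = baseline.get(member.lower())
        if expected is None:
            findings.append((member, observed, "member not in baseline"))
        elif observed.lower() != expected.lower():
            findings.append((member, observed, "ServiceDll differs from baseline " + expected))
    return findings


def triage(dump: str, baseline: Dict[str, str]) -> Dict[str, list]:
    reg = parse_reg_dump(dump)
    return {"ifeo": find_ifeo_debuggers(reg), "netsvcs": check_netsvcs(reg, baseline)}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, BASELINE_SERVICEDLL)
    for image, debugger in result["ifeo"]:
        print("IFEO Debugger on", image, "->", debugger)
    for member, dll, why in result["netsvcs"]:
        print("netsvcs", member, "->", dll, "(" + why + ")")
```

On the sample the script reports the Debugger hijack on avp.exe and the 6to4 member whose ServiceDll is not the baseline's; AppMgmt and wuauserv match, and Browser has no installed service DLL and is skipped. A name heuristic alone ("DLL named after the group member") would misfire on members such as Browser, which is why the baseline comparison is the check that matters.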
English name: EXPLOIT.SQLSHELL.O
Chinese name: "SQL Phantom" variant O
File size: 227328 bytes
Type: Exploit
Hazard level: ★
Affected platforms: Windows 9x/Me/NT/2000/XP/2003
MD5: 750e784163ea09d7889b4e1110b985e2
Description:
EXPLOIT.SQLSHELL.O, "SQL Phantom" variant O, is one of the newest members of the "SQL Phantom" exploit family. It is written in a high-level language, is packed, and is a DLL component dropped by other malicious programs. When run, it drops the packed malicious DLL components "Dwinter.dll" and "Dwintel.dll" into the "%SystemRoot%\System32\" directory of the infected system. The variant targets a known weakness in Microsoft SQL Server (the original bulletin names "SQL Server 2003", which was never released; SQL Server 2000 was current for the listed platforms): it scans the current network segment for database services and connects to any that accept SQL Server logins with weak passwords under mixed-mode authentication. The attacker then sends a specific query that causes the previously dropped DLL to be loaded and invoked; once this succeeds, the variant can download other malicious programs via FTP or execute arbitrary code on the server, causing varying degrees of damage to users of the infected system.
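As an added example (not from the Jiangmin bulletin), the T-SQL below audits, from the defender's side, the conditions this variant depends on: mixed-mode authentication, SQL logins with a blank or trivial password, and the server-side mechanisms by which a query can make SQL Server load a DLL. The bulletin does not say how the dropped DLL is invoked; the assumption here is an extended stored procedure registered in master (the documented way a query calls into a DLL), with xp_cmdshell checked alongside. The catalog views are SQL Server 2005 and later; the SQL Server 2000 equivalents are given in comments, and `rogue_xproc` in the remediation step is a placeholder for whatever name the audit returns.

```sql
-- Added example: defensive audit for the weak-login / DLL-invocation path the
-- "SQL Phantom" write-up describes. Run as sysadmin on the instance.

-- 1. Authentication mode. 1 = Windows authentication only;
--    0 = mixed mode, which is what makes SQL logins such as 'sa' guessable.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL logins whose password is blank or equal to the login name.
--    PWDCOMPARE tests a clear-text candidate against the stored hash.
--    (SQL Server 2000: SELECT name FROM master..syslogins
--     WHERE isntname = 0 AND PWDCOMPARE('', password) = 1)
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- 3. Extended stored procedures not shipped by Microsoft: each one maps a
--    procedure name to a DLL that the server loads in-process when called.
--    Assumption: this is how the dropped DLL is reached by a query.
--    (SQL Server 2000: EXEC sp_helpextendedproc)
SELECT name, dll_name, create_date
FROM   sys.extended_procedures
WHERE  is_ms_shipped = 0;

-- 4. Whether xp_cmdshell is enabled (config_value 0 = disabled).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

-- Remediation once a rogue entry is confirmed. 'rogue_xproc' is a placeholder
-- for the name returned by step 3; the DLL itself still has to be removed
-- from %SystemRoot%\System32\ after the procedure is dropped.
-- EXEC sp_dropextendedproc 'rogue_xproc';
-- EXEC sp_configure 'xp_cmdshell', 0;
-- RECONFIGURE;
```

Switching the instance to Windows-only authentication (step 1 returning 1) removes the password-guessing surface entirely; where SQL logins must remain, the weak-password query in step 2 is the one to schedule, since a single guessable login is all the variant needs.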