  Virus.Win32.Xorer.em

: Virus.Win32.Xorer.em
: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
:	?

1.     (   ):
1. lsass.exe 	-   
2. smss.exe	-  

2.     : 
1.	AUTORUN.INF 	- 172 	 
2.	pagefile.exe 	- 8 192	
3.	pagefile.pif	- 93 700 	

3.  Windows\System32\ :
1.	dnsq.dll	- 32 256 
2.	12345.log	- 93 700  (   )

3.  Windows\System32\Com\ :
1.	lsass.exe		- 93 700 
2.	netcfg.000	- 16 384  
3.	netcfg.dll	- 16 384 
4.	smss.exe		- 40 960 

4.     :
C:\Documents and Settings\All Users\ \\\ - ~.exe.41906.exe (   )

5.     :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\]
"AppInit_DLLs" = "C:\Windows\System32\dnsq.dll"

6.   :
1. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
2. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\]
3. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klif\]

7.   :
1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\]
2. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\]

8.  :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\]
"Type" = "radio" -  "checkbox"

9.        :
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

10.    .   exe . 

: 	1.    .
		2.     .
3.  " " (     ).


MaX-13										28  2008 

