Tuesday, July 19, 2011

Trojan-Downloader.PowerScan.11

VirusHunter warns computer users about a Trojan program found on the Internet, Trojan-Downloader.PowerScan.11, which is distributed under the guise of an anti-virus scanner that cleans "pornographic garbage" off your computer...


1. Installation on the system.

The Trojan Trojan-Downloader.PowerScan.11 is installed on computers over the Internet once the machine has already been hit by one of the notorious "Trojan-Downloader.ISTbar" family of Trojans. Those Trojans drop it onto the affected computer as a file named powerscan.exe, 70,144 bytes in size (compressed with the "UPX" packer, version 1.24; unpacked it is 184,320 bytes, and the bulk of its code is encrypted), in the following subdirectories they create inside the system's "Program Files" folder:

Program Files\PowerScan\powerscan.exe
Program Files\IST\powerscan.exe

The program has a graphical interface and poses as a scanner, "PowerScan v1.1", that checks the machine for "pornographic trash".

2. Program functionality. Malicious actions.

When started, the program displays its main operating window:
[screenshot: main operating window]

The program offers the following options:

Option SCAN START - starts scanning all hard drives in the computer for "pornographic garbage". In reality the program simply looks for the following text fragments (some occur in its list more than once):

Vincent Azlea Bridgette Brittany Bunny Lain Cherry Chloe Christy Claudia Cock cumming clit cumshot cunt Chicks cheerleader clitoris chicksride coyote Girls college Girls Doggy double Penetration Debbie Diamond Denisa Devon Dominica Draghixa Dick dildo dirty bird dirty babes deepthroat Erotic Ember ejaculation Ebony euroangel Emmanuel felation freeporn Felacia Danay Felix Jameson Jenteal Jessica Drake Jezebelle Jewel De Nyle jillkeley Jill Kelly Juanita kiddysex Kaitlyn Ashley Kalani Kascha Keisha Kim mckay Kobe Kristina bluegirl Christina Britney Latina Little Jody Lucinda Lesbian latex Lolita levrette Lovette Masturbate Madison Margo Stevens Mariah Midori Monica mannequin Mini-skirt Mini-jupe mouthfuck Mature Monkey Love nenette Nadia Nikita Nikki Tyler Kournikova Naked nudity nudist nude nake nasty nympho nipple Orgy Oral Sex Orgasm Penetration Papoose Patricia Precious Girl Piercing Vinyl pedophily Tight ass putes Pussy petsex pornstars Penthouse Playboy Playboy playgirl Playgirl porn mail photonu porn putas panties panty Pamela Pamela Pornstars penis Peter north Raped ramble rectal rocco Racquel Derrian Raylene Rebecca RON Services sexfarm sweet sexy Senior Sex Story smut squirt jstring Sabrina smack Swallow Spycam Sexual Sylvia Knight whip xx xxx

The program looks for all of these fragments in the names of graphics, animation (Macromedia Flash Player) and video files with the following extensions:

AVI mpg MPEG JPG JPEG gif TIF BMP asf wmf mov

as well as in the following system log files:

cookies.txt netscape.hst index.dat

If it finds at least one such file, the program shows its location in the scan results (just as an anti-virus scanner does when it detects a malicious file), and at the end of the scan it displays a message:
[screenshot: scan completion message]
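The following is an added example, not code from the original post or from PowerScan itself: it re-implements the matching the post describes in plain Python, so a practitioner can see that the "scan" is nothing more than a case-insensitive substring test on file names and on the text of three browser files, and that perfectly innocuous names trigger it. The fragment list is a short subset of the page's list, treating the three log files as text to be searched is an assumption, and the sample paths and cookie line are constructed.

```python
"""
Added example (not code from the original post or from PowerScan itself):
a re-implementation of the "scan" the post describes, so the reader can
see how little it takes to produce a "pornographic trash" hit.  Assumptions:
the test is a case-insensitive substring match on the file name (not on
image content) and on the text of the three log files; FRAGMENTS is a short
subset of the page's list; the sample paths and cookie line are constructed.
"""
import ntpath  # Windows path rules even when run on another OS

# Subset of the text fragments quoted in the post.
FRAGMENTS = ["Devon", "Madison", "Precious", "Playboy", "Patricia",
             "Sabrina", "nude", "xxx"]

# Extensions the post says the scanner examines, and the three "system
# log" files whose contents it also searches.
MEDIA_EXTENSIONS = {".avi", ".mpg", ".mpeg", ".jpg", ".jpeg", ".gif",
                    ".tif", ".bmp", ".asf", ".wmf", ".mov"}
LOG_FILES = {"cookies.txt", "netscape.hst", "index.dat"}


def fragment_hits(text: str) -> list[str]:
    """Every fragment that occurs in `text`, ignoring case."""
    lowered = text.lower()
    return [f for f in FRAGMENTS if f.lower() in lowered]


def scan_path(path: str) -> list[str]:
    """PowerScan's per-file decision: extension filter, then name match."""
    name = ntpath.basename(path)
    if ntpath.splitext(name)[1].lower() not in MEDIA_EXTENSIONS:
        return []
    return fragment_hits(name)


def scan_log_text(name: str, content: str) -> list[str]:
    """The same match applied to the contents of cookies.txt etc."""
    if name.lower() not in LOG_FILES:
        return []
    return fragment_hits(content)


def scan(paths, logs) -> dict[str, list[str]]:
    """{item: [fragments]} for everything the heuristic would report."""
    results = {}
    for p in paths:
        if hits := scan_path(p):
            results[p] = hits
    for name, content in logs.items():
        if hits := scan_log_text(name, content):
            results[name] = hits
    return results


# Constructed sample input: ordinary family photos and a cookie file.
SAMPLE_PATHS = [
    r"C:\My Documents\Photos\Devon_holiday_2005.jpg",   # flagged on "Devon"
    r"C:\My Documents\Photos\madison_wedding.JPG",      # flagged on "Madison"
    r"C:\My Documents\Photos\sunset.jpg",               # clean
    r"C:\My Documents\Reports\nude_beach_survey.doc",   # .doc is never scanned
]
SAMPLE_LOGS = {
    # Netscape-style cookies.txt line for a site whose name contains "playboy"
    "cookies.txt": "www.playboy.com\tTRUE\t/\tFALSE\t1136073600\tid\t1\n",
    "history.txt": "www.playboy.com\n",   # not one of the three log files
}

if __name__ == "__main__":
    for item, hits in scan(SAMPLE_PATHS, SAMPLE_LOGS).items():
        print(f"{item}: matched {hits}")
```

Run as-is, the script reports a holiday photo named after someone called Devon and a wedding photo from Madison as "pornographic trash", which is exactly the kind of false alarm that pushes a user towards the CLEAN OUT YOUR COMPUTER button.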
Option SCAN STOP - stops scanning files. Clicking on any of the files the program reports as "unnecessary" lets you view their properties, such as:
[screenshot: file properties]

Option CLEAN OUT YOUR COMPUTER - opens the Internet Explorer web browser, which connects to the Internet from the machine's port 1025 (or a subsequent port, if 1025 is unavailable for some reason) and requests the link (for security reasons I have replaced part of the link with the "%" symbol) http://www.slotch.com/%/%/ist_shortcuts_jump.php?fav_id=209 . Through that site the Trojan attempts to covertly download and run some other Trojan program on the machine. At the same time, so that the user does not suspect anything, the link in the browser's address bar is redirected to another software website (one with a genuine program for cleaning pornographic debris).

While downloading, the program exchanges technical data with the remote machine on which the files are located, in the form of the following messages:

item found
items found
Power Scan
Uploaded files

The program also records in the registry two classes that it creates.

Option PowerScan automaticly at Windows Startup - if the user ticks this box, the program is loaded at every system startup and shows its main window (if the tick is removed, the program is removed from the Startup programs). To enable the startup entry the program adds the following registry keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Power Scan"="C:\\Program Files\\[name

The purpose of the program's second key is not entirely clear; perhaps it is used to store some service data.

Option ABOUT PowerScan - displays the following window:
[screenshot: About window]

Option unInstall PowerScan - opens Internet Explorer at the link http://www.power-scan.com/remove.html . This link downloads onto the machine a harmless file, power_remove.exe, 5120 bytes in size (also compressed with "UPX" version 1.24; unpacked it is 32768 bytes). This file is a harmless program that removes "PowerScan" from the machine; it was sent to the anti-virus companies "Kaspersky Lab" (Kaspersky AntiVirus) and "Softwin" (BitDefender Professional) because the developers of their anti-virus databases mistakenly detected it as a Trojan. As of 17/09/2005 the false detection has been corrected and power_remove.exe is no longer detected as malware. When started, power_remove.exe copies itself, under the name uninstall.exe, to the temporary directory of the system or of the current user, depending on the version of Windows installed on the computer:

for Windows 9X/ME: WINDOWS\TEMP\uninstall.exe
for Windows 2K/2K Server/XP: Documents and Settings\%user%\Local Settings\TEMP\uninstall.exe

and then runs that file, which displays a window with the following menu:
[screenshot: uninstall.exe prompt]

If the user selects No, uninstall.exe simply quits; if Yes, uninstall.exe removes the startup registry keys set by "PowerScan", terminates the Program Files\Power Scan\powerscan.exe process in memory, and then deletes the subdirectory containing the file powerscan.exe (note: if "PowerScan" was installed in a different subdirectory, uninstall.exe removes only the autorun keys created by the Trojan). uninstall.exe then displays a message and finishes. Once "PowerScan" has been removed, both files, power_remove.exe and its copy uninstall.exe, are nothing more than garbage files.


7. Detection and removal of the Trojan.

At the time of writing, anti-virus programs detected Trojan-Downloader.PowerScan.11 (the file powerscan.exe) under the following names:

Kaspersky AntiVirus: Trojan-Downloader.Win32.IstBar.gg
BitDefender Professional: Trojan.Downloader.IstBar.GG
DrWeb: Adware.PowerScan

If this program is found on a computer, simply delete the file powerscan.exe together with the subdirectory it resides in. The author's original removal utility described above can also be used to remove the Trojan; it can be downloaded here.

8. Other detected modifications of the Trojan.

Two further versions of the Trojan were discovered (apparently an earlier and a later one) that are virtually identical to the version described above and differ from it only in a smaller set of text fragments used to "discover" pornographic trash.
Both are also named powerscan.exe and are 69,120 bytes and 71,680 bytes in size respectively (compressed with "UPX" version 1.24; unpacked they are 184,320 bytes and 241,664 bytes respectively, with the bulk of the code encrypted).
At the time of writing, anti-virus companies detected the two variants of powerscan.exe under the following names:

Kaspersky AntiVirus: not-a-virus:AdWare.PowerScan.b, .d (extended set of anti-virus database updates)
BitDefender Professional: not detected
DrWeb: Adware.PowerScan
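An added example serving sections 7 and 8, not code from the original post or from the author's removal utility: a Python triage and cleanup script built from the indicators the post gives (the three packed file sizes, UPX packing, the two drop paths under Program Files, and the "Power Scan" value under the Run key). The UPX0/UPX1 section names and the UPX! marker are a generic trait of UPX-packed files and are an assumption of this example, not something the post states; the sample binary and the registry export are constructed; the cleanup function uses the standard winreg module, only acts on Windows, and runs in dry-run mode unless told otherwise.

```python
"""
Added example (not from the original post): triage and cleanup for the
PowerScan indicators given in sections 7 and 8.  Assumptions: UPX leaves
UPX0/UPX1 section names and a UPX! marker in the packed file (a generic UPX
trait, not stated on the page); sample bytes and registry export are
constructed, not real samples.
"""
import os
import re
import shutil
import sys

# Packed sizes the post lists for the three variants of powerscan.exe.
KNOWN_PACKED_SIZES = {70_144, 69_120, 71_680}
# Drop locations (relative to Program Files) the post names.
DROP_PATHS = (r"PowerScan\powerscan.exe", r"IST\powerscan.exe")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Power Scan"


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: a PE whose header area carries UPX0/UPX1 sections or UPX!."""
    if not data.startswith(b"MZ"):
        return False
    head = data[:4096]
    return (b"UPX0" in head and b"UPX1" in head) or b"UPX!" in head


def classify_candidate(data: bytes) -> dict:
    """Score one powerscan.exe candidate against the post's indicators."""
    return {
        "size": len(data),
        "size_matches_known_variant": len(data) in KNOWN_PACKED_SIZES,
        "upx_packed": looks_upx_packed(data),
    }


def run_key_hits(reg_export: str) -> list[str]:
    """Data of every 'Power Scan' value under the Run key in a `reg export`
    dump ([key] header lines followed by "name"="data" lines)."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line.strip())
        if in_run_key and m and m.group(1).lower() == RUN_VALUE.lower():
            hits.append(m.group(2).replace("\\\\", "\\"))  # un-escape .reg data
    return hits


def drop_locations_present(program_files: str, exists=os.path.exists) -> list[str]:
    """The drop paths from the post that exist under `program_files`."""
    return [p for p in DROP_PATHS if exists(os.path.join(program_files, p))]


def remove_powerscan(program_files: str, dry_run: bool = True) -> list[str]:
    """Windows-only cleanup matching the post's advice: drop the Run value,
    then delete each drop directory with its powerscan.exe.  Returns actions."""
    actions = []
    if sys.platform != "win32":
        return actions
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY.split("\\", 1)[1],
                            0, winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
            winreg.QueryValueEx(key, RUN_VALUE)  # raises if the value is absent
            if not dry_run:
                winreg.DeleteValue(key, RUN_VALUE)
            actions.append(f"delete value {RUN_VALUE!r} under {RUN_KEY}")
    except OSError:
        pass  # key or value absent, or no permission
    for rel in drop_locations_present(program_files):
        folder = os.path.dirname(os.path.join(program_files, rel))
        if not dry_run:
            shutil.rmtree(folder, ignore_errors=True)
        actions.append(f"remove directory {folder}")
    return actions


# --- constructed sample data (not real samples) --------------------------
def fake_upx_sample(size: int) -> bytes:
    """Stand-in binary: MZ header, UPX section names and marker, zero padding."""
    body = b"MZ" + b"\0" * 0x200 + b"UPX0" + b"\0" * 36 + b"UPX1" + b"UPX!"
    return body + b"\0" * (size - len(body))


SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{RUN_KEY}]\r\n"
    '"Power Scan"="C:\\\\Program Files\\\\PowerScan\\\\powerscan.exe"\r\n'
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\Software\\PowerScan]\r\n"
    '"Power Scan"="unrelated"\r\n'
)

if __name__ == "__main__":
    print(classify_candidate(fake_upx_sample(70_144)))
    print("Run-key hits:", run_key_hits(SAMPLE_REG_EXPORT))
    print("Planned cleanup:", remove_powerscan(r"C:\Program Files"))
```

A size match alone is weak evidence, and packing with UPX is common in legitimate software, so treat the size and packing checks as a reason to pull the file for analysis rather than as a verdict; the Run value and the two drop paths are the indicators worth alerting on. Note that `remove_powerscan` does not terminate a running powerscan.exe, so on a live machine end the process first, as the author's uninstall.exe does.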
Analysis of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 18.09.2005
Date of last change: 13.12.2005
Author of the description: Broido Herman (aka VirusHunter)
