Message
by msc hotline sat » 29 Nov 2005, 10:07
CHP.DLL is a trojan, possibly created by a dropper, according to McAfee:
[quote="McAfee"]
Trojan Name: BackDoor-CPG
Risk Assessment: Corporate User: Low / Home User: Low
Trojan Information
Discovery Date: 03/16/2005
Origin: Unknown
Length: 23,152 (exe) 61,440 (dll)
Type: Trojan
SubType: Remote Access
Minimum DAT: 4448 (03/16/2005)
Updated DAT: 4448 (03/16/2005)
Minimum Engine: 4.3.20
Description Added: 03/16/2005
Description Modified: 03/24/2005 9:15 PM (PT)
Trojan Characteristics:
The trojan is installed via a dropper exe. When the exe runs, the following dll is created in the Windows system directory:
chp.dll (61,440)
The following registry keys are created:
HKEY_CURRENT_USER\Software\Classes\CLSID\{0211C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_CLASSES_ROOT\CLSID\{0211C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler "{0211C4D9-BC71-8916-38AD-9DEA5D213614}"
The dll is loaded in the Windows Explorer process when the computer restarts. The trojan changes the Internet Explorer browser security settings by modifying the following registry keys. It disables the Windows firewall on XP systems.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1001" = 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1004" = 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1200" = 00, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1809" = 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1001" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1004" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1200" = 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones "1809" = 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update "AUOptions" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate "DoNotAllowXPSP2" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile "EnableFirewall" = 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile "EnableFirewall" = 00, 00, 00, 00
The trojan sends a notification message to a specific web site via HTTP. The trojan searches the following files for email addresses:
C:\Documents and Settings\*.txt
C:\Documents and Settings\*.htm*
Information gathered is saved to a local file. The file is sent to a remote site via FTP. The trojan can perform various tasks on the local machine, such as:
Download/execute files
Send spam emails
Symptoms
Existence of the files/Registry keys detailed above
Method Of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
[/quote]
which is detected as Backdoor CPG.
We have had no incidents with it, so if it resists removal, it is best to send us a sample to zonavirus@satinfo.es attached to an email whose text cites the reference "REF BDCPG", and we will reply in this thread, telling you the removal utility in which we have implemented its control and removal.
regards
ms, 29-11-2005
NOTE: Requesting help in private is not allowed in this forum; questions and answers must be posted in the forum so that everyone can benefit.
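Added example, not code from McAfee or from this forum: a small Python helper that parses a `reg export` dump and flags the registry indicators listed in the description quoted above (the SharedTaskScheduler CLSID, the CLSID registrations, the firewall policy set to 0 and the SP2 block), so a suspect machine's export can be checked offline. The sample export is constructed; the Browseui preloader entry stands in for a legitimate SharedTaskScheduler item that must not be flagged.

```python
# Added helper (not McAfee's or the forum's code): flag BackDoor-CPG registry indicators in a reg-export dump.
CPG_CLSID = "{0211C4D9-BC71-8916-38AD-9DEA5D213614}"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft"
STS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
CPG_VALUES = {  # (key, value name) -> DWORD the description says the trojan writes
    (POLICY + r"\WindowsFirewall\DomainProfile", "EnableFirewall"): 0,
    (POLICY + r"\WindowsFirewall\StandardProfile", "EnableFirewall"): 0,
    (POLICY + r"\Windows\WindowsUpdate", "DoNotAllowXPSP2"): 1,
}
def parse_reg_export(text):
    """Turn a 'Windows Registry Editor Version 5.00' dump into {key: {value name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):      # [HKEY_...] opens a key
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:  # "name"=data
            name, _, data = line.partition("=")
            if data.startswith("dword:"):                     # dword:0000000a -> 10
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':  # "string" -> string
                data = data[1:-1]
            keys[current][name.strip('"')] = data          # hex(2) and other types stay raw
    return keys

def find_cpg_indicators(keys):
    """Return one finding per indicator present; an empty list means nothing matched."""
    findings = []
    if CPG_CLSID in keys.get(STS, {}):  # Explorer loads this CLSID's DLL at logon
        findings.append("SharedTaskScheduler loads " + CPG_CLSID + " into Explorer")
    for hive in (r"HKEY_CURRENT_USER\Software\Classes", "HKEY_CLASSES_ROOT"):
        if hive + "\\CLSID\\" + CPG_CLSID in keys:
            findings.append("CLSID " + CPG_CLSID + " registered under " + hive)
    for (key, name), expected in CPG_VALUES.items():
        if keys.get(key, {}).get(name) == expected:
            findings.append(key + "\\" + name + " = " + str(expected))
    return findings

# Constructed sample export: one legitimate SharedTaskScheduler entry plus three CPG indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{0211C4D9-BC71-8916-38AD-9DEA5D213614}"="chp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
"""
```

On a real machine, feed it the output of `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` (converted from UTF-16 if needed); the presence of chp.dll in the system directory still has to be checked on disk separately.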