live casino online

Llega como archivo adjunto a los mensajes de correo que otro malware/grayware/spyware o usuarios maliciosos env¨ªan como spam.

Se inyecta en todos los procesos en ejecuci¨®n para permanecer en memoria.

Infiltra un archivo AUTORUN.INF para que ejecute autom¨¢ticamente las copias que infiltra cuando un usuario accede a las unidades de un sistema afectado.

Ejecuta comandos desde un usuario remoto malicioso que pone en peligro el sistema afectado. Se conecta a un sitio Web para enviar y recibir informaci¨®n. However, as of this writing, the said sites are inaccessible.

Detalles de entrada

Llega como archivo adjunto a los mensajes de correo que otro malware/grayware/spyware o usuarios maliciosos env¨ªan como spam.

±õ²Ô²õ³Ù²¹±ô²¹³¦¾±¨®²Ô

Crea las siguientes copias de s¨ª mismo en el sistema afectado:

• %User Profile%\Application Data\KB{random number}.exe

(Nota: %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario} y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}).

Crea las carpetas siguientes:

• %User Profile%\Application Data\{random folder}

(Nota: %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario} y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}).

Se inyecta en todos los procesos en ejecuci¨®n para permanecer en memoria.

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Local\XME%08X
• Local\XMF%08X
• Local\XMI%08X
• Local\XMM%08X
• Local\XMR%08X
• Local\XMS%08X

T¨¦cnica de inicio autom¨¢tico

Agrega las siguientes entradas de registro para permitir su ejecuci¨®n autom¨¢tica cada vez que se inicia el sistema:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random1}
{default} = "{hex numbers}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

±Ê°ù´Ç±è²¹²µ²¹³¦¾±¨®²Ô

Crea las carpetas siguientes en todas las unidades extra¨ªbles:

• {random folder}

Este malware infiltra la(s) siguiente(s) copia(s) de s¨ª mismo en todas las unidades extra¨ªbles:

• {random folder}\{random file name}.exe

Infiltra un archivo AUTORUN.INF para que ejecute autom¨¢ticamente las copias que infiltra cuando un usuario accede a las unidades de un sistema afectado.

Rutina de puerta trasera

Ejecuta los comandos siguientes desde un usuario remoto malicioso:

• Download and execute additional files
• Download other files
• Monitors cookies
• Steal login credentials
• Update itself
• Upload collected certificates and credentials

Se conecta a los sitios Web siguientes para enviar y recibir informaci¨®n:

• http://{BLOCKED}.{BLOCKED}.208.55:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.134.110:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.57.197:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.147.52:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.206.179:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.164.18:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.41.155:8080/mx5/B/in/
• http://{BLOCKED}.{BLOCKED}.199.100:8080/mx5/B/in/

However, as of this writing, the said sites are inaccessible.

Robo de informaci¨®n

Controla la actividad de Internet Explorer (IE) del sistema afectado, en particular la barra de direcciones. Recrea un sitio Web leg¨ªtimo con una p¨¢gina de inicio de sesi¨®n falsa cuando un usuario visita sitios de banca con las siguientes cadenas en la barra de direcciones y/o barra de t¨ªtulo:

• *sso.uboc.com/obc/forms/login.fcc?user_type=R*
• *sso.unionbank.com*
• *statebanktx.com/cgi-bin/prosperity.asp*
• *sterlingwires.com*
• *sunshinestatefederal.wblnk.com*
• *suntrust.com*
• *suntrust.com/access/oblix/apps/webgate/bin/webgate.dll?APP=OTM*
• *svbconnect*
• *svbconnect.com*
• *swedbank.lv*
• *tabbank.com*
• *tbb.ee*
• *tdcommercialbanking*
• *telepc.net*
• *top.capitalonebank.com*
• *towernet.capitalonebank.com*
• *trast.net*
• *trastnet.tkb.com.cy*
• *treas-mgt.frostbank.com*
• *treasury.pncbank.com*
• *treasury.wamu.com*
• *treasurydirect.tdbank.com*
• *treasurylinkweb.com*
• *treasurylinkweb.com/fnbo/cgi-bin/welcome.cgi*
• *treasurypathways.com*
• *treasurypro.umpquabank.com/cashplus/portalAPI*
• *treasuryservices.banknow.texascapitalbank.com*
• *trustmark.openbank.com*
• *trustweb.com*
• *trz.tranzact.org*
• *ub.lt*
• *unitedbankwi.com*
• *usgateway2.rbs.com*
• *valartis.at*
• *valartis.li*
• *vectrabank.com/busi_bank_00.jsp*
• *vpbank.com*
• *vpn1.*
• *vpn1.sandyspringbank.com*
• *wblnk.*
• *wblnk.com*
• *wbsavings.wblnk.com*
• *wcma.businesscenter.ml.com/bcprivate/asp/WCMALoginEA.aspx*
• *wcmfd/wcmpw*
• *web-access*
• *web.accessor.com*
• *.com/K1/*
• *.onlineaccess1.com*
• *.secure-banking.com*
• */Authentication/zbf/k*
• */Authentication/zbf/k/*
• */BB/LOGON/*
• */CASHplus/*
• */CLKCCM/*
• */CMMain.CFM*
• */Common/SignOn/*
• */Common/SignOn/Start.asp*
• */IBWS/*
• */LoginOLB/LoginOLB*
• */ach/*
• */cashman/*
• */cmWire*
• */cmserver/*
• */ebc_ebc1961/*
• */engine/login/businesslogin*
• */ibs.*
• */icm/*
• */icm2/*
• */inets/*
• */livewire/*
• */netbnx/*
• */olbb/*
• */phcp*
• */sbuser/*
• */smallbiz/*
• */wcmpw/*
• */webcm/*
• */wire/*
• */wires/*
• *1stunitedbankfl*
• *AchPayment*
• *BusinessAppsHome*
• *CLKCCM*
• *CorporateAccounts*
• *CorporateBankingWeb*
• *LoginCM*
• *LoginCM.aspx*
• *MemberACH*
• *Payroll.faces*
• *Pres_WA_Wires*
• *RBS_Commercial*
• *RsaGoIdAuthentication*
• *SwiftTransfer*
• *WireTransfer*
• *ablv.com*
• *access.jpmorgan.com*
• *access.rbsm.com/logon*
• *access.usbank.com*
• *accessbankplc.com*
• *accurint.com*
• *ach.shazam.net/webcm/customer.asp*
• *achieveaccess.citizensbank.com*
• *achweb.unionbank.com*
• *achworks.com*
• *achworks.com/EXEC*
• *alltimetreasury.pacificcapitalbank.com*
• *alphabank.com.cy*
• *anb.portalvault.com*
• *atbonlinebusiness.com*
• *auth.carolinetools.com/gk/eTreasury/Default.aspx*
• *auth.umb.com*
• *authmaster.nationalcity.com*
• *authmaster.nationalcity.com/tmgmt*
• *baltikums.com*
• *baltikums.eu*
• *bancfirstbusinessonline.com/bbw/cmserver/welcome/default/verify.cfm*
• *banesco.com.pa*
• *bankbyweb*
• *bankfirst.com*
• *banking.calbanktrust.com*
• *banking.calbanktrust.com/iLogin.jsp*
• *banking.firsttennessee.biz*
• *banknet.lv*
• *bankofamerica.com*
• *bankofbermuda.com*
• *bankofbermuda.com/1/2/idv.Authentication*
• *bankofcyprus.com*
• *bankonline.sboff.com*
• *bankonline.sboff.com/OFS2/InternetBanking*
• *bankonline.umpquabank.com*
• *bbo.1stsource.com*
• *bib.lv*
• *billauth*
• *billmenu*
• *bizcurrency.com*
• *blilk*
• *blilk.*
• *blilk.com*
• *bmoharrisprivatebankingonline.com*
• *bmomutualfunds.com*
• *bnycash.bankofny.com*
• *bob-w.*
• *bob.sovereignbank.com*
• *bolb-east.associatedbank.com*
• *bolb-west.associatedbank.com*
• *bolb.*
• *boveda.banamex.com.mx*
• *bscincky.com*
• *business-eb.ibanking-services.com/K1/sb_login.jsp*
• *business.macu.com*
• *business.macu.com/*
• *business.netbankerplus.com*
• *business_solutions*
• *businessaccess.citibank.citigroup.com*
• *businessbanking.cibc.com*
• *businessbanking.tdcommercialbanking.com/WBB/LoginDisplay*
• *businessclassonline.compassbank.com*
• *businesse-cashmanager.web-access.com/natpenn/cgi-bin/welcome.cgi*
• *businesslogin*
• *businesslogins.asp*
• *businessmanager.com*
• *businessmanager.com/signon*
• *businessonline.*
• *businessonline.huntington.com*
• *businessonline.tdbank.com*
• *businessportal.mibank.com*
• *butterfieldonline.ky*
• *bxs.com*
• *cashanalyzer.com*
• *cashman*
• *cashman.arvest.com*
• *cashmanager.mizuhoe-treasurer.com*
• *cashmgmt*
• *cashmgt*
• *cashplus*
• *cashproonline.bankofamerica.com*
• *cashproonline.bankofamerica.com/cpwportal/appmanager/cpo/public*
• *cashproweb.com/cpwportal*
• *cbbusinessonline.com*
• *cbbusinessonline.com/commercebankolen/control/BoleTransactional.commercebank*
• *cbs.firstcitizens.com*
• *ce.solutions-corporate.com/*
• *cencorpcu.com*
• *cencorpcu.com/*
• *cfgbusinessaccess.com*
• *checkgateway*
• *checkgateway.com/*
• *checkout.com/va/login*
• *cib.bankofthewest*
• *cib.bankofthewest.com*
• *cibconline.cibc.com*
• *cimbanque.net*
• *citizensbankmoneymanagergps.com*
• *cmachm.w*
• *cmbmnt.w*
• *cmol.bbt.com/auth*
• *cmserver*
• *cmwirp.w*
• *cnbsec1.*
• *colb.*
• *comerica*
• *comerica.com*
• *comerica.com/businessconnect/*
• *commercebusinessdirect.com*
• *commercial.wachovia.com*
• *commercialservices*
• *commercialservices.mandtbank.com*
• *connect.bankcolonial.com*
• *connect.colonialbank.com*
• *constitutioncorp.org*
• *constitutioncorp.org/www/index.asp*
• *corpACH*
• *corporate.epfc.com*
• *corporate.epfc.com/epfc/pfcinternet.nsf/cobrokers*
• *corporatebankingweb*
• *corporateconnect.net*
• *corporateonlinebanking.com/bbw/cmserver/welcome/default/verify.cfm*
• *corpower.coop*
• *createCorpWire*
• *createWire*
• *cs.directnet.com*
• *cu.com*
• *cu.org*
• *danskebanka.lv*
• *db-direct.db.com/u/eb/Login_Main.serv*
• *directline4biz.com*
• *directnet.com*
• *e-moneyger*
• *e-moneyger.com*
• *e-norvik.lv*
• *easywebcpo.td.com/waw/idp*
• *ebank.rcbcy.com*
• *ebanking-services*
• *ebanking-services.com*
• *ebc_ebc1961*
• *ebemo.bemobank.com*
• *ebill.highmark.com*
• *ecash.*
• *ecash.fsbnm.com*
• *ecash.mbvtonline.com*
• *ecm-transfers.unionbank.com*
• *ecms.unionbank.com*
• *efirstbank.com*
• *efirstbank.com/business/*
• *ekp.lv*
• *enternetbank.com*
• *enternetbank.com/exact4web/*
• *enterprise2.openbank.com*
• *epd.uscentral.org*
• *epd.uscentral.org/mfa/enterUsername.action*
• *eurobankefg.com*
• *eurobankefg.com.cy*
• *exact4web*
• *exness.com*
• *express.53.com*
• *express.53.com/express/*
• *express.53.com/express/logon.action*
• *expressdeposit.colonialbank.com*
• *fbmedirect.com*
• *ffinonline.com*
• *ffrontier.com*
• *firstbancorp.com*
• *firstbanks.com*
• *firstbanks.com/olb*
• *firstbanks.com/olb/login.asp*
• *firstcitizens.com*
• *firstcitizens.com/cb/servlet/cb/loginfcbnc.jsp*
• *onlinebanking.1stunitedbankfl.com*
• *onlinebanking.banksterling.com*
• *onlinebanking.banksterling.com/login2.asp*
• *onlinencr.com*
• *onlineserv/CM*
• *onlineserv/CM/adminLogin.cgi?state=login*
• *onlineserv/cm*
• *otm.suntrust.com*
• *pacificenterprisebank.com*
• *parex.lv*
• *passport.texascapitalbank.com*
• *pastabanka.lv*
• *paylinks.cunet.org*
• *paylinks.cunet.org/il.htm*
• *phcp/servlet*
• *piraeusbank.com*
• *portfolioonline.metavante.com*
• *premierview.membersunited.org*
• *premierview.membersunited.org/Core/login.aspx?ReturnUrl=%2fDefault.aspx*
• *privatbank.lv*
• *pub/html*
• *rbs.com/wps/portal/*
• *rbs.com/wps/portal/cb/applications*
• *rbscoutts.com*
• *rbsidigital.com*
• *rbsiibanking.com*
• *rbsm.com*
• *rbworld.lv*
• *rcbcy.com*
• *regions.com*
• *rietumu.lv*
• *royalbank.com/cgi-bin/rbaccess*
• *s2b.*
• *s2b.standardchartered.com*
• *sampopank*
• *sampopank.ee*
• *sandyspringbank.com*
• *scotiaconnect.scotiabank.com*
• *scotiaonline.scotiabank.com*
• *scottvalleybank.com*
• *scottvalleybank.com/OnlineBanking*
• *seb.ee*
• *seb.lt*
• *seb.lv*
• *secure-banking*
• *secure-eccu.org*
• *secure-eccu.org/Common/SignOn/Start.asp*
• *secure-nvboh.com/Common*
• *secure.1stfedbank.com*
• *web.accessor.com/ACMWeb/redirect.do?dealer=725*
• *webbankingforbusiness.mandtbank.com*
• *webcash*
• *webcashmgmt.com*
• *webexpress*
• *webexpress.tdbank.com/wcmfd/wcmpw/CustomerLogin*
• *webinfocus.mandtbank.com*
• *webinfocus.mandtbank.com/MANDT*
• *weblink.websterbank.com*
• *wellsoffice.wellsfargo.com*
• *westernbankcash.com*
• *westernetbank.com*
• *westfield.accounts-in-view.com*
• *wtdirect.com*
• *wtdirect.com/wtdirect/*
• *www.2checkout.com/va/login*
• *www.amegybank.com/*
• *www4.bmo.com*
• *www8.comerica.com*
• .associatedbank.com*
• *secure.1stfedbank.com/login_business.asp*
• *secure.ally.com*
• *secure.bancinternetgroup.com*
• *secure.currency.lloydstsb-offshore.com*
• *secure.dalhartfederal.com*
• *secure.dalhartfederal.com/engine/login/businesslogins.asp*
• *secure.fnbhutch.com*
• *secure.fsbperkasie.com*
• *secure.fsbperkasie.com/*
• *secure.fundsxpress.com*
• *secure.ltbbank.com*
• *secure.ltblv.com*
• *secure2.umb.com*
• *secure2.umb.com/icm2/ICMindex*
• *secure7.onlineaccess1.com*
• *securebanking.cbtks.com*
• *securebanking.cbtks.com/CoreFirst/Authentication/Login.aspx?c=1*
• *securentry*
• *securentry.calbanktrust.com*
• *securentrycorp.*
• *securentrycorp.amegybank.com*
• *secureport.texascapitalbank.com*
• *server14.cey-ebanking.com*
• *servlet/teller*
• *singlepoint.usbank.com*
• *site-secure.com/TekPortfolio*
• *snoras.com*
• *solutions-corporate.com*
• *springbankconnect.com/views/login/*
• *ssl.selectpayment.com/mp*
• *sso.uboc*
• *sso.uboc.com*
• *firstmutualonline.com/login_business.asp*
• *firstplacebankecomm.net/Common/SignOn/Start.asp*
• *fnfgbusinessonline.enterprisebanker.com*
• *fxpayments.americanexpress.com*
• *geonline.lv*
• *global-ebanking.com*
• *global-ebanking.com/eng/home.htm*
• *global1.onlinebank.com*
• *globalink.leumiusa.com*
• *goldleaf*
• *goldleafach.com*
• *guard.scotiabank.com/guard/scopr/logon/loginAction*
• *handelsbanken.lv*
• *harleysvillesavingsbank.com/Common/SignOn*
• *hbcash.exe*
• *hblibank.com*
• *hbproxy.exe*
• *hellenicnetbanking.com*
• *hillsbank.com*
• *hillsbank.com/default.cfm*
• *hiponet.lv*
• *hkbea*
• *hsbc.com.mx*
• *i-linija.lt*
• *ib.baltikums.com*
• *ib.dnb.lv*
• *ib.snoras.com*
• *ibanka.seb.lv*
• *ibanking-services.com*
• *ibbpl2.com*
• *ibbpowerlink.com*
• *ibbusinessnet.com*
• *ibcbankonline.ibc.com/ibccorpweb/core/login.aspx*
• *ibs.secure-banking*
• *ibs5.secure-banking*
• *ifxmanager.bankofny.com*
• *ifxmanager.bnymellon.com*
• *inetbanker*
• *injectreceiver*
• *internationalbanking.*
• *internationalpayments.*
• *internet-ebanking.com*
• *internetbanker.cc*
• *intrusttreasury.com/bbw/cmserver/welcome/default/verify.cfm*
• *itinternet.net*
• *itinternet.net/*
• *itreasury.amsouth.com*
• *itreasury.amsouth.com/phcp/servlet/CustomerLoginServlet*
• *jqueryaddonsv2.js*
• *ktt.key.com*
• *lakecitybank.webcashmgmt.com*
• *lakelandbank.com*
• *lasallebank.com/business_solutions.html*
• *libertymutualbusinessdirect.com*
• *lionbank.com*
• *login_business.asp*
• *loyalbank.com*
• *lv.unicreditbanking.net*
• *marfinbank.com.cy*
• *mbachexpress.com*
• *mcb-home.com/online*
• *merchantsbk.inetbanker.com*
• *metrobankdirect.com*
• *metrobankdirect.com/*
• *metrobankdirect.com/corp_login_page.asp*
• *midatlanticcorp.org*
• *midatlanticcorp.org/Phoenix/UI/IS/Login/Loginframe.htm*
• *moneymanagergps.com*
• *multinetbank.eu*
• *my.statestreet.com*
• *mybankfirstunited.wblnk.com*
• *mycorporate.org*
• *myonlineservices.cbolobank.com/ISRVCOMWebApplication/login/Login.jsp*
• *nashvillecitizensbank.com*
• *nationalcity.com/consultnc*
• *nbarizona.com/login_business.jsp*
• *nbb.controlsecure.com*
• *ncms-inc.com*
• *ncms-inc.com/*
• *netteller*
• *nfbconnect.com*
• *northbaybancorp.com*
• *northerntrust.com*
• *norvik.lv*
• *nsbank.com*
• *nsbank.com//biz*
• *nsbank.com//biz/index.jsp*
• *nsbank.com/biz*
• *ntrs.com*
• *nubi*
• *olb.*
• *olb.ent.com/business/*
• *online-offshore.lloydstsb.com*
• *online.1stnb.com*
• *online.alphabank.com.cy*
• *online.citadele.lv*
• *online.dollarbank.com*
• *online.ibl.com.lb*
• *online.lkb.lv*
• *online.ovcb.com*
• *online.usb.com.cy*
• *online.wilberbank.com*
• *onlineaccess1.com*
• *onlinebank.wesbanco.com*
• *onlinebanker*
• *onlinebanker.usbank.com*