After... Fake TrojanSPM/LX* alerts - WinAntivirus Pro 2007
Here is a new infection that adds an icon next to the clock; the icon opens alerts such as:
"Windows has detected detected spywares infection! Click this Message to install the last update of Windows Software"
The desktop wallpaper is replaced by a message on a blue background: "Warning! You're in danger, Your computer is infected with spywares!"
There are popups as well:
"Security Monitor: WARNING!" alert popups open with the message "Attention! System detected a potential hazard (TrojanSPM/Lx) on your computer"
Your web browser's start page is changed to http://safe-strip-download.com, and insistent prompts try to make you download the rogue SafeStrip.
The Windows HOSTS file is modified to block antivirus updates, connections to antivirus vendor sites, and so on. Every entry points at 10.18.250.4, a private (RFC 1918) address that will not answer, so those connections simply fail:
10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com
10.18.250.4 clicks.atdmt.com
10.18.250.4 customer.symantec.com
10.18.250.4 dispatch.mcafee.com
10.18.250.4 download.mcafee.com
10.18.250.4 downloads-us1.kaspersky-labs.com
10.18.250.4 downloads-us2.kaspersky-labs.com
10.18.250.4 downloads-us3.kaspersky-labs.com
10.18.250.4 downloads1.kaspersky-labs.com
10.18.250.4 downloads2.kaspersky-labs.com
10.18.250.4 downloads3.kaspersky-labs.com
10.18.250.4 downloads4.kaspersky-labs.com
10.18.250.4 engine.awaps.net
10.18.250.4 f-secure.com
10.18.250.4 fastclick.net
10.18.250.4 ftp.avp.ch
10.18.250.4 ftp.downloads1.kaspersky-labs.com
10.18.250.4 ftp.downloads2.kaspersky-labs.com
10.18.250.4 ftp.downloads3.kaspersky-labs.com
10.18.250.4 ftp.f-secure.com
10.18.250.4 ftp.kasperskylab.ru
10.18.250.4 ftp.sophos.com
10.18.250.4 ids.kaspersky-labs.com
10.18.250.4 kaspersky-labs.com
10.18.250.4 kaspersky.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 liveupdate.symantecliveupdate.com
10.18.250.4 mast.mcafee.com
10.18.250.4 mcafee.com
10.18.250.4 media.fastclick.net
10.18.250.4 my-etrust.com
10.18.250.4 nai.com
10.18.250.4 networkassociates.com
10.18.250.4 norton.com
10.18.250.4 phx.corporate-ir.net
10.18.250.4 rads.mcafee.com
10.18.250.4 secure.nai.com
10.18.250.4 securityresponse.symantec.com
10.18.250.4 service1.symantec.com
10.18.250.4 sophos.com
10.18.250.4 spd.atdmt.com
10.18.250.4 symantec.com
10.18.250.4 trendmicro.com
10.18.250.4 update.symantec.com
10.18.250.4 updates.symantec.com
10.18.250.4 updates1.kaspersky-labs.com
10.18.250.4 updates2.kaspersky-labs.com
10.18.250.4 updates3.kaspersky-labs.com
10.18.250.4 updates4.kaspersky-labs.com
10.18.250.4 updates5.kaspersky-labs.com
10.18.250.4 us.mcafee.com
10.18.250.4 vil.nai.com
10.18.250.4 viruslist.com
10.18.250.4 viruslist.ru
10.18.250.4 virusscan.jotti.org
10.18.250.4 virustotal.com
10.18.250.4 http://www.avp.ch
10.18.250.4 http://www.avp.com
10.18.250.4 http://www.avp.ru
10.18.250.4 http://www.awaps.net
10.18.250.4 http://www.ca.com
10.18.250.4 http://www.f-secure.com
10.18.250.4 http://www.fastclick.net
10.18.250.4 http://www.grisoft.com
10.18.250.4 http://www.kaspersky-labs.com
10.18.250.4 http://www.kaspersky.com
10.18.250.4 http://www.kaspersky.ru
10.18.250.4 http://www.mcafee.com
10.18.250.4 http://www.my-etrust.com
10.18.250.4 http://www.nai.com
10.18.250.4 http://www.networkassociates.com
10.18.250.4 http://www.sophos.com
10.18.250.4 http://www.symantec.com
10.18.250.4 http://www.trendmicro.com
10.18.250.4 http://www.viruslist.com
10.18.250.4 http://www.viruslist.ru
10.18.250.4 http://www.virustotal.com
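To check a machine for this kind of HOSTS-file tampering, the following added example (not code from the original page) parses a HOSTS file and flags any entry that maps a security-vendor domain, regardless of the address it points at. The vendor list and the sample HOSTS fragment are assumptions constructed from the domains shown above; a real check would read `C:\Windows\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample: a fragment of a tampered HOSTS file in the style shown above,
# plus the default localhost line that a clean file carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.18.250.4 avp.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 virustotal.com
10.18.250.4 ad.doubleclick.net
"""

# Assumed list of security-vendor domains, taken from the entries on this page.
# A clean HOSTS file has no reason to mention any of them, whatever the address.
SECURITY_DOMAINS = {
    "avp.com", "avp.ch", "avp.ru", "kaspersky.com", "kaspersky-labs.com",
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "sophos.com", "f-secure.com", "trendmicro.com", "grisoft.com", "ca.com",
    "my-etrust.com", "viruslist.com", "virustotal.com", "jotti.org",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]       # one address, one or more names
        for name in names:
            yield ip, name.lower()


def is_security_domain(hostname):
    """True if hostname equals, or is a subdomain of, a known security-vendor domain."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in SECURITY_DOMAINS for i in range(len(labels)))


def find_hijacks(text):
    """Return (ip, hostname, sinkholed) for every HOSTS entry naming a vendor domain.

    'sinkholed' is True when the address is private, loopback or unspecified,
    i.e. when the entry can only serve to make the lookup fail silently.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not is_security_domain(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            sinkholed = addr.is_private or addr.is_loopback or addr.is_unspecified
        except ValueError:
            sinkholed = False             # malformed address: still report the entry
        hits.append((ip, name, sinkholed))
    return hits


if __name__ == "__main__":
    for ip, name, sinkholed in find_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {name} -> {ip}" + (" (sinkhole address)" if sinkholed else ""))
```

The check flags the domain rather than the address on purpose: a vendor domain pointed at 127.0.0.1 or 0.0.0.0 blocks updates just as effectively as one pointed at 10.18.250.4, so any mention of such a domain in the HOSTS file deserves a look.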
The infection adds the following lines to the HijackThis log (autostart entries under the Run keys):
O4 - HKLM\..\Run: [sware] C:\Program Files\WinMsg\SWARE.EXE
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKCU\..\Run: [SafeStrip] C:\Program Files\SafeStrip\SafeStrip.exe
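The three O4 lines above are autostart registry values that relaunch the rogue at every logon. As an added example (not code from the original page), the following script parses HijackThis O4 lines into their hive, key, value name and command, then flags the entries whose command path lies in one of the directories this infection uses. The indicator directories come from the page; the sample log, including the extra legitimate ctfmon.exe line, is constructed.

```python
import re

# A HijackThis "O4" line names an autostart registry value:
# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Indicator directories taken from the entries listed on this page (lower-cased).
KNOWN_BAD_DIRS = ("\\winmsg\\", "\\safestrip\\")

# Constructed sample log: the three entries from this page plus one legitimate
# Windows entry (ctfmon.exe) to show that it is left alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sware] C:\Program Files\WinMsg\SWARE.EXE
O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
O4 - HKCU\..\Run: [SafeStrip] C:\Program Files\SafeStrip\SafeStrip.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o4(log_text):
    """Return a dict per O4 line (hive, key, name, cmd); other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_entries(entries):
    """Keep only the entries whose command path sits in a directory known from this infection."""
    return [e for e in entries
            if any(d in e["cmd"].lower() for d in KNOWN_BAD_DIRS)]


if __name__ == "__main__":
    for e in flag_entries(parse_o4(SAMPLE_LOG)):
        print(f"{e['hive']}\\...\\{e['key']} [{e['name']}] -> {e['cmd']}")
```

The hive matters for cleanup: HKLM entries start for every user of the machine, while the HKCU entry only runs for the profile that was infected.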