Alias

Backdoor:Win32/IRCbot.gen!Z (Microsoft); W32.Spybot.Worm (Symantec); Net-Worm.Win32.Kolab.dja (Kaspersky); Backdoor.IRCBot (Sunbelt); Trojan horse Generic2_c.VMU (AVG)

Platform:

Windows 2000, Windows XP, Windows Server 2003

Overall risk:
Damage potential:
Distribution potential:
Reported infection:
Rating scale: Low, Medium, High, Critical

  • Malware type
    Worm

  • Destructive?
    No

  • Encrypted
     

  • In the Wild:

  Summary and description

This malware deletes itself after execution.

  Technical details

File size: 797,901 bytes
File type: EXE
Memory resident
Initial samples received: 29 May 2013

Installation

Creates the following copies of itself on the affected system:

  • %System%\svchosts.exe

(Note: %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Creates the following folders:

  • %User Profile%\Application Data\TEMP

(Note: %User Profile% is the profile folder of the current user, usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP and Server 2003.)

Autostart technique

Adds the following registry entries to enable its automatic execution every time the system starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Microsoft Windows = "svchosts.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
Microsoft Windows = "svchosts.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Windows = "svchosts.exe"

Other system modifications

Adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\Software\Licenses

HKEY_CLASSES_ROOT\CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}\InprocServer32

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SecurityProviders\SCHANNEL\
Protocols\PCT1.0\Server

Adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
{K7C0DB872A3F777C0} = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}\InprocServer32
ThreadingModel = "Both"

HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
{I096D2C313C1DD1E8} = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Ole
EnableRemoteConnect = "N"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SecurityProviders\SCHANNEL\
Protocols\PCT1.0\Server
Enabled = "{random values}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanserver\parameters
AutoShareWks = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanserver\parameters
AutoShareServer = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
AllowUnqualifiedQuery = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
PrioritizeRecordData = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TCP1320Opts = "3"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
KeepAliveTime = "2328"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
BcastQueryTimeout = "2ee"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
BcastNameQueryCount = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
CacheTimeout = "ea6"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
Size/Small/Medium/Large = "3"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
LargeBufferSize = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SynAckProtect = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
PerformRouterDiscovery = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnablePMTUBHDetect = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FastSendDatagramThreshold = "4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
StandardAddressLength = "18"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultReceiveWindow = "4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultSendWindow = "4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
BufferMultiplier = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
PriorityBoost = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
IrpStackSize = "4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
IgnorePushBitOnReceives = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableAddressSharing = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
AllowUserRawAccess = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableRawSecurity = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DynamicBacklogGrowthDelta = "32"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FastCopyReceiveThreshold = "4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
LargeBufferListDepth = "a"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxActiveTransmitFileCount = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxFastTransmit = "4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
OverheadChargeGranularity = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SmallBufferListDepth = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SmallerBufferSize = "8"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TransmitWorker = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DNSQueryTimeouts = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultRegistrationTTL = "14"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableReplaceAddressesInConflicts = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableReverseAddressRegistrations = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
UpdateSecurityLevel = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisjointNameSpace = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
QueryIpMatching = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
NoNameReleaseOnDemand = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableDeadGWDetect = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableFastRouteLookup = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxFreeTcbs = "7d"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxHashTableSize = "8"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SackOpts = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
Tcp1323Opts = "3"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpMaxDupAcks = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpRecvSegmentSize = "585"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpSendSegmentSize = "585"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultTTL = "3"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpMaxHalfOpen = "4b"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpMaxHalfOpenRetried = "5"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpTimedWaitDelay = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxNormLookupMemory = "3d4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FFPControlFlags = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FFPFastForwardingCacheSize = "3d4"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxForwardBufferMemory = "19df7"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxFreeTWTcbs = "7d"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
GlobalMaxTcpWindowSize = "7d2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnablePMTUDiscovery = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
ForwardBufferMemory = "19df7"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server = "5"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer = "5"

Modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
RFC1156Agent\CurrentVersion\Parameters
TrapPollTimeMilliSecs = "3a98"

(Note: The default value data of the said registry entry is 3a98.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\wuauserv
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Ole
EnableDCOM = "N"

(Note: The default value data of the said registry entry is Y.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Lsa
restrictanonymous = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
ForwardBroadcasts = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
IPEnableRouter = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
UseDomainNameDevolution = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableICMPRedirect = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DeadGWDetectDefault = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DontAddDefaultGatewayDefault = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableSecurityFilters = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpWindowSize = "7d2"

(Note: The default value data of the said registry entry is faf0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
LogSessionName = "stdout"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
Active = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
ControlFlags = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi\ImapiSvc
Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"

(Note: The default value data of the said registry entry is 8107d8e9-e323-49f5-bba2-abc35c243dca.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi\ImapiSvc
BitNames = "{random characters}"

(Note: The default value data of the said registry entry is ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort.)

Deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}\Version

Dropping routine

Drops the following files:

  • %User Profile%\Application Data\TEMP:CC8ADF7F
  • %System Root%\a.bat
  • %User Temp%\1.reg
  • %Temp%\d9b3upat.TMP

(Note: %User Profile% is the profile folder of the current user, usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP and Server 2003.

%System Root% is the root folder, normally C:\. It is also the location of the operating system.

%User Temp% is the Temp folder of the current user, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP and Server 2003.

%Temp% is the Windows temporary files folder, usually C:\Windows\Temp or C:\WINNT\Temp.)

Other details

This malware deletes itself after execution.

  Solutions

Minimum scan engine: 9.300

Step 1

Windows ME and XP users must make sure System Restore is disabled before performing any scan, so that the whole computer can be scanned.

Step 2

Restart in Safe Mode

Step 3

Delete this registry key

Important: editing the Windows Registry incorrectly can cause the system to malfunction irreversibly. Perform this step only if you know how to do it or can get help from your system administrator. Otherwise, read this Microsoft article before modifying your computer's Registry.

  • In HKEY_LOCAL_MACHINE\Software
    • Licenses
  • In HKEY_CLASSES_ROOT\CLSID
    • {5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • RunServices
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0
    • Server

Step 4

Delete this registry value

Important: editing the Windows Registry incorrectly can cause the system to malfunction irreversibly. Perform this step only if you know how to do it or can get help from your system administrator. Otherwise, read this Microsoft article before modifying your computer's Registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Microsoft Windows = "svchosts.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • Microsoft Windows = "svchosts.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Microsoft Windows = "svchosts.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
    • {K7C0DB872A3F777C0} = "{random values}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}\InprocServer32
    • ThreadingModel = "Both"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
    • {I096D2C313C1DD1E8} = "{random values}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • EnableRemoteConnect = "N"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
    • Enabled = "{random values}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
    • AutoShareWks = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
    • AutoShareServer = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • AllowUnqualifiedQuery = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • PrioritizeRecordData = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TCP1320Opts = "3"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • KeepAliveTime = "2328"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • BcastQueryTimeout = "2ee"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • BcastNameQueryCount = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • CacheTimeout = "ea6"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • Size/Small/Medium/Large = "3"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • LargeBufferSize = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • SynAckProtect = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • PerformRouterDiscovery = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • EnablePMTUBHDetect = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • FastSendDatagramThreshold = "4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • StandardAddressLength = "18"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DefaultReceiveWindow = "4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DefaultSendWindow = "4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • BufferMultiplier = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • PriorityBoost = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • IrpStackSize = "4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • IgnorePushBitOnReceives = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DisableAddressSharing = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • AllowUserRawAccess = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DisableRawSecurity = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DynamicBacklogGrowthDelta = "32"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • FastCopyReceiveThreshold = "4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • LargeBufferListDepth = "a"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxActiveTransmitFileCount = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxFastTransmit = "4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • OverheadChargeGranularity = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • SmallBufferListDepth = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • SmallerBufferSize = "8"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TransmitWorker = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DNSQueryTimeouts = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DefaultRegistrationTTL = "14"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DisableReplaceAddressesInConflicts = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DisableReverseAddressRegistrations = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • UpdateSecurityLevel = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DisjointNameSpace = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • QueryIpMatching = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • NoNameReleaseOnDemand = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • EnableDeadGWDetect = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • EnableFastRouteLookup = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxFreeTcbs = "7d"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxHashTableSize = "8"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • SackOpts = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • Tcp1323Opts = "3"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TcpMaxDupAcks = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TcpRecvSegmentSize = "585"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TcpSendSegmentSize = "585"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DefaultTTL = "3"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TcpMaxHalfOpen = "4b"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TcpMaxHalfOpenRetried = "5"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • TcpTimedWaitDelay = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxNormLookupMemory = "3d4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • FFPControlFlags = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • FFPFastForwardingCacheSize = "3d4"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxForwardBufferMemory = "19df7"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • MaxFreeTWTcbs = "7d"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • GlobalMaxTcpWindowSize = "7d2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • EnablePMTUDiscovery = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • ForwardBufferMemory = "19df7"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxConnectionsPer1_0Server = "5"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxConnectionsPerServer = "5"

Step 5

Restore this modified registry value

Important: editing the Windows Registry incorrectly can cause the system to malfunction irreversibly. Perform this step only if you know how to do it or can get help from your system administrator. Otherwise, read this Microsoft article before modifying your computer's Registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
    • From: TrapPollTimeMilliSecs = "3a98"
      To: TrapPollTimeMilliSecs = "3a98"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
    • From: Start = "4"
      To: Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
    • From: Start = "4"
      To: Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
    • From: Start = "4"
      To: Start = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • From: EnableDCOM = "N"
      To: EnableDCOM = "Y"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
    • restrictanonymous = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • ForwardBroadcasts = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • IPEnableRouter = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • From: UseDomainNameDevolution = "1"
      To: UseDomainNameDevolution = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • From: EnableICMPRedirect = "0"
      To: EnableICMPRedirect = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • From: DeadGWDetectDefault = "1"
      To: DeadGWDetectDefault = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • DontAddDefaultGatewayDefault = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • EnableSecurityFilters = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • From: TcpWindowSize = "7d2"
      To: TcpWindowSize = "faf0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
    • From: LogSessionName = "stdout"
      To: LogSessionName = "{random values}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
    • From: Active = "1"
      To: Active = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
    • From: ControlFlags = "1"
      To: ControlFlags = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc
    • From: Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
      To: Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc
    • From: BitNames = "{random characters}"
      To: BitNames = "ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"

Step 6

Search for and delete these files

Some of the component files may be hidden. Make sure the "Search Hidden Files and Folders" checkbox under "More advanced options" is selected so that the search results include all hidden files and folders.
  • %User Profile%\Application Data\TEMP:CC8ADF7F
  • %System Root%\a.bat
  • %User Temp%\1.reg
  • %Temp%\d9b3upat.TMP

Step 7

Search for and delete this folder

Make sure the "Search Hidden Files and Folders" checkbox under "More advanced options" is selected so that the search results include all hidden folders.
  • %User Profile%\Application Data\TEMP

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_KOLAB.EB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further steps are required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
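As an added example, not part of this Trend Micro entry, the following read-only PowerShell script checks a host for the indicators listed in the sections above (the "Microsoft Windows" autostart values pointing at svchosts.exe, the dropped copy in the system folder, the alternate data stream on the Application Data\TEMP folder, the three services the worm sets to Start = 4, and the marker registry keys) and prints what it finds without deleting anything. It assumes PowerShell 3.0 or later (the -Stream parameter of Get-Item is not available on the PowerShell 2.0 builds that run on Windows XP and Server 2003; on those hosts inspect the stream with Sysinternals Streams instead) and an elevated session so that HKLM is readable.

```powershell
# Added triage script (not Trend Micro's code): read-only check for WORM_KOLAB.EB indicators.
# Assumes PowerShell 3.0+ and an elevated session. It reports; it does not remediate.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart values: "Microsoft Windows" = "svchosts.exe" under Run / RunServices
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Microsoft Windows'
        if ($val -and $val -match 'svchosts\.exe') {
            $findings.Add("Autostart value '$key\Microsoft Windows' = $val")
        }
    }
}

# 2. Dropped copy in %System% (note the extra 's': svchosts.exe, not the legitimate svchost.exe)
$copy = Join-Path $env:SystemRoot 'System32\svchosts.exe'
if (Test-Path -LiteralPath $copy) {
    $findings.Add("File present: $copy")
}

# 3. Alternate data stream CC8ADF7F on the TEMP folder under Application Data.
#    %User Profile%\Application Data maps to %APPDATA% (assumption: roaming profile layout).
$tempDir = Join-Path $env:APPDATA 'TEMP'
if (Test-Path -LiteralPath $tempDir) {
    $streams = Get-Item -LiteralPath $tempDir -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($s.Stream -eq 'CC8ADF7F') {
            $findings.Add("Alternate data stream present: ${tempDir}:$($s.Stream)")
        }
    }
}

# 4. Services the worm disables (Start = 4): Windows Firewall/ICS, Windows Update, Security Center
foreach ($svc in 'SharedAccess', 'wuauserv', 'wscsvc') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $svcKey) {
        $start = (Get-ItemProperty -LiteralPath $svcKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            $findings.Add("Service '$svc' is disabled (Start = 4); the documented default is 2")
        }
    }
}

# 5. Marker keys. HKLM\SOFTWARE\Licenses can also be created by legitimate software,
#    so on its own it is a weak indicator; the CLSID below is the stronger one.
foreach ($key in 'HKLM:\SOFTWARE\Licenses',
                 'HKLM:\SOFTWARE\Classes\CLSID\{5A1F69E1-4543-1A28-DEF4-60C1678BC9C9}') {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("Registry key present: $key")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_KOLAB.EB indicators found.'
} else {
    Write-Output "WORM_KOLAB.EB indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it before Step 3 to confirm the infection and again after Step 8 to confirm the cleanup; a hit on the autostart values or the svchosts.exe copy is sufficient on its own, while the Licenses key should only be counted together with the other indicators.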