3
-
![[HUN]PAStheLoD](https://media.sg.hu/forum/avatars/10334754621140968716.jpg "[HUN]PAStheLoD")
#3
Köszi köszi Billy boy ^.^ -
#2
Nyilván, ha egy programot (vagy vírust) Windows alá írnak, akkor azon tud működni... -
irkab1rka #1 http://www.f-secure.com/v-descs/myfip_h.shtml
When run, the worm copies under %SYSTEM% directory using the name 'kernel32dll.exe'. It creates a mutex named 'Meteo/EA[DCA]'. It installs the following registry key to ensure it will be executed next time the system is started:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Distributed File System" = "kernel32dll.exe"
The worm also creates a thread that adds the above registry key again if it is deleted.
If the worm is running under Windows NT-based system, it tries to inject code in address space of Explorer.exe. The injected code re-executes worm's file if the process terminates. The implementation seems to be quite unstable and it might crash Explorer.exe.
If the worm is running on Windows NT-based computer, it tries to hide its process by manipulating kernel data structures. This works only it worm is run under administrator privileges. If the system is Win9x-based, the worm tries to hide the process by issuing Win32 API call 'RegisterServiceProcess'.
Namost ugye unixon sajnos még regisztry sincs :DDD
mac-on sem... na vajon, melyik oprendszer is lehet veszélyben... hmmmmm....