Hi folks,
Let us first give some details on the first Anubis report that Left123 provided for us.
This is what I got on that, please correct or comment.
The analysis of the first Anubis report.
There is a known weakness in ntdll.dll, which later was patched with Q815021_WXP_SP2_x86_NLD.exe as far back as 2003.
Malware creates a copy of the file %System%\ADVAPI32.DLL later to modify and remove the legit ADVAPI32.DLL section object.
Extensive description found here:
http://www.f-secure.com/v-descs/backdoor_w32_tdss.shtml
But this is for the complete malware, so what we discuss here is just the Backdoor.Win32.ZAccess (Sig-Id:61936921) part of the malware.
A bug in ATI Multimedia center is being used, as we read about e.g. "msacm.iac2", good for a generic find of this Subtype-N/A type of malware.
Device Control Communication - KsecDD = the security device server, it lives in c:\winnt\system32\drivers
About Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
Dialog does not display the specific version of comctl32.dll; it causes Windows Explorer to crash repeatedly
and causes an access violation when closing tabs.
The Common-Controls etc. is also found with Virtumonde and other fraudLoad trojan malware.
DRMClien.DLL is being used in malware for effective camouflage; it is used for managing content and is
programmed to appear as a legit file, as it may infect computers via dubious file-sharing tools.
msvfw32.dll could also appear to be a camouflage file.
tapi32.dll files may end up becoming corrupted as malware runs amok on your comp.
WMASF.DLL is part of Windows Media Files and is also being used in attack code.
A patched WS2_32.dll as part of Windows Socket is no fun issue: webpage loading slows down and many redirects are found.
Non-system processes like msdmo.dll originate from malware you installed on your system, which leads to errors that can be harmful.
urlmon.dll can get corrupted from this malware.
rtutils.dll is a camouflage file.
wmidx.dll in malware is also used to pose as a legit file.
wmvcore.dll is an application that does NOT appear to be a security risk; it is the Windows Media Playback/Authoring DLL.
polonus
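Added example, not part of polonus's post or of the Anubis report: the post repeatedly describes system DLLs (ADVAPI32.DLL, WS2_32.dll, urlmon.dll) being copied, patched or corrupted. A defender's first check for that is to compare the hashes of the files on disk against a known-good baseline. The script below does exactly that against a constructed fake %System% directory; the file names are taken from the post, but the baseline hashes and file contents are constructed for the demonstration and the `"0" * 64` entry is a placeholder, not a real hash.

```python
"""
Added example (not from the forum post): compare SHA-256 hashes of a set of
system DLLs against a known-good baseline to spot patched, replaced or
missing copies. All file contents and baseline values are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(system_dir, baseline):
    """Return {file name: 'ok' | 'modified' | 'missing'} for every baseline entry."""
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def build_demo():
    """Create a constructed fake %System% directory: one clean DLL, one byte-patched DLL, one absent."""
    system_dir = tempfile.mkdtemp(prefix="fake_system32_")
    clean_advapi = b"MZ constructed clean ADVAPI32 image"   # constructed, not a real PE
    clean_ws2 = b"MZ constructed clean WS2_32 image"        # constructed, not a real PE
    baseline = {
        "ADVAPI32.DLL": hashlib.sha256(clean_advapi).hexdigest(),
        "WS2_32.dll": hashlib.sha256(clean_ws2).hexdigest(),
        "urlmon.dll": "0" * 64,  # placeholder hash; the file is deliberately left absent
    }
    with open(os.path.join(system_dir, "ADVAPI32.DLL"), "wb") as fh:
        fh.write(clean_advapi)
    # Simulate a patched WS2_32.dll: a few bytes differ from the clean image
    with open(os.path.join(system_dir, "WS2_32.dll"), "wb") as fh:
        fh.write(clean_ws2.replace(b"clean", b"patch"))
    return system_dir, baseline


def run_demo():
    """Build the constructed directory and return the integrity report."""
    system_dir, baseline = build_demo()
    return check_integrity(system_dir, baseline)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

On a real machine the baseline would come from clean install media or the vendor's file catalog rather than from the suspect system itself, and the built-in `sfc /scannow` does a comparable protected-file check; the value of a hash report like this one is that it names exactly which files were replaced, which is what you want before deciding whether a restore is enough.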