Virus: TR/Agent.8704.24
Date discovered: 02/12/2008
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 8.704 Bytes
MD5 checksum: 31ddc2ae38061b3b03571fd7f28ab788
IVDF version: 7.01.00.176 - Tuesday, December 2, 2008

General Aliases:
   • Sophos: Troj/Drop-AD
   • Grisoft: SHeur.CRFI


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Access to floppy disk
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\afido.exe
   • %drive%\afido.exe



It creates the following directory:
   • %TEMPDIR%\%random character string%.tmp



It deletes the following file:
   • %drive%\Autorun.inf



The following files are created:
   • %TEMPDIR%\%random character string%\b2e.exe
     This file is executed as soon as it has been fully written. Further investigation showed that this file is malware as well.
   • %TEMPDIR%\%random character string%\batfile.bat



It tries to execute the following files:

Filename:
   • %TEMPDIR%\%random character string%\b2e.exe
Furthermore it contains malicious code.

Filename:
   • %TEMPDIR%\%random character string%\batfile.bat

Registry
The following value is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "opesys"="%SYSDIR%\afido.exe"



The following registry key is added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
   • @="@SYS:DoesNotExist"

File details
Programming language:
The malware program was written in Assembler.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX
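To check a host for the persistence entries and dropped copies listed in this description, here is an added PowerShell hunt script (example code, not part of the Avira description). It assumes %SYSDIR% resolves to the System32 directory and %drive% to the root of each mounted drive; it only reads the registry and file system.

```powershell
# Added example: read-only check for the indicators named in the description above.
# Assumption: %SYSDIR% = System32, %drive% = root of every file-system drive.
$findings = @()

# 1. Run value "opesys" pointing at afido.exe (HKCU Run key from the description)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['opesys']) {
    $findings += "Run value 'opesys' = $($run.opesys)"
}

# 2. IniFileMapping entry that makes Windows ignore every Autorun.inf.
#    Note: administrators also set this key deliberately to disable AutoRun,
#    so treat it as context, not as proof of infection on its own.
$iniKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
if (Test-Path -Path $iniKey) {
    $default = (Get-ItemProperty -Path $iniKey -ErrorAction SilentlyContinue).'(default)'
    $findings += "IniFileMapping\Autorun.inf present, default = '$default'"
}

# 3. Dropped copies: %SYSDIR%\afido.exe and <drive>:\afido.exe,
#    compared against the MD5 given in the description.
$pageMd5 = '31ddc2ae38061b3b03571fd7f28ab788'
$candidates = @(Join-Path $env:SystemRoot 'System32\afido.exe')
$candidates += Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Join-Path $_.Root 'afido.exe' }
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $note = if ($hash -eq $pageMd5) { 'MD5 matches description' } else { "MD5 $hash differs" }
        $findings += "File $path present ($note)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this description found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A differing hash on a present afido.exe still deserves a look, since the page only lists the MD5 of one static sample.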

The description was created by Petre Galan on Tuesday, 7 July 2009
The description was modified by Petre Galan on Monday, 17 August 2009
