Date discovered: 09/12/2009
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 196.096 Bytes
MD5 checksum: d93c0dea37ebfacb9d475085b712fad0
IVDF version: - Wednesday, December 9, 2009

General method of propagation:
   • Email

Aliases:
   • Panda: W32/Kolabc.AW.worm
   • Eset: Win32/Delf.OXF
   • Bitdefender: IRC-Worm.Generic.8682

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe

It tries to download some files:

– The location is the following:
   • **********?id=%number%&tick=%number%&ver=486&smtp=%character string%

– The location is the following:

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host"=""
   • "id"="23318476078427455795981961071089"
   • "ii"="1"
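The file and registry indicators listed above can be checked on a suspect host with a short read-only script. The following PowerShell is an added example written for this page; it is not part of the Avira description and not a tool from Avira. It assumes %SYSDIR% resolves to %SystemRoot%\System32 (and, on 64-bit Windows, also looks in SysWOW64 in case of file-system redirection), that PowerShell 4 or later is available for Get-FileHash, and that the script runs with rights to read HKLM. The function name Test-MsvmclsIndicators is made up for this example.

```powershell
# Added example, not from the Avira description: report the indicators
# named in the description (dropped file, Run value, BITS values).
# Read-only: it only reports what it finds and changes nothing.
function Test-MsvmclsIndicators {
    $ExpectedMd5 = 'd93c0dea37ebfacb9d475085b712fad0'   # MD5 given in the description
    $RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $BitsKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS'
    # %SYSDIR%\msvmcls64.exe; SysWOW64 is an assumption for 64-bit hosts
    $Candidates  = @(
        (Join-Path $env:SystemRoot 'System32\msvmcls64.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\msvmcls64.exe')
    )

    $findings = @()

    # 1. Dropped file: presence first, then compare the hash with the reported sample.
    foreach ($path in $Candidates) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
            $verdict = if ($md5 -eq $ExpectedMd5) { 'matches' } else { 'does NOT match' }
            $findings += "File present: $path (MD5 $md5 $verdict the reported sample)"
        }
    }

    # 2. Persistence: the Run value "MS Virtual CLS" pointing at the dropped file.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['MS Virtual CLS']) {
        $findings += "Run value 'MS Virtual CLS' = $($run.'MS Virtual CLS')"
    }

    # 3. The BITS values the description lists. Only the specific value names are
    #    checked; the key name alone is not treated as evidence.
    $bits = Get-ItemProperty -Path $BitsKey -ErrorAction SilentlyContinue
    if ($bits) {
        foreach ($name in 'host', 'id', 'ii') {
            if ($bits.PSObject.Properties[$name]) {
                $findings += "BITS value '$name' = '$($bits.$name)'"
            }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No indicators from the description were found on this host.'
    } else {
        Write-Output 'Indicators found:'
        $findings | ForEach-Object { Write-Output "  $_" }
    }
    return $findings
}

Test-MsvmclsIndicators
```

A hash that differs from the one in the description does not clear the file: the sample is runtime-packed, and repacked variants carry the same file name and Run value with a different checksum, so treat the file name and persistence entry as the primary indicators and the MD5 as confirmation only.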

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

To:
– Email addresses found in specific files on the system.

Body:
– Contains HTML code.

Attachment:
The attachment is a copy of the malware itself.

Mailing MX Server:
It has the ability to contact one of the following MX servers:
   • hotmail.com
   • yahoo.com
   • aol.com
   • google.com
   • mail.com

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

The description was created by Petre Galan on Wednesday, 31 March 2010
The description was modified by Petre Galan on Wednesday, 31 March 2010
