Date discovered: 09/06/2011
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 3.328.947 Bytes
MD5 checksum: 8A6D83F8E169F2508F978C1B7D57D13F
VDF version:
IVDF version:

General
Method of propagation:
   • Autorun feature

Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.hud
   •  TrendMicro: WORM_OTORUN.HU
   •  Microsoft: Worm:Win32/Colowned.A

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Third party control
   • Drops files
   • Registry modification

Files
It copies itself to the following locations:
   • %APPDATA%\taskhost.exe
   • %drive%\viewDrive.exe

– %drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

It tries to download a file:

– The location is the following:
   • http://link.colo.**********.hu:31099/l.txt
This file may contain further download locations and might serve as source for new threats.

Registry
One of the following values is added to each registry key so that the process runs after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Task Host"="%APPDATA%\taskhost.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Task Host"="%APPDATA%\taskhost.exe"

Backdoor
The following port is opened:

– svchost.exe on UDP port 1033

Contact server:
The following:
   • http://link.colo.**********.hu:31099

Injection
– It injects itself as a remote thread into processes.

    Process name:
   • svchost.exe

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description created by Andrei Ilie on Monday, August 1, 2011
Description updated by Andrei Ilie on Tuesday, August 2, 2011
