Date discovered:13/12/2012
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:347,272 bytes
MD5 checksum:b5ca37ed32410574fbc5fa1aca343259
VDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   •  Symantec: Backdoor.Graybird.K
   •  McAfee: BackDoor-ARR.svr
   •  Kaspersky:
   •  VirusBuster: Backdoor.Hupigon.AB!AU
   •  Bitdefender: Backdoor.Hupigon.BO

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\Vrwx.exe

It deletes the initially executed copy of itself.

The following file is created:

   • %SYSDIR%\Deleteme.bat

The batch file is executed as soon as it has been fully written. A helper batch file of this name is the usual way such malware removes its original copy, since a running executable cannot delete its own file on Windows.

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Videorwx]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "DisplayName"="Windows Video"
   • "ObjectName"="LocalSystem"
   • "Description"="为系统提供必要的服务" (GBK-encoded Chinese: "provides necessary services for the system")

Type 0x110 is SERVICE_WIN32_OWN_PROCESS (0x10) combined with SERVICE_INTERACTIVE_PROCESS (0x100), and Start 2 is SERVICE_AUTO_START, so the service runs as LocalSystem at every boot. The generic display name "Windows Video" is meant to blend in with legitimate services.

– [HKLM\SYSTEM\CurrentControlSet\Services\Videorwx\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\

– [HKLM\SYSTEM\CurrentControlSet\Services\Videorwx]
   • "ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\

Backdoor
The following ports are opened:

%executed file% listens on TCP port 1983 in order to provide backdoor capabilities.
%executed file% listens on UDP port 1981 in order to provide backdoor capabilities.
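The service key and listening ports above are the indicators a responder would check first on a suspect host. The following triage script is an added example, not Avira's tooling: it parses a `reg export`-style dump of the Videorwx key (decoding the dword flags and the hex(2) REG_EXPAND_SZ ImagePath), and scans `netstat -ano` output for listeners on TCP 1983 and UDP 1981. The .reg text and netstat lines are constructed; the ImagePath hex is only the prefix shown on this page, so it decodes to a bare "C:\WINDOWS", and the PID 1234 is hypothetical.

```python
"""Host triage for the Videorwx service and backdoor ports described above.
Added example, not Avira's own code. SAMPLE_REG and SAMPLE_NETSTAT are constructed
inputs; the ImagePath hex is the truncated prefix from the page and PID 1234 is
hypothetical."""
import re

# Win32 service constants (winnt.h) used to interpret the "Type"/"Start" DWORDs.
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_INTERACTIVE_PROCESS = 0x100
SERVICE_AUTO_START = 0x2

# Indicators taken from the description.
IOC_SERVICE = "Videorwx"
IOC_DISPLAY = "Windows Video"
IOC_PORTS = {("TCP", 1983), ("UDP", 1981)}

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Videorwx`.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Videorwx]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"DisplayName"="Windows Video"
"ObjectName"="LocalSystem"
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  00,00
"""

# Constructed `netstat -ano` lines (PID 1234 is hypothetical).
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1983           0.0.0.0:0              LISTENING       1234
  UDP    0.0.0.0:1981           *:*                                    1234
"""


def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}.
    Handles quoted strings, dword, and hex(2) (REG_EXPAND_SZ stored as
    comma-separated UTF-16LE bytes, possibly continued with a trailing backslash)."""
    keys, cur = {}, None
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # join continued hex lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("["):
            cur = line[1:-1]
            keys[cur] = {}
        elif line.startswith('"') and cur is not None:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[cur][name] = int(raw[6:], 16)
            elif raw.startswith("hex(2):"):
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                keys[cur][name] = data.decode("utf-16-le").rstrip("\x00")
            else:
                keys[cur][name] = raw.strip('"')
    return keys


def service_flags(values):
    """Decode the service Type/Start DWORDs into readable booleans."""
    t, s = values.get("Type", 0), values.get("Start", -1)
    return {
        "own_process": bool(t & SERVICE_WIN32_OWN_PROCESS),
        "interactive": bool(t & SERVICE_INTERACTIVE_PROCESS),
        "auto_start": s == SERVICE_AUTO_START,
    }


def check_registry(reg_text):
    """Return (service name, ImagePath, flags) for keys matching the indicators."""
    findings = []
    for key, vals in parse_reg(reg_text).items():
        name = key.rsplit("\\", 1)[-1]
        if name == IOC_SERVICE or vals.get("DisplayName") == IOC_DISPLAY:
            findings.append((name, vals.get("ImagePath", ""), service_flags(vals)))
    return findings


def check_netstat(lines):
    """Return (proto, port, pid) for listeners on the backdoor ports."""
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if (parts[0], port) in IOC_PORTS:
            hits.append((parts[0], port, int(parts[-1])))
    return hits


if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REG):
        print("service:", finding)
    for hit in check_netstat(SAMPLE_NETSTAT):
        print("listener:", hit)
```

On a live host, replace the constructed samples with the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Videorwx out.reg` and `netstat -ano`; a PID that owns both listeners and whose image is %SYSDIR%\Vrwx.exe ties the two findings together.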

Miscellaneous
Mutex:
It creates the following Mutex:
   • eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0

File details
Programming language:
The malware program was written in Delphi.

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Victor Tone on Tuesday, August 2, 2005
Description updated by Victor Tone on Friday, August 26, 2005
