Virus: TR/Mserve.A
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 45.056 Bytes
MD5 checksum: 4ff337aae7b67ab35a9992943e709da9
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: PWSteal.Flecsip
   •  Mcafee: Keylog-KSpy.
   •  Kaspersky: Trojan-Spy.Win32.Agent.fa
   •  TrendMicro: TROJ_AGENT.VJ
   •  VirusBuster: TrojanSpy.Agent.RM


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Uses its own Email engine
   • Records keystrokes
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\msserv.exe



The following file is created:

   • %SYSDIR%\servms.dll
     This file contains collected keystrokes.

Registry
The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "msserv"="%SYSDIR%\\msserv.exe"

Email
It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:


From:
The sender of the email is the following:
   • troyan@rambler.ru


To:
The recipient of the email is the following:
   • usabunker2@yandex.ru


Subject:
The following:
   • LOG: %random character string%



Body:
The contents are the same as in the file servms.dll.

Stealing
It tries to steal the following information:
   • Keystrokes
   • Window information
   • Browser window
   • Login information

Miscellaneous
String:
Furthermore it contains the following string:
   • coded by Flex[IP] <www.blacklogic.net>

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Sergiu Oprea on Wednesday, August 3, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005
