Virus:TR/Dldr.Amisa.1
Date discovered:10/05/2006
Type:Trojan
Subtype:Downloader
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:24.576 Bytes
MD5 checksum:9dca6a6c2aea76c882f294360Aa706e2
VDF version:6.34.01.57

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.VB.abj
   •  TrendMicro: TROJ_ADLOAD.CX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Registry modification

 Files It tries to download some files:

– The location is the following:
   • http://www.nonameforthisdomain.com/**********?rnd=%number%
It is saved on the local hard drive under: %WINDIR%\teller2.chk

– The location is the following:
   • http://www.nonameforthisdomain.com/**********?rnd=%several random digits%&antisp=%number%
It is saved on the local hard drive under: %executed file%1.dat

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "keyboard"="%malware execution directory%\%executed file%"



The following registry key including all values and subkeys is removed:
   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsysupd



The following registry keys are added:

– HKCU\Software\Microsoft\Internet Explorer\Search\
   SearchAssistant Explorer\Main
   • "Default_Search_URL"="http://searchbar.findthewebsiteyouneed.com"

– HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
   • "SearchAssistant"="http://searchbar.findthewebsiteyouneed.com"

– HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
   • "Search Page"="http://searchbar.findthewebsiteyouneed.com"

– HKCU\Software\Microsoft\Internet Explorer\Main
   • "Start Page"="http://www.findthewebsiteyouneed.com"
   • "Search Page"="http://searchbar.findthewebsiteyouneed.com"
   • "Search Bar"="http://searchbar.findthewebsiteyouneed.com"
   • "Default_Search_URL"="http://searchbar.findthewebsiteyouneed.com"

 Backdoor The following:
   • http://www.nonameforthisdomain.com/**********?rnd=%several random digits%&antisp=%number%



Remote control capabilities:
    • Download file
    • Edit registry

 File details Programming language:
 The malware program was written in Visual Basic.

Description inserted by Ionut Slaveanu on Wednesday, May 10, 2006
Description updated by Ionut Slaveanu on Friday, May 26, 2006

Back . . . .