Virus: TR/NSAnti.A.319
Date discovered: 29/05/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 283.656 Bytes
MD5 checksum: 5164477c6eac422c840dbf1d658f599b
VDF version: 6.34.01.29
IVDF version: 6.34.01.30 - Wednesday, May 3, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  TrendMicro: BKDR_HUIGEZI.W
   •  Bitdefender: Trojan.NSAnti.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\GAME.exe



It deletes the initially executed copy of itself.



The following file is created:

– A temporary file that may be deleted afterwards:
   • %WINDIR%\uninstal.bat




It tries to execute the following file:

– Filename:
   • %WINDIR%\uninstal.bat
This batch file is used to delete a file.

Registry
The following registry keys are added so that the service is loaded after a reboot:

– [HKLM\SYSTEM\ControlSet001\Services\Colume]
   • "Description"="╣▄└φ▒╕╖▌,╣╪▒╒║≤╜½▓╗─▄╜°╨╨╧╡═│╗╣╘¡"
   • "ImagePath"="%WINDIR%\GAME.exe"
   • "ObjectName"="LocalSystem"
   • "DisplayName"="Colume"
   • "ErrorControl"=dword:00000000
   • "Start"=dword:00000002
   • "Type"=dword:00000110

– [HKLM\SYSTEM\ControlSet001\Services\Colume\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_COLUME\0000\Control]
   • "ActiveService"="Colume"
   • "*NewlyCreated*"=dword:00000000

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_COLUME]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_COLUME\0000]
   • "DeviceDesc"="Colume"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "Class"="LegacyDriver"
   • "ConfigFlags"=dword:00000000
   • "Legacy"=dword:00000001
   • "Service"="Colume"

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   • @=dword:00000010
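The service entry above is the persistence mechanism: an auto-start (Start=2) interactive own-process service (Type=0x110) whose ImagePath points at an executable dropped directly into %WINDIR%, plus the Enum\Root\LEGACY_COLUME keys the Service Control Manager writes when such a service is registered. As an added example (not part of the original description or any vendor tooling), the following Python script parses a REGEDIT5 .reg export of the SYSTEM hive, decodes the string, dword and REG_EXPAND_SZ values service keys use, and flags services that share those traits. The SAMPLE_REG text is constructed for this example: the Colume key mirrors the values listed above with the non-ASCII Description replaced by a placeholder, and the Eventlog key is a benign control whose ImagePath is hex-encoded the way `reg export` writes REG_EXPAND_SZ data.

```python
"""Offline triage of a Windows registry export for service-based persistence.
Parses REGEDIT5 .reg text (the format `reg export` writes), decodes the value
types service keys use, and flags services that share the traits of the
Colume entry. SAMPLE_REG is constructed for this example."""
import re
from typing import Dict, List

# Constructed sample export (not a real capture): Colume mirrors the described
# values; Eventlog is a benign control with a hex(2)-encoded ImagePath.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog]
"DisplayName"="Event Log"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Colume]
"Description"="(non-ASCII text omitted in this constructed sample)"
"ImagePath"="C:\\WINDOWS\\GAME.exe"
"ObjectName"="LocalSystem"
"DisplayName"="Colume"
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_COLUME\0000]
"DeviceDesc"="Colume"
"Class"="LegacyDriver"
"Service"="Colume"
'''

SERVICE_AUTO_START = 0x00000002           # Start=2: started by the SCM at boot
SERVICE_INTERACTIVE_PROCESS = 0x00000100  # Type bit 0x100 (0x110 = own process + interactive)
SERVICE_KEY = re.compile(r'^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d{3}\\Services\\([^\\]+)$', re.I)
# A binary sitting directly in the Windows directory rather than a subfolder such as system32.
WINDIR_ROOT = re.compile(r'^(%WINDIR%|%SYSTEMROOT%|[A-Z]:\\WINDOWS|[A-Z]:\\WINNT)\\[^\\]+$', re.I)


def decode_value(raw: str):
    """Decode the REGEDIT5 value encodings that service keys use."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])        # unescape \\ and \"
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):                         # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw                                            # other types kept verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith('\\') and i + 1 < len(lines):  # join hex continuation lines
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line and line.startswith(('"', '@')):
            name, raw = line.split('=', 1)
            keys[current]['(default)' if name == '@' else name.strip('"')] = decode_value(raw)
    return keys


def has_legacy_enum(keys: Dict[str, Dict[str, object]], name: str) -> bool:
    """True if the SCM-written Enum/Root/LEGACY_<NAME> key is present in the export."""
    pat = re.compile(r'^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d{3}\\Enum\\Root\\LEGACY_'
                     + re.escape(name) + r'(\\|$)', re.I)
    return any(pat.match(k) for k in keys)


def suspicious_services(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Flag service keys that share the traits of the Colume entry."""
    findings = []
    for path, values in keys.items():
        m = SERVICE_KEY.match(path)
        if not m:
            continue                                      # skip Security/Parameters subkeys
        name = m.group(1)
        image = str(values.get('ImagePath', '')).strip('"')
        typ = values.get('Type', 0)
        reasons = []
        if image.lower().endswith('\\game.exe'):
            reasons.append('ImagePath is the GAME.exe indicator from the description')
        if WINDIR_ROOT.match(image):
            reasons.append('service binary lives directly in %WINDIR%, not in system32')
        if values.get('Start') == SERVICE_AUTO_START and isinstance(typ, int) \
                and typ & SERVICE_INTERACTIVE_PROCESS:
            reasons.append('auto-start service with the interactive-process flag')
        if reasons:
            findings.append({'service': name, 'image': image, 'reasons': reasons,
                             'legacy_enum_key': has_legacy_enum(keys, name)})
    return findings


if __name__ == '__main__':
    for f in suspicious_services(parse_reg(SAMPLE_REG)):
        print(f"{f['service']}: {f['image']}")
        for r in f['reasons']:
            print('  -', r)
        print('  LEGACY_ Enum key present:', f['legacy_enum_key'])
```

Run against a real `reg export HKLM\SYSTEM out.reg` by reading the file (it is UTF-16 with a BOM, so open it with `encoding='utf-16'`) and passing the text to `parse_reg`. The GAME.exe check is the page-specific indicator; the other two checks are the generalisable traits, and a hit on them alone is a hunting lead to confirm against the binary, not a verdict.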

Backdoor
Contact server:
It contacts the following server:
   • http://qcqcz.bd7x.com/**********

It also repeats the connection periodically.

It sends information about:
   • Computer name
   • Information about the Windows operating system

File details
Runtime packer:
It is packed with a runtime packer in order to hinder detection and reduce the file size.

Description inserted by Alexandru Tudor on Monday, May 29, 2006
Description updated by Alexandru Tudor on Tuesday, June 6, 2006
