Virus: TR/Dldr.EbayBill.D
Date discovered: 18/07/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 17.408 Bytes
MD5 checksum: ca0E2fc83c794fa7be2aa3cae0a7ee0F
VDF version: 6.35.00.172
IVDF version: 6.35.00.211

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\ipf.exe



The following files are created:

%SYSDIR%\drivers\winut.dat

Registry
One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "IPF"="%SYSDIR%\ipf.exe"



The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%"="%malware execution directory%\%executed file%:*:Enabled:%executed file%"
   • "%SYSDIR%\ipf.exe"="%SYSDIR%\ipf.exe:*:Enabled:ipf"
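The two registry artefacts above are the ones a responder can hunt for offline: the Run value gives the trojan persistence, and the AuthorizedApplications\List entries whitelist the binary in the Windows Firewall (the "path:*:Enabled:name" format is the firewall's own exception-list encoding). The following script is an added example, not part of the Avira description; it parses a text registry export (the format produced by "reg export") and flags both indicators. The sample export embedded in it is constructed for the test and is not a real capture. Because the first firewall entry uses the name of whatever file the user originally ran, which this description cannot know, the script keys only on the dropped file name ipf.exe and the "ipf" display name, and additionally reports every other Enabled firewall exception for manual review.

```python
"""Flag TR/Dldr.EbayBill.D registry indicators in a .reg text export (added example)."""
import re

# Constructed sample export (not a real capture): a benign Run value, the
# trojan's Run value, and its firewall exception, as listed in the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IPF"="C:\\WINDOWS\\system32\\ipf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ipf.exe"="C:\\WINDOWS\\system32\\ipf.exe:*:Enabled:ipf"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
DROPPED_EXE = "ipf.exe"   # file name from the description
RUN_VALUE_NAME = "ipf"    # value name from the description (compared case-insensitively)

# A REGEDIT export line of the form "name"="string data"; both sides may
# contain backslash escapes (\\ for a backslash, \" for a quote).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _normalize_key(key):
    """Expand the HKLM abbreviation and lower-case, since registry keys are case-insensitive."""
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.lower()


def parse_reg(text):
    """Return {normalized_key_path: {value_name: string_data}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _normalize_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(keys):
    """Return (category, value_name, data) tuples for every matching registry value."""
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME or _basename(data) == DROPPED_EXE:
            hits.append(("run-key persistence", name, data))
    for name, data in keys.get(FW_LIST_KEY.lower(), {}).items():
        # Firewall exception data: <path>:*:Enabled:<display name>; rsplit keeps
        # the drive-letter colon inside the path.
        fields = data.rsplit(":", 3)
        if len(fields) != 4:
            continue
        path, _scope, state, display = fields
        if _basename(path) == DROPPED_EXE or display.lower() == RUN_VALUE_NAME:
            hits.append(("firewall exception", name, data))
        elif state.lower() == "enabled":
            hits.append(("firewall exception (review)", name, data))
    return hits


def scan_export(text):
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for category, name, data in scan_export(SAMPLE_REG):
        print(f"{category}: {name} = {data}")
```

On a live host the same check can be run against the output of "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg" and the equivalent export of the firewall key; files exported by regedit are UTF-16, so open them with that encoding before passing the text in.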

Backdoor
Contact server:
All of the following:
   • http://www.dbspider.net/approach-som/images/**********
   • http://www.leads4sales.co.uk/images/main/**********
   • http://www.soloaguia.com/imagens/3/**********
   • http://www.dynafilmes.com.br/imagens/3/**********
   • http://www.spbfp.atlant.ru/sys/sys/**********
   • http://www.soloaguia.com/imagens/**********
   • http://www.docslv.com/gallery/bridge/**********
   • http://www.dynafilmes.com.br/imagens/**********
   • http://www.dreadwolf.net/**********
   • http://www.spbfp.atlant.ru/sys/**********
   • http://www.actsmiley.co.uk/img/**********

As a result, remote control capability is provided. The server's answer is written to the file: %SYSDIR%\drivers\winut.dat


Remote control capabilities:
   • Download file

Miscellaneous
Mutex:
It creates the following Mutexes:
   • .t__!!x!!__t!!__
   • __[__z__l__s__]__


String:
Furthermore it contains the following strings:
   • The battle for middle earth
   • World Craft
   • Hallo god to be back haalllo.. Scooter the stdaium tehno experiance
   • Deed you miss me??
   • This is a mile mikhael city
   • This is a MonsterTune

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Monica Ghitun on Tuesday, July 18, 2006
Description updated by Monica Ghitun on Wednesday, July 19, 2006
