Virus: TR/Dldr.EbayBill.E
Date discovered: 20/07/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 20,277 bytes
MD5 checksum: d5c55a2222290c3b9fa47f0423058df1
VDF version: 6.35.00.193
IVDF version: 6.35.00.234
General
Method of propagation:
• No own spreading routine
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\ipf.exe
The following file is created:
– %SYSDIR%\drivers\winut.dat
This is a non-malicious text file (a list of download servers) with the following content:
• http://actsmiley.co.uk/img/**********
• http://spbfp.atlant.ru/sys/**********
• http://dreadwolf.net/**********
• http://dynafilmes.com.br/imagens/**********
• http://docslv.com/gallery/bridge/**********
• http://soloaguia.com/imagens/**********
• http://spbfp.atlant.ru/sys/sys/**********
• http://dynafilmes.com.br/imagens/3/**********
• http://soloaguia.com/imagens/3/**********
• http://leads4sales.co.uk/images/main/**********
• http://dbspider.net/approach-som/images/**********

Registry
The following registry value is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "IPF"="%SYSDIR%\ipf.exe"
It creates the following entries in order to bypass the Windows XP firewall (each value has the form path:scope:Enabled:name; the "*" scope authorises connections from any remote address):
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
• "%malware execution directory%\%executed file%"="%malware execution directory%\%executed file%:*:Enabled:%executed file%"
• "%SYSDIR%\ipf.exe"="%SYSDIR%\ipf.exe:*:Enabled:ipf"
• "%PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE"="%PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

Backdoor
Contact server:
All of the following:
• http://actsmiley.co.uk/img/**********
• http://spbfp.atlant.ru/sys/**********
• http://dreadwolf.net/**********
• http://dynafilmes.com.br/imagens/**********
• http://docslv.com/gallery/bridge/**********
• http://soloaguia.com/imagens/**********
• http://spbfp.atlant.ru/sys/sys/**********
• http://dynafilmes.com.br/imagens/3/**********
• http://soloaguia.com/imagens/3/**********
• http://leads4sales.co.uk/images/main/**********
• http://dbspider.net/approach-som/images/**********
Once connected, it retrieves an additional list of servers. The server's answer is written to the file:
%SYSDIR%\drivers\winut.dat
Remote control capabilities:
• Download file

Miscellaneous
Mutex:
It creates the following mutex (a single-instance check; its presence on a running system is an indicator of infection):
• GLOBALSUPERHANDLEPOSITIONZ

File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• FSG
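The Run-key persistence and the AuthorizedApplications entries above are the artefacts a responder would check for on an XP host. The following is an added example, not part of the Avira description: it parses a Windows Registry export (.reg text), decodes the path:scope:Enabled:name format of the firewall exception list, and flags the entries this downloader leaves behind. The .reg text is constructed for the example; the dropper path C:\temp\dropper.exe stands in for the "%malware execution directory%\%executed file%" placeholder, and C:\WINDOWS\system32 is assumed as %SYSDIR%.

```python
"""Added example: flag TR/Dldr.EbayBill.E persistence and firewall-exception
artefacts in a Windows Registry export. The sample export below is constructed;
dropper.exe is a stand-in for the unnamed %executed file% in the description."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

IOC_BINARIES = {"ipf.exe"}      # dropped copy named in the description
BROWSERS = {"iexplore.exe"}     # a browser never needs its own inbound exception

# Constructed sample export: one legitimate Run value and one legitimate
# firewall exception next to the entries the description lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"IPF"="C:\\WINDOWS\\system32\\ipf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\temp\\dropper.exe"="C:\\temp\\dropper.exe:*:Enabled:dropper.exe"
"C:\\WINDOWS\\system32\\ipf.exe"="C:\\WINDOWS\\system32\\ipf.exe:*:Enabled:ipf"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
'''

# "name"="data" lines of a .reg file; backslashes and quotes are escaped with '\'
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# AuthorizedApplications data: path:scope:Enabled|Disabled:display name
_FW_RE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text):
    """Return {key: {value name: string data}} for the REG_SZ values of a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key is not None:
            m = _VALUE_RE.match(line)
            if m:
                entries[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def find_run_persistence(entries):
    """Run values whose target is one of the dropped binaries, as (name, path)."""
    hits = []
    for name, data in entries.get(RUN_KEY, {}).items():
        if ntpath.basename(data.strip('"')).lower() in IOC_BINARIES:
            hits.append((name, data))
    return hits


def parse_firewall_list(entries):
    """Decode every AuthorizedApplications value into its four fields."""
    return [m.groupdict() for data in entries.get(FW_KEY, {}).values()
            if (m := _FW_RE.match(data))]


def suspicious_firewall_exceptions(entries):
    """Enabled exceptions that match the pattern this downloader creates.

    Returns (path, scope, reasons). A display name that is just the file name
    (or its stem) is how the malware registers itself and its dropper; an
    exception for the browser is the third entry the description lists."""
    flagged = []
    for e in parse_firewall_list(entries):
        if e["state"] != "Enabled":
            continue
        exe = ntpath.basename(e["path"]).lower()
        stem = exe[:-4] if exe.endswith(".exe") else exe
        reasons = []
        if exe in IOC_BINARIES:
            reasons.append("known dropped binary")
        if e["name"].lower() in (exe, stem):
            reasons.append("display name auto-derived from file name")
        if exe in BROWSERS:
            reasons.append("browser authorised for inbound connections")
        if reasons:
            flagged.append((e["path"], e["scope"], reasons))
    return flagged


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for name, path in find_run_persistence(reg):
        print(f"Run persistence: {name} -> {path}")
    for path, scope, reasons in suspicious_firewall_exceptions(reg):
        print(f"Firewall exception {path} (scope {scope}): {', '.join(reasons)}")
```

On a live XP host the same logic applies to the output of `reg export` for the two keys; the Windows Messenger entry in the constructed sample shows the shape of a legitimate exception (a human-readable display name) that the rules leave alone.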
Description inserted by Andrei Ivanes on Thursday, July 20, 2006
Description updated by Andrei Ivanes on Thursday, July 20, 2006