Virus: TR/Enfal.E
Date discovered: 05/08/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 65,586 Bytes
MD5 checksum: a6707ce1a445eb7f75abdb82b23dbd8c
VDF version: 6.35.01.53 - Saturday, August 5, 2006
IVDF version: 6.35.01.53 - Saturday, August 5, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Enfal
   •  Kaspersky: Trojan.Win32.Enfal.d
   •  TrendMicro: WORM_AGENT.DJI
   •  Bitdefender: Trojan.Enfal.D


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\Winkrnl.exe
   • %SYSDIR%\DisMgnt.exe



It deletes the initially executed copy of itself.

Registry
The following registry key is changed:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Userinit"="%sysdir%\userinit.exe,"
   New value:
   • "Userinit"="%sysdir%\userinit.exe,%sysdir%\DisMgnt.exe"
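The Userinit change above is the persistence mechanism: Winlogon runs every comma-separated entry in that value at logon, so appending DisMgnt.exe makes the trojan start with each user session. The following check is an added example written for this description, not Avira's code; it parses a Userinit value, accepts only a userinit.exe that lives in the system directory, and returns every other entry. The sample values are constructed from the old and new values listed above; the live registry read is optional and only works on Windows.

```python
import ntpath

# Constructed sample values, mirroring the old and new Userinit values
# listed in this description. They are not read from a real system.
SAMPLE_VALUES = {
    "clean": r"%sysdir%\userinit.exe,",
    "infected": r"%sysdir%\userinit.exe,%sysdir%\DisMgnt.exe",
}

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def is_expected_userinit(entry, sysdir=r"%sysdir%"):
    """True only for userinit.exe located in the given system directory.

    A userinit.exe copied to any other directory is not accepted, since a
    look-alike in a different path would otherwise pass the check.
    """
    path = entry.strip().strip('"')
    head, tail = ntpath.split(path)
    return (tail.lower() == "userinit.exe"
            and head.lower().rstrip("\\") == sysdir.lower().rstrip("\\"))


def extra_userinit_entries(value, sysdir=r"%sysdir%"):
    """Return every Userinit entry other than the expected userinit.exe.

    An empty list means the value matches the default. The trailing comma
    in the default value yields an empty entry, which is ignored.
    """
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and not is_expected_userinit(e, sysdir)]


def check_samples(samples=SAMPLE_VALUES, sysdir=r"%sysdir%"):
    """Map each sample name to its suspicious entries (empty if clean)."""
    return {name: extra_userinit_entries(val, sysdir) for name, val in samples.items()}


def read_live_userinit():
    """Read the real Userinit value on Windows; None elsewhere or on error."""
    try:
        import winreg  # only available on Windows
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Userinit")
            return value
    except (ImportError, OSError):
        return None


if __name__ == "__main__":
    for name, extras in check_samples().items():
        status = "suspicious: " + ", ".join(extras) if extras else "clean"
        print(f"{name}: {status}")
    live = read_live_userinit()
    if live is not None:
        # On a real host the value contains the resolved system directory,
        # e.g. C:\Windows\system32, so pass that directory as sysdir.
        import os
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
        print("live value:", live, "->", extra_userinit_entries(live, sysdir) or "clean")
```

On a live host the value holds the expanded path rather than the %sysdir% placeholder, so the actual system32 directory is passed as sysdir; any returned entry is something Winlogon will execute at every logon and is worth inspecting.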

Backdoor
Contact server:
One of the following:
   • http://www.luck4us.com/http**********
   • http://www.luck4us.com/http**********
   • http://www.luck4us.com/http**********
   • http://www.luck4us.com/http**********
   • http://www.luck4us.com/http**********

The following:
   • http://www.luck4us.com**********

It may send information to this server and periodically repeats the connection. The data is transmitted with the HTTP POST method to a CGI script.


Sends information about:
    • Computer name
    • MAC address

Injection
It injects itself as a remote thread into a process.

   Process name:
   • %WINDIR%\explorer.exe


File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Teodor Onisor on Tuesday, August 8, 2006
Description updated by Teodor Onisor on Tuesday, August 8, 2006
