Virus: BDS/Newartm.B
Date discovered: 05/09/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 15.078 Bytes
MD5 checksum: 7736c8ef4cfa2cd7a19bf0d0d2375f5d
VDF version: 6.35.01.182
IVDF version: 6.35.01.186 - Wednesday, September 6, 2006

General Alias:
   •  Bitdefender: Backdoor.Newartm.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Drops a malicious file
   • Registry modification
   • Third party control

Files:
The following files are created:

– %ALLUSERSPROFILE%\Documents\Settings\desktop.ini (contains parameters used by the malware)
– %ALLUSERSPROFILE%\Documents\Settings\artm_new.dll

Registry:
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\artm_newreg
   • "DllName"="%ALLUSERSPROFILE%\Documents\Settings\artm_new.dll"
   • "Startup"="artm_newreg"
   • "Impersonate"=dword:00000001
   • "Asynchronous"=dword:00000001
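For defenders, an added check that is not part of this description: it enumerates the Winlogon Notify packages on a Windows 2000/XP-era host and flags entries like the one above. The function name and the "DllName must live under System32" heuristic are my own assumptions; legitimate Notify packages normally register a bare DLL name that winlogon.exe resolves from System32.

```powershell
# Added example, not from the Avira description.
# Winlogon Notify packages are DLLs loaded into winlogon.exe at logon (Windows 2000/XP).
# Persistence via this key, with the DLL placed under %ALLUSERSPROFILE%, is what the
# BDS/Newartm.B entry above shows; this check lists every package that looks out of place.
$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32   = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousNotifyPackage {
    param([string]$Path = $notifyPath)
    # Vista and later no longer load Notify packages; the key may simply be absent.
    if (-not (Test-Path $Path)) { return @() }

    Get-ChildItem -Path $Path | ForEach-Object {
        $props   = Get-ItemProperty -Path $_.PSPath
        $dllName = [string]$props.DllName
        # A bare file name is resolved from System32; a full path is used as given.
        $resolved = if ($dllName -match '^[A-Za-z]:\\|^\\\\|%') { $dllName }
                    else { Join-Path $system32 $dllName }
        # Expand %ALLUSERSPROFILE% and friends the way the loader would.
        $resolved = [Environment]::ExpandEnvironmentVariables($resolved)

        $reasons = @()
        if ($resolved -notlike "$system32\*") {
            $reasons += "DllName outside System32: $resolved"
        }
        if ($_.PSChildName -eq 'artm_newreg' -or $props.Startup -eq 'artm_newreg') {
            $reasons += 'subkey/Startup name matches the BDS/Newartm.B indicator'
        }
        if (-not (Test-Path -LiteralPath $resolved)) {
            $reasons += 'DllName file not present on disk (orphaned or hidden)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key      = $_.PSChildName
                DllName  = $dllName
                Resolved = $resolved
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousNotifyPackage | Format-Table -AutoSize
```

Review any flagged entry together with the DLL's hash and the "Startup" export it registers; a package outside System32 is the strongest signal here.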

Backdoor:
The following port is opened:

A random TCP port, opened by the code injected into %PROGRAM FILES%\Internet Explorer\iexplore.exe


Contact server:
All of the following:
   • http://msupdate.info/**********
   • http://msupdate.info/**********
   • http://msupdate.info/**********

It may then send information to that server via an HTTP GET request to a PHP script.


Sends information about:
    • Current malware status
    • Information about the Windows operating system

Injection:
It injects itself into a process.

    Process name:
   • %PROGRAM FILES%\Internet Explorer\iexplore.exe

If successful, the malware process terminates while the injected part remains active.

Miscellaneous:
Internet connection:

It performs a DNS query for the name:
   • microsoft.com

File details:
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Bogdan Iliuta on Monday, September 18, 2006
Description updated by Andrei Ivanes on Friday, October 13, 2006
