Virus: ADSPY/IEHlpr.F.2
Date discovered: 05/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 30.208 Bytes
MD5 checksum: 4242246b3403cfc7809fd4604967953d
VDF version: 6.35.01.196
IVDF version: 6.35.01.200 - Friday, September 8, 2006

General

Method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Trojan-Dropper.Win32.Agent.atg


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification

Files

It copies itself to the following location:
   • %WINDIR%\fonts\msshapi.dll

The following files are created:

– %WINDIR%\Fonts\winhelp.ini: this file contains the information collected about the system.
– %WINDIR%\Fonts\mms.exe: this file is executed as soon as it has been fully written.

Registry

It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}]


The following registry keys are added:

– [HKCR\IEHelper.WinHelper]
   • @="internet explorer helper"

– [HKCR\IEHelper.WinHelper\CLSID]
   • @="{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}"

– [HKCR\IEHelper.WinHelper\CurVer]
   • @="IEHelper.WinHelper.1"

– [HKCR\IEHelper.WinHelper.1]
   • @="internet explorer helper"

– [HKCR\IEHelper.WinHelper.1\CLSID]
   • @="{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}"

– [HKCR\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}]
   • @="internet explorer helper"

– [HKCR\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}\InprocServer32]
   • @="%malware execution directory%\%executed file%"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}\ProgID]
   • @="IEHelper.WinHelper.1"

– [HKCR\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}\Programmable]

– [HKCR\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}\TypeLib]
   • @="{964DDEFF-B16C-4113-8FF7-8E83B53C8ED8}"

– [HKCR\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}\VersionIndependentProgID]
   • @="IEHelper.WinHelper"

– [HKCR\TypeLib\{964DDEFF-B16C-4113-8FF7-8E83B53C8ED8}\1.0]
   • @="IEHelper 1.0 Type Library"

– [HKCR\TypeLib\{964DDEFF-B16C-4113-8FF7-8E83B53C8ED8}\1.0\0\win32]
   • @="%malware execution directory%\%executed file%"

– [HKCR\TypeLib\{964DDEFF-B16C-4113-8FF7-8E83B53C8ED8}\1.0\FLAGS]
   • @="0"

– [HKCR\TypeLib\{964DDEFF-B16C-4113-8FF7-8E83B53C8ED8}\1.0\HELPDIR]
   • @="%malware execution directory%"

– [HKCR\Interface\{D922591D-7893-412B-B801-C3B2F31BE4C9}]
   • @="IWinHelper"

– [HKCR\Interface\{D922591D-7893-412B-B801-C3B2F31BE4C9}\ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{D922591D-7893-412B-B801-C3B2F31BE4C9}\ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{D922591D-7893-412B-B801-C3B2F31BE4C9}\TypeLib]
   • @="{964DDEFF-B16C-4113-8FF7-8E83B53C8ED8}"
   • "Version"="1.0"
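As an added triage example that is not part of the Avira description: a Python helper that reads a registry export in .reg syntax, lists the BHOs registered under the HKLM "Browser Helper Objects" key described above, resolves each CLSID to its InprocServer32 DLL, and flags the CLSID from this description or any BHO DLL loaded from the Fonts directory (where the dropper copies msshapi.dll). The embedded registry export is constructed from the keys listed above; the second, benign BHO and the concrete DLL paths are placeholders, and the sample assumes the copied msshapi.dll is the DLL that InprocServer32 points to.

```python
import re

# Constructed .reg export modelled on the keys listed above; the Fonts-directory path
# and the second, benign BHO entry are placeholders, not values taken from the description.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}\InprocServer32]
@="C:\\WINDOWS\\fonts\\msshapi.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IEHLPR_CLSID = "{02C9B9AB-6372-46C5-B356-773FAF3B6B1E}"  # CLSID listed in the description above


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^(?:@|"([^"]+)")="(.*)"$', line)
        if val_match and current is not None:
            name = val_match.group(1) or "@"
            keys[current][name] = val_match.group(2).replace("\\\\", "\\")  # unescape backslashes
    return keys


def find_suspicious_bhos(keys):
    """Return (clsid, dll_path, reasons) for each registered BHO that matches this dropper's traits."""
    findings = []
    for key in keys:
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        dll_path = keys.get(server_key, {}).get("@", "")
        reasons = []
        if clsid.upper() == IEHLPR_CLSID:
            reasons.append("CLSID matches ADSPY/IEHlpr.F.2")
        if "\\fonts\\" in dll_path.lower():
            reasons.append("BHO DLL loaded from the Fonts directory")
        if reasons:
            findings.append((clsid, dll_path, reasons))
    return findings
```

On a live host the same check can be run over an export of the HKLM BHO key together with HKEY_CLASSES_ROOT\CLSID.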

Backdoor

Contact server:
All of the following:
   • http://www.update.coolv.cn/advertise/**********
   • http://www.update.coolv.cn/files/**********
   • http://www.update.coolv.cn/**********

Once connected it will retrieve an additional list of servers.


Sends information about:
   • Computer name
   • CPU speed
   • Current user
   • Free disk space
   • Free memory
   • Size of memory
   • System time
   • Information about the Windows operating system


Remote control capabilities:
   • Visit a website

File details

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Thursday, October 5, 2006
Description updated by Andrei Ivanes on Friday, October 27, 2006
