Virus: ADSPY/Boran.O.1
Date discovered: 05/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 131.072 Bytes
MD5 checksum: 3c6f191fe0a913c40E7139d66ba0f7ac
VDF version: 6.35.01.09
IVDF version: 6.35.01.09

General

Method of propagation:
   • No own spreading routine


Alias:
   •  Eset: Win32/Adware.Boran


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Registry modification
   • Makes use of software vulnerability

Files

It tries to download some files:

The location is the following:
   • http://www.update.borlander.cn/updadini/**********
It is saved on the local hard drive under: %malware execution directory%\updadini.ini. Furthermore, this file gets executed after it has been fully downloaded. It may contain further download locations and might serve as a source for new threats.

The location is the following:
   • http://www.update.borlander.cn/updstd/**********
It is saved on the local hard drive under: %malware execution directory%\updstdex.ini. Furthermore, this file gets executed after it has been fully downloaded.

The location is the following:
   • http://www.update.borlander.cn/updstd/**********
It is saved on the local hard drive under: %malware execution directory%\updstdup.ini. Furthermore, this file gets executed after it has been fully downloaded. It may contain further download locations and might serve as a source for new threats.

Registry

It registers a browser helper object (BHO) by adding the following key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
   • @="stdup"



The following registry keys are added:

[HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\InprocServer32]
   • @="%malware execution directory%\%executed file%"
   • "ThreadingModel"="Apartment"

[HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\ProgID]
   • @="Ad.AxObj.1"

[HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\Programmable]
[HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\TypeLib]
   • @="{22F87D75-7DD1-4545-94B3-CA80C0F462C6}"

[HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\
   VersionIndependentProgID]
   • @="Ad.AxObj"

[HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0]
   • @="Ad 1.0 Type Library"

[HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\0\win32]
   • @="%malware execution directory%\%executed file%"

[HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\FLAGS]
   • @="0"

[HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\HELPDIR]
   • @="%malware execution directory%"

[HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}]
   • @="IAxObj"

[HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\
   ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\
   ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\TypeLib]
   • @="{22F87D75-7DD1-4545-94B3-CA80C0F462C6}"
   • "Version"="1.0"

[HKCR\Ad.AxObj]
   • @="stdup"

[HKCR\Ad.AxObj\CLSID]
   • @="{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}"

[HKCR\Ad.AxObj\CurVer]
   • @="Ad.AxObj.1"

[HKLM\SOFTWARE\Stdup]
   • "stdup"="3.2.2.2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   {6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
   • "DisplayName"="WinStdup"
   • "UninstallString"="%SYSDIR%\rundll32.exe %malware execution directory%\%executed file%,Uninstall"

[HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
   • @="stdup"
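As an added example (not part of the Avira description), a PowerShell check a responder could run on a Windows host to look for the registry artifacts and the BHO server DLL listed above. The GUIDs, key names and MD5 come from the description; the `Registry::` paths and the hash comparison are assumptions of this example.

```powershell
# Added example, not part of the Avira description: look for the registry
# artifacts listed above on a Windows host. Run in an elevated PowerShell.
$Clsid    = '{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}'
$TypeLib  = '{22F87D75-7DD1-4545-94B3-CA80C0F462C6}'
$Iface    = '{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}'
$KnownMd5 = '3c6f191fe0a913c40e7139d66ba0f7ac'   # MD5 from the description header

# HKCR has no drive by default, so it is addressed through the Registry:: provider.
$Keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Clsid"
    'HKLM:\SOFTWARE\Stdup'
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$TypeLib"
    "Registry::HKEY_CLASSES_ROOT\Interface\$Iface"
    'Registry::HKEY_CLASSES_ROOT\Ad.AxObj'
)

$Hits = foreach ($Key in $Keys) {
    if (Test-Path -LiteralPath $Key) { $Key }
}

# InprocServer32's default value is the DLL that Explorer and IE load for this BHO.
$Inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
$Dll = $null
if (Test-Path -LiteralPath $Inproc) {
    $Dll = (Get-ItemProperty -LiteralPath $Inproc).'(default)'
}

if (-not $Hits -and -not $Dll) {
    Write-Output 'No ADSPY/Boran.O.1 registry artifacts found.'
    return
}

Write-Output 'Registry artifacts present:'
$Hits | ForEach-Object { Write-Output "  $_" }

if ($Dll) {
    Write-Output "BHO server DLL: $Dll"
    if (Test-Path -LiteralPath $Dll) {
        $Md5 = (Get-FileHash -LiteralPath $Dll -Algorithm MD5).Hash
        # Hash compare is case-insensitive; a mismatch still warrants review,
        # since variants and repacked builds change the hash.
        if ($Md5 -ieq $KnownMd5) { Write-Output '  MD5 matches the sample described above.' }
        else { Write-Output "  MD5 $Md5 differs from the described sample." }
    } else {
        Write-Output '  Registered DLL is missing on disk (orphaned registration).'
    }
}
```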

Backdoor

Contact server:
All of the following:
   • http://www.borlander.com.cn/**********
   • http://www.borlander.com.cn/**********
   • http://www.borlander.com.cn/jsp/**********

Once connected it will retrieve an additional list of servers.
As a result, it may send information and remote control could be provided. This is done via HTTP GET requests to a PHP script.


Sends information about:
   • Current malware status
   • Malware uptime


Remote control capabilities:
   • Visit a website

File details

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Friday, October 6, 2006
Description updated by Andrei Ivanes on Friday, October 27, 2006
