Virus: ADSPY/Boran.O.2
Date discovered: 05/10/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 40.960 Bytes
MD5 checksum: 1f4b04a85768205ae5452415dc843e3d
VDF version: 6.35.01.196
IVDF version: 6.35.01.200 - Friday, September 8, 2006

General
Method of propagation:
   • No own spreading routine


Alias:
   • Eset: Win32/Adware.Boran


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Registry modification
   • Makes use of software vulnerability

Files
It tries to download some files:

– The location is the following:
   • http://www.update.borlander.cn/updadini/**********
It is saved on the local hard drive under: %malware execution directory%\updadini.ini. Furthermore, this file gets executed after it was fully downloaded. This file may contain further download locations and might serve as a source for new threats.

– The location is the following:
   • http://www.update.borlander.cn/updstd/**********
It is saved on the local hard drive under: %malware execution directory%\updstdex.ini. Furthermore, this file gets executed after it was fully downloaded.

– The location is the following:
   • http://www.update.borlander.cn/updstd/**********
It is saved on the local hard drive under: %malware execution directory%\updstdup.ini. Furthermore, this file gets executed after it was fully downloaded. This file may contain further download locations and might serve as a source for new threats.

Registry
It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
   • @="stdup"
The following registry keys are added:

– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\InprocServer32]
   • @="%SYSDIR%\stdup.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\ProgID]
   • @="Ad.AxObj.1"

– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\Programmable]
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\TypeLib]
   • @="{22F87D75-7DD1-4545-94B3-CA80C0F462C6}"

– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\
   VersionIndependentProgID]
   • @="Ad.AxObj"

– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0]
   • @="Ad 1.0 Type Library"

– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\0\win32]
   • @="%malware execution directory%\%executed file%"

– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\FLAGS]
   • @="0"

– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\HELPDIR]
   • @="%malware execution directory%"

– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}]
   • @="IAxObj"

– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\
   ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\
   ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\TypeLib]
   • @="{22F87D75-7DD1-4545-94B3-CA80C0F462C6}"
   • "Version"="1.0"

– [HKCR\Ad.AxObj]
   • @="stdup"

– [HKCR\Ad.AxObj\CLSID]
   • @="{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}"

– [HKCR\Ad.AxObj\CurVer]
   • @="Ad.AxObj.1"

– [HKLM\SOFTWARE\Stdup]
   • "stdup"="3.2.1.8"
   • "regup"="01c6e9b74e600380"
   • "pid"="30574EFA8247A1B90B30060F409F5F5B"
   • "reg"="30574EFA8247A1B90B30060F409F5F5B"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   {6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
   • "DisplayName"="WinStdup"
   • "UninstallString"="%SYSDIR%\rundll32.exe %malware execution directory%\%executed file%,Uninstall"

– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
   • @="stdup"

– [HKLM\SOFTWARE\Stdup\up]
   • "3.2.1.8"="1"
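As an added triage example (not part of Avira's description and not the malware's own code), the following Python parses a text `.reg` export of HKLM and HKCR, follows the BHO registration path described above to the InprocServer32 DLL, and flags entries matching this description's CLSID or a stdup.dll server. The sample export is constructed; the second BHO and its CLSID are fictional.

```python
# Constructed sample of a .reg export (not a real capture): the BHO and CLSID
# keys listed in the description above plus one fictional, unrelated BHO.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
@="stdup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example vendor BHO"
[HKEY_CLASSES_ROOT\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\InprocServer32]
@="C:\\WINDOWS\\system32\\stdup.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\example_bho.dll"
'''

BHO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows\\currentversion"
              "\\explorer\\browser helper objects\\")
BORAN_CLSID = "{6A512BF7-EC78-4E8D-9841-6C02E8FA9838}"  # BHO CLSID from the description


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg text into {lower-cased key path: {value name: string data}}; '@' is the default value."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # only REG_SZ values are kept
                # .reg files escape backslashes and quotes inside string data
                keys[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def installed_bhos(keys: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (CLSID, server DLL) for each registered BHO by resolving CLSID -> InprocServer32."""
    found = []
    for path in keys:
        if path.startswith(BHO_PREFIX):
            clsid = path[len(BHO_PREFIX):]
            server = keys.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32", {})
            found.append((clsid.upper(), server.get("@", "<no InprocServer32>")))
    return found


def suspicious_bhos(keys: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Flag BHOs matching this description's indicators: its CLSID or a stdup.dll server."""
    return [(c, d) for c, d in installed_bhos(keys)
            if c == BORAN_CLSID or d.lower().endswith("\\stdup.dll")]
```

Files written by `reg export` are UTF-16LE, so open them with `encoding="utf-16"` before passing the text to `parse_reg`.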

Backdoor
Contact server:
All of the following:
   • http://www.borlander.com.cn/**********
   • http://www.borlander.com.cn/**********
   • http://www.borlander.com.cn/jsp/**********

Once connected it will retrieve an additional list of servers.
As a result, it may send information, and remote control could be provided. This is done via an HTTP GET request to a PHP script.


Sends information about:
    • Current malware status
    • Malware uptime


Remote control capabilities:
    • Visit a website

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Friday, October 6, 2006
Description updated by Andrei Ivanes on Friday, October 27, 2006
