Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:14/06/2006
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:47.629 Bytes
MD5 checksum:5b00c4a26bfb132b7c5b8692949d227b
VDF version:
IVDF version: - Thursday, June 15, 2006

 General Method of propagation:
   • No own spreading routine

   •  Kaspersky:
   •  TrendMicro: TROJ_VUNDO.BC
   •  Bitdefender: Trojan.Virtumod.T

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a file
   • Drops a malicious file
   • Third party control

 Files It deletes the initially executed copy of itself.

The following files are created:

%SYSDIR%\%seven-digit random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/Virtumonde.B

%TEMPDIR%\removalfile.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry The following registry keys are added:

– [HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
   • @="%SYSDIR%\%seven-digit random character string%.dll"
   • "ThreadingModel"="Both"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   • "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   • "Asynchronous"=dword:00000001
   • "DllName"="%seven-digit random character string%"
   • "Impersonate"=dword:00000000
   • "Logon"="Logon"
   • "Logoff"="Logoff"

 Backdoor Contact server:
All of the following:
   • http://85.12.25.**********

As a result it may send information and remote control could be provided.

Sends information about:
    • Current malware status

Remote control capabilities:
    • Download file

 Injection –  It injects the following file into a process: %SYSDIR%\%seven-digit random character string%.dll

    All of the following processes:
   • explorer.exe

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own files

Description inserted by Marius T. Nicolae on Wednesday, September 6, 2006
Description updated by Andrei Ivanes on Tuesday, December 5, 2006

Back . . . .