Virus:BDS/VB.awr.35
Date discovered:19/03/2007
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:420.299 Bytes
MD5 checksum:ecf789e622ab53b9761595f51e63423a
VDF version:6.38.00.74
IVDF version:6.38.00.76 - Monday, March 19, 2007

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Backdoor.Win32.VB.awr
   •  F-Secure: Backdoor.Win32.VB.awr


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\scvhost.exe



The following files are created:

Non malicious file:
   • %WINDIR%\MSWINSCK.OCX

   • %SYSDIR%\offlog.txt
This file contains collected keystrokes.

Registry
The following registry keys are added in order to run the processes after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES]
   • "Windows Update"="%WINDIR%\scvhost.exe"
   • "msconfig"="%WINDIR%\scvhost.exe"
   • "icq lite"="%WINDIR%\scvhost.exe"
   • "Update Checker"="%WINDIR%\scvhost.exe"
   • "AntiVir"="%WINDIR%\scvhost.exe"
   • @="%WINDIR%\scvhost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Update"="%WINDIR%\scvhost.exe"
   • "msconfig"="%WINDIR%\scvhost.exe"
   • "icq lite"="%WINDIR%\scvhost.exe"
   • "Update Checker"="%WINDIR%\scvhost.exe"
   • "AntiVir"="%WINDIR%\scvhost.exe"
   • @="%WINDIR%\scvhost.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "run"="%WINDIR%\scvhost.exe"

Hosts
The host file is modified as explained:

In this case existing entries are deleted.

Access to the following domains is effectively blocked:
   • dl1.avgate.net
   • dl2.avgate.net
   • dl3.avgate.net
   • dl4.avgate.net
   • dl5.avgate.net
   • dl6.avgate.net
   • dl7.avgate.net
   • dl8.avgate.net
   • dl9.avgate.net
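A detection check for the registry persistence and hosts-file indicators listed above, added here as an example and not part of Avira's description: it scans a hosts file and a .reg export for the avgate.net redirects and for autostart values pointing at scvhost.exe. The 127.0.0.1 address and the C:\WINDOWS path in the constructed samples are assumptions; the page names only the domains and %WINDIR%.

```python
import re

# Indicators taken from the description above. %WINDIR% is already resolved
# in a real export (e.g. C:\WINDOWS, an assumption), so only the file name is matched.
DROPPED_NAME = "\\scvhost.exe"  # note the letter swap vs. the real svchost.exe
BLOCKED_DOMAINS = {f"dl{i}.avgate.net" for i in range(1, 10)}
RUN_KEYS = {  # compared case-insensitively after normalising hive names
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows nt\currentversion\windows",
}

def hosts_hijacks(hosts_text: str) -> list:
    """Return the avgate.net domains a hosts file redirects. Any address
    counts: the page says they are blocked, not which address is used."""
    found = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comment, tokenise
        for name in fields[1:]:                 # fields[0] is the address
            if name.lower() in BLOCKED_DOMAINS:
                found.add(name.lower())
    return sorted(found)

def run_key_hijacks(reg_export: str) -> list:
    """Scan a .reg-style export for autostart values under the three keys
    above whose data ends in \\scvhost.exe. Returns (key, name, data)."""
    hits, key, in_scope = [], None, False
    for line in reg_export.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            norm = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
            in_scope = norm.lower() in RUN_KEYS
            continue
        m = re.match(r'^(@|"[^"]*")="(.*)"$', line)
        if in_scope and m:
            data = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
            if data.lower().endswith(DROPPED_NAME):
                hits.append((key, m.group(1).strip('"'), data))
    return hits

# Constructed samples mimicking an infected machine (not real captures).
SAMPLE_HOSTS = "127.0.0.1 dl1.avgate.net\n127.0.0.1 dl2.avgate.net dl3.avgate.net # two\n127.0.0.1 localhost\n"
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\scvhost.exe"
"Benign"="C:\\Program Files\\tool.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\scvhost.exe"'''
```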


Backdoor
Contact server:
The following:
   • arcrol3**********:1338

As a result, it may send out the collected information, and remote control of the system could be provided.

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Gabriel Mustata on Friday, March 16, 2007
Description updated by Andrei Gherman on Monday, March 26, 2007
