Virus: TR/Agent.172032.6
Date discovered: 16/04/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 172,032 Bytes
MD5 checksum: 50fcc03125d42d7e1251d006eba8b12a
VDF version: 6.38.00.220
IVDF version: 6.38.00.224 - Monday, April 16, 2007
General
• No own spreading routine

Aliases:
• Mcafee: W32/Zaflen.a
• Kaspersky: Worm.Win32.VB.gr
• F-Secure: Worm.Win32.VB.gr
• Sophos: W32/Lovelet-AD
• Panda: W32/Nedro.C.worm
• Eset: Win32/VB.BP
• Bitdefender: Win32.Worm.VB.TC

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications (terminates the processes listed below)
• Drops malicious files
• Modifies the registry (autostart entries, Explorer policies, file-class hijacking)

Files
It copies itself to the following locations (several copies use system-process names such as lsass.exe, services.exe and csrss.exe, and document-like names with .scr/.com extensions):
• %WINDIR%\lsass.exe
• %SYSDIR%\mskernel.exe
• %WINDIR%\setup\mskernel.exe
• %WINDIR%\services.exe
• %WINDIR%\gorgle\csrss.exe
• %ALLUSERSPROFILE%\Desktop\Microsoft Word Document.scr
• %ALLUSERSPROFILE%\Start Menu\Programs\Microsoft Word Document.scr
• %ALLUSERSPROFILE%\Start Menu\New Microsoft Word Document.scr
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\folderwiz.com
• %HOME%\NetHood\Hot Picture.com
• %HOME%\My Documents\My Picture.com
• %HOME%\PrintHood\Printing Information.com
• %HOME%\Recent\New Microsoft Word Document.scr
• %HOME%\SendTo\Image Editor.com
• %HOME%\Start Menu\Image Viewer.com
• %HOME%\My Documents\MyPictures\mskernel.exe
• %HOME%\My Documents\Rated R Pictures.com
• %WINDIR%\AutoRun.ini
• C:\CoolWorld.exe
• %WINDIR%\agila.scr
• %HOME%\Local Settings\Application Data\Microsoft\CD Burning\CoolWorld.exe

The following file is created:
– C:\autorun.inf
This is a plain text file that contains no code of its own; with AutoRun enabled, opening or exploring the drive launches the dropped CoolWorld.exe. Its content:
• [autorun]
open=CoolWorld.exe
shell\open=Open
shell\open\Command=CoolWorld.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=CoolWorld.exe

Registry
The following registry entries are added in order to run the dropped files after reboot:
– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Shell="explorer.exe "%WINDIR%\services.exe""
• Userinit="%SYSDIR%\userinit.exe,%WINDIR%\gorgle\csrss.exe,"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
• (Default)="%SYSDIR%\mskernel.exe"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• (Default)="\WINDOWS\lsass.exe"
• WinRun="%WINDIR%\AutoRun.ini"

The following registry keys are added:
– [HKCR\Folder\shell\About Us\Command]
– [HKLM\Software\Microsoft\Windows\System\Malicious]
• Sams32="0212"

The following registry keys are changed:

Various Explorer settings (the Run policy value enables the Policies\Explorer\Run autostart list added above; the two No* values hide Folder Options and the Run dialog):
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• Run=dword:00000001
• NoFolderOptions=dword:00000001
• NoRun=dword:00000001

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools=dword:00000001

File-class hijacking (opening a file of these types starts the dropped mskernel.exe instead of the registered handler; note that the new command does not pass the document via "%1"):
– [HKCR\avifile\shell\open\command]
New value:
• (Default)=""%WINDIR%\setup\mskernel.exe" "
– [HKCR\piffile\shell\open\command]
New value:
• (Default)=""%WINDIR%\setup\mskernel.exe" "
– [HKCR\artfile\shell\open\command]
New value:
• (Default)=""%WINDIR%\setup\mskernel.exe" "
– [HKCR\datfile\shell\open\command]
New value:
• (Default)=""%WINDIR%\setup\mskernel.exe" "

Extension hiding and file-type disguise (NeverShowExt makes Explorer hide the extension even when "Hide extensions for known file types" is off; the type names and icon make .scr/.com droppers look like Word documents and JPEG images):
– [HKCR\exefile]
New value:
• NeverShowExt=""
– [HKCR\scrfile]
New value:
• NeverShowExt=""
• (Default)="Microsoft Word Document"
– [HKCR\batfile]
New value:
• NeverShowExt=""
– [HKCR\comfile]
New value:
• NeverShowExt=""
• (Default)="JPEG Image"
– [HKCR\comfile\defaulticon]
New value:
• (Default)="shimgvw.dll,3"
– [HKLM\SOFTWARE\Microsoft\Windows]
New value:
• ScanningSystemDrive="False"
– [HKCR\batfile\shell\edit\command]
New value:
• (Default)=hex(2):73,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,20,00,2d,00,73,00,20,00,2d,00,66,00,20,00,2d,00,74,00,20,00,30,00,00,00
(hex(2) is a REG_EXPAND_SZ value in UTF-16LE; these bytes decode to "shutdown -s -f -t 0", so choosing Edit on a .bat file forces an immediate shutdown)
– [HKCR\inifile\shell\open\command]
New value:
• (Default)=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
(decodes to "%1" %*, which executes the .ini file itself rather than opening it in an editor)

Process termination
List of processes that are terminated:
• avgctrl.exe; kav.exe; avgamsvr.exe; avgserv.exe; avgmsvr.exe; avgcc32.exe; avgcc.exe; avginet.exe; avgupsvc.exe; avgemc.exe; avgnt.exe; avgregcl.exe; avgserv9.exe; avgw.exe; alogserv.exe; avsynmgr.exe;
Mpfsheild.exe; MpfAgent.exe; mpf.exe; MpfConsole.exe; mcagent.exe; mcappins.exe; McDash.exe; mcdetect.exe; mcinfo.exe; mcmnhdlr.exe; mcshield.exe; mctskshd.exe; mcupdate.exe; mcvsescn.exe; mcvsshld.exe; avpcc.exe; mcvsftsn.exe; mcvsrte.exe; vstskmgr.exe; vsmain.exe; vshwin32.exe;
pccpfw.exe; pccclient.exe; pcclient.exe; pccguide.exe; pccnt.exe; pccntmon.exe; pccntupd.exe; PcCtlCom.exe; pcscan.exe; avpm.exe; kavsvc.exe; AVENGINE.EXE;
nisserv.exe; NISUM.exe; Navapsvc.exe; NMain.exe; Navapw32.exe; VetMsg.exe; VetTray.exe; Vet32.exe; VetNT.exe; vsmon.exe; zlclient.exe; zapro.exe; zonealarm.exe;
APVXDWIN.EXE; AVLITE.EXE; AVLTMAIN.EXE; AVTASK.EXE; LUPGCONF.EXE; PAVSRV51.EXE; PavPrSrv.exe

File details
Programming language: The malware program was written in Visual Basic.
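The registry changes above are the artefacts a responder would look for on a suspect machine, and two of them are only readable after decoding the hex(2) (REG_EXPAND_SZ) byte lists. The script below is an added example written for this page, not Avira's tooling or code from the malware: it parses a .reg export, decodes hex(2) values, and checks for the classes of change this description lists (Winlogon Shell/Userinit chaining, file-class verb commands that drop "%1", NeverShowExt on executable classes, DisableRegistryTools). The SAMPLE_REG fragment is constructed from the values in the description; the key paths use the long HKEY_* form that regedit exports. The checks are generic rather than tied to the mskernel.exe path, so they also flag other droppers that use the same techniques.

```python
"""Audit a regedit .reg export for the persistence and hijacking
artefacts described in the TR/Agent.172032.6 write-up (added example)."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, object]]

# Constructed .reg fragment mirroring the values in the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\services.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\gorgle\\csrss.exe,"

[HKEY_CLASSES_ROOT\avifile\shell\open\command]
@="\"C:\\WINDOWS\\setup\\mskernel.exe\" "

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@=hex(2):73,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,20,00,2d,00,73,00,\
  20,00,2d,00,66,00,20,00,2d,00,74,00,20,00,30,00,00,00

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\comfile]
"NeverShowExt"=""
@="JPEG Image"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

# File classes whose extension must never be hidden from the user.
EXEC_CLASSES = {"exefile", "scrfile", "batfile", "comfile", "piffile"}


def decode_hex2(payload: str) -> str:
    """Decode a .reg hex(2) byte list (REG_EXPAND_SZ): UTF-16-LE, NUL-terminated."""
    raw = bytes(int(b, 16) for b in re.split(r"[,\s]+", payload.strip()) if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def _unquote(s: str) -> str:
    """Strip the surrounding quotes and undo .reg escaping (\\\" and \\\\)."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def _parse_value(value: str) -> object:
    if value.startswith('"'):
        return _unquote(value)
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex(2):"):
        return decode_hex2(value[7:])
    return value  # other binary types are kept as raw text


def parse_reg(text: str) -> RegTree:
    """Parse a .reg export into {key: {value name: decoded value}}."""
    tree: RegTree = {}
    key = ""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        while line.endswith("\\"):  # hex values wrap with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else _unquote(name)
        tree.setdefault(key, {})[name] = _parse_value(value)
    return tree


def audit(tree: RegTree) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every suspicious entry."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in tree.items():
        k = key.lower()
        if k.endswith("windows nt\\currentversion\\winlogon"):
            shell = values.get("Shell")
            if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
                findings.append((key, "Shell", "Winlogon Shell is not plain explorer.exe"))
            userinit = values.get("Userinit")
            if isinstance(userinit, str):
                parts = [p for p in userinit.split(",") if p.strip()]
                if len(parts) != 1 or not parts[0].strip().lower().endswith("userinit.exe"):
                    findings.append((key, "Userinit", "extra program chained after userinit.exe"))
        if re.search(r"hkey_classes_root\\[^\\]+\\shell\\[^\\]+\\command$", k):
            cmd = values.get("(Default)")
            if isinstance(cmd, str) and "%1" not in cmd:
                findings.append((key, "(Default)", "verb command never passes the document (%1)"))
        m = re.search(r"hkey_classes_root\\([^\\]+)$", k)
        if m and m.group(1) in EXEC_CLASSES and "NeverShowExt" in values:
            findings.append((key, "NeverShowExt", "extension hidden for an executable file class"))
        if k.endswith("policies\\system") and values.get("DisableRegistryTools") == 1:
            findings.append((key, "DisableRegistryTools", "registry editor disabled by policy"))
    return findings


if __name__ == "__main__":
    for key, name, why in audit(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name}: {why}")
```

On a live system, export the relevant hives with `reg export` (or take them from a forensic image) and feed the file to parse_reg; the inifile entry, which decodes to `"%1" %*`, is deliberately not flagged by the "%1" rule, which shows why that rule alone is not sufficient and should be combined with a comparison against known-good default handlers.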
Description inserted by Ernest Szocs on Wednesday, November 7, 2007
Description updated by Ernest Szocs on Thursday, November 8, 2007