Date discovered: 27/03/2008
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 13.824 Bytes
MD5 checksum: d7de4f1f1f388613616ab2f68abeaa62
IVDF version:

General method of propagation:
   • Mapped network drives

Aliases:
   • Mcafee: BackDoor-ACA.b
   • Kaspersky: Worm.Win32.AutoRun.czg
   • F-Secure: Worm.Win32.AutoRun.czg
   • Grisoft: Flooder.EZD
   • Eset: Win32/AutoRun.IX
   • Bitdefender: Trojan.Autorun.PK

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops files
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %recycle bin%\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
   • %drive%:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe

The following files are created:

– Non malicious file:
   • %recycle

– %drive%\autorun.inf
   This is a non malicious text file with the following content:
   • %code that runs malware%

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Active Setup\Installed Components\
   • StubPath="%recycle bin%\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe"
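As an added defender-side example that is not part of Avira's description, the following Python checks the two persistence indicators given above: autorun.inf launch entries (open, shellexecute, shell\<verb>\command) and Active Setup StubPath values that point at an executable inside a RECYCLER\<SID>\ folder. The sample autorun.inf and the GUID subkey names are constructed; because the check runs offline, the StubPath values are passed in as a dict instead of being read from HKLM.

```python
import configparser
import re

# Executable inside a recycle-bin SID folder, the location this description gives
# for ise.exe. RECYCLER is the NT/2000/XP folder name, RECYCLED the 9x/ME one;
# the SID segment is matched generally rather than pinned to one value.
RECYCLER_EXE = re.compile(
    r"(?i)(?:^|[\\/])RECYCLE[RD][\\/]S-1-5-[\d-]+[\\/][^\\/\s]+\.(?:exe|com|scr|bat|cmd|pif)\b"
)

# Constructed autorun.inf of the shape the description outlines (not a real capture).
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed Active Setup\Installed Components entries; the GUIDs are placeholders.
SAMPLE_STUBPATHS = {
    "{CONSTRUCTED-GUID-1}": "C:\\WINDOWS\\system32\\benign_setup.exe /quiet",
    "{CONSTRUCTED-GUID-2}": "C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise.exe",
}


def is_recycler_executable(command: str) -> bool:
    """True when a command or path launches an executable under RECYCLER\\<SID>\\."""
    return RECYCLER_EXE.search(command) is not None


def autorun_commands(inf_text: str) -> dict:
    """Launch-capable keys of an autorun.inf: open, shellexecute, shell\\<verb>\\command.
    interpolation=None keeps %SystemRoot%-style values literal; keys come back lowercased."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(inf_text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[autorun]\n" + inf_text)  # tolerate a header-less file
    if not parser.has_section("autorun"):
        return {}
    return {k: v.strip() for k, v in parser.items("autorun")
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)}


def suspicious_autorun_entries(inf_text: str) -> list:
    """(key, value) pairs whose launch target sits in a recycle-bin SID folder."""
    return [(k, v) for k, v in autorun_commands(inf_text).items() if is_recycler_executable(v)]


def suspicious_stubpaths(stubpaths: dict) -> list:
    """Active Setup subkeys whose StubPath launches from a recycle-bin SID folder."""
    return sorted(guid for guid, cmd in stubpaths.items() if is_recycler_executable(cmd))
```

Run against a live host, the same two functions would take the autorun.inf read from each mapped drive root and the StubPath values enumerated from HKLM\Software\Microsoft\Active Setup\Installed Components.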

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Port: 7000
Server password: trb123trb
Channel: #hisham#
Nickname: %random character string%

– Furthermore it has the ability to perform actions such as:
   • Connect to IRC server
   • Join IRC channel
   • Perform DDoS attack

Injection
It injects itself as a remote thread into a process.

   Process name:

If successful, the malware process terminates while the injected part remains active.

Description inserted by Andrei Gherman on Wednesday, August 6, 2008
Description updated by Andrei Gherman on Wednesday, August 6, 2008
