Virus: EXP/MS08-067.C
Date discovered: 11/11/2008
Type: Exploit
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Low
Damage potential: Medium
Static file: No
File size: ~ 19.533 Bytes
IVDF version: 7.01.00.66 - Tuesday, November 11, 2008

General method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Downloader
   •  Kaspersky: Trojan-Downloader.Win32.Agent.aoxg
   •  TrendMicro: TROJ_MAXIMUS.AO
   •  F-Secure: Trojan-Downloader.Win32.Agent.aoxg
   •  Sophos: Exp/MS08067-A
   •  Bitdefender: Exploit.MS08-067.D
   •  Grisoft: Agent.ALNC
   •  Eset: Win32/Exploit.MS08-067.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Makes use of software vulnerability
      •  http://technet.microsoft.com/en-us/security/advisory/958963

Files
The following file is created:

%TEMPDIR%\suchots.exe
Furthermore, it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Expl.IMG-WMF.EX.2

It tries to download a file:

– The location is the following:
   • http://down.yznylsf.cn/**********/ko.exe

It is saved on the local hard drive under: %malware execution directory%\ko.exe
Furthermore, this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.XDR.Gen

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • FSG

Description inserted by Thomas Wegele on Wednesday, November 19, 2008
Description updated by Philipp Wolf on Friday, September 9, 2011