Date discovered: 04/12/2008
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 449.024 Bytes
MD5 checksum: 0Aa203943d1e264973b2993ca09ef4c3
IVDF version:

General
Method of propagation:
   • Email

Aliases:
   •  Symantec: W32.Ackantta@mm
   •  Mcafee: W32/Xirtem@MM virus !!!
   •  Kaspersky: Trojan-Banker.Win32.Banker.abbi
   •  Grisoft: Downloader.Agent.APQJ
   •  Bitdefender: Win32.Worm.McMaggot.A

It was previously detected as:
   •  TR/Dropper.Gen

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\vxworks.exe

The following file is created:
   • %SYSDIR%\qnx.exe
It is executed as soon as it has been fully written. Further investigation showed that this file is malware, too, detected as BDS/McMaggot.A.

Registry
One of the following values is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Wind River Systems" = "c:\windows\system32\vxworks.exe"

The following registry keys are changed:

– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   New value:
   • "c:\windows\system32\vxworks.exe" = "c:\windows\system32\vxworks.exe:*:Enabled:Explorer"
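The two registry artifacts above combine autorun persistence with a Windows Firewall exception for the same binary. The following detection helper is an added example, not part of the Avira description: it parses exception entries in the XP-era AuthorizedApplications list format (assumed here to be `<path>:<scope>:<Enabled|Disabled>:<display name>`, which the listed value matches) and reports any autorun binary that also holds an enabled exception. The registry values are constructed sample data built from the paths in the description plus two benign decoys.

```python
import re

# Constructed sample data modelled on the artifacts listed in the description:
# Run key name/value pairs and firewall AuthorizedApplications\List entries.
RUN_KEY_VALUES = {
    "Wind River Systems": r"c:\windows\\system32\\vxworks.exe",  # doubled backslashes as exported
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",             # benign decoy
}
FIREWALL_LIST_VALUES = {
    r"c:\windows\system32\vxworks.exe":
        r"c:\windows\system32\vxworks.exe:*:Enabled:Explorer",
    r"%windir%\system32\sessmgr.exe":                             # benign decoy
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
}


def normalize_path(path):
    """Strip quotes, collapse doubled backslashes and lower-case the path so
    values exported from different keys compare equal (Windows paths are
    case-insensitive)."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"')).lower()


def parse_firewall_exception(value):
    """Split an exception entry of the assumed form
    <path>:<scope>:<Enabled|Disabled>:<display name>.
    The path contains a drive colon, so split from the right."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": normalize_path(path), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def find_autorun_with_firewall_exception(run_values, fw_values):
    """Return enabled firewall exceptions whose binary is also registered
    for autorun, the combination this worm sets up for vxworks.exe."""
    autorun = {normalize_path(v) for v in run_values.values()}
    hits = []
    for raw in fw_values.values():
        entry = parse_firewall_exception(raw)
        if entry["enabled"] and entry["path"] in autorun:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_autorun_with_firewall_exception(RUN_KEY_VALUES, FIREWALL_LIST_VALUES):
        print("autorun binary with firewall exception:", hit["path"], "as", hit["name"])
```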

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described below:

The sender address is spoofed.
The sender of the email is one of the following:

The subject is one of the following:
   • Coca Cola is proud to accounce our new Christmas Promotion.
   • Mcdonalds wishes you Merry Christmas!
   • You've received A Hallmark E-Card!

The filename of the attachment is one of the following:

The attachment is an archive containing a copy of the malware itself.

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Alexander Neth on Thursday, December 4, 2008
Description updated by Alexander Neth on Thursday, December 4, 2008
