Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:04/12/2008
Type:Backdoor Server
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:157.184 Bytes
MD5 checksum:f596b22087d6404d538825413e266131
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Symantec: W32.Ackantta@mm
   •  Mcafee: W32/Xirtem@MM virus !!!
   •  Kaspersky: Trojan.Win32.Agent.asdj
   •  Grisoft: Downloader.Agent.APQJ
   •  Bitdefender: Backdoor.Bot.67413

It was previously detected as:
   •  TR/Dropper.Gen

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a file
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

 Files The following file is created:


 Registry –  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • QnX"="c:\%malware execution directory%\qnx.exe

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   • "QnX"="c:\%malware execution directory%\qnx.exe"

The following registry keys are added in order to load the service after reboot:

– HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   • "StubPath"="\"c:\%malware execution directory%\qnx.exe\""

 Backdoor Contact server:
The following:
   • web1.**********.org

As a result it may send information and remote control could be provided.

Sends information about:
    • Information about running processes
    • Start keylog

 Stealing It tries to steal the following information:
– Passwords typed into 'password input fields'

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Alexander Neth on Thursday, December 4, 2008
Description updated by Alexander Neth on Thursday, December 4, 2008

Back . . . .