Virus: TR/Disabler.i.50
Date discovered: 13/03/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
File size: 29.377 Bytes
MD5 checksum: 89c3f6763a379f4cf7ba0766b4798c26
VDF version: 7.01.02.164
IVDF version: 7.01.02.171 - Friday, March 13, 2009

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: BackDoor-DIY
   •  Kaspersky: Trojan.Win32.Disabler.i
   •  F-Secure: Trojan.Win32.Disabler.i
   •  Eset: Win32/Disabler.I
   •  Bitdefender: Trojan.RegistryDisabler


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %home%\Start Menu\Programs\Startup\systemID.pif
   • %SYSDIR%\Flashy.exe

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Flashy Bot="%SYSDIR%\Flashy.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • NoFolderOptions=dword:00000001



The following registry keys are changed:

Deactivate the Windows XP Firewall:
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess]
   New value:
   • Start=dword:00000004

Disable Regedit and Task Manager:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • DisableTaskMgr=dword:00000001
   • DisableRegistryTools=dword:00000001

Hide file extensions and hidden files in Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • HideFileExt=dword:00000001
   • Hidden=dword:00000002

Backdoor
The following port is opened:

– net.exe on TCP port 23 in order to provide a remote shell.
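The following PowerShell script is an added, defender-side example and is not part of the Avira description: it checks a Windows host, read-only, for the artefacts listed above (the two dropped files, the registry values, and a listener on TCP port 23). It assumes that %home% maps to $env:USERPROFILE with the Windows XP-era "Start Menu\Programs\Startup" layout and that %SYSDIR% maps to %SystemRoot%\System32; both mappings are assumptions, not taken from the page. Removal is left to the antivirus product; the script only reports.

```powershell
# Added example (not Avira's code): report-only check for the TR/Disabler.i.50
# indicators listed in the description. Run in an elevated PowerShell session.
$findings = @()

# 1. Dropped files. %home% -> $env:USERPROFILE and %SYSDIR% -> System32 are assumptions.
$files = @(
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\systemID.pif'),
    (Join-Path $env:SystemRoot 'System32\Flashy.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Registry values. Key, value name and the data that indicates infection
#    are exactly the ones from the description above.
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'Flashy Bot';           Bad = '*Flashy.exe*' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess';                  Name = 'Start';                Bad = 4 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisableTaskMgr';       Bad = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Bad = 2 }
)
foreach ($c in $regChecks) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $actual = $v.($c.Name)
        # String patterns use wildcard matching, numeric values exact comparison.
        $hit = if ($c.Bad -is [string]) { $actual -like $c.Bad } else { $actual -eq $c.Bad }
        if ($hit) { $findings += "Registry: $($c.Key)\$($c.Name) = $actual" }
    }
}

# 3. Listener on TCP 23 (the remote shell). netstat -ano is used instead of
#    Get-NetTCPConnection because the latter is absent on the older systems listed.
$listener = netstat -ano |
    Select-String -Pattern '^\s*TCP\s+\S+:23\s+\S+\s+LISTENING\s+(\d+)' |
    Select-Object -First 1
if ($listener) {
    $pid23 = $listener.Matches[0].Groups[1].Value   # $pid is reserved in PowerShell
    $proc  = Get-Process -Id $pid23 -ErrorAction SilentlyContinue
    $findings += "TCP 23 LISTENING, PID $pid23 ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) { 'No TR/Disabler.i.50 indicators found.' } else { $findings }
```

A hit on the SharedAccess Start=4 value or on the Policies\Explorer values alone is not proof of this particular trojan, since administrators and other malware set the same values; the combination with the Flashy Bot Run entry, the Flashy.exe file, or a process listening on TCP 23 is what ties a host to this description.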

Miscellaneous
Mutex:
It creates the following mutex:
   • ||Flashy||

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • FSG 2.00

Description inserted by Ana Maria Niculescu on Monday, May 4, 2009
Description updated by Ana Maria Niculescu on Monday, May 4, 2009