Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:02/12/2008
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:8.704 Bytes
MD5 checksum:31ddc2ae38061b3b03571fd7f28ab788
IVDF version:

 General Aliases:
   •  Sophos: Troj/Drop-AD
   •  Grisoft: SHeur.CRFI

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Access to floppy disk
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\afido.exe
   • %drive%\afido.exe

It creates the following directory:
   • %TEMPDIR%\%random character string%.tmp

It deletes the following file:
   • %drive%\Autorun.inf

The following files are created:

%TEMPDIR%\%random character string%\b2e.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
%TEMPDIR%\%random character string%\batfile.bat

It tries to executes the following files:

– Filename:
   • %TEMPDIR%\%random character string%\b2e.exe
Furthermore it contains malicious code.

– Filename:
   • %TEMPDIR%\%random character string%\batfile.bat

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "opesys"="%SYSDIR%\afido.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\
   • @="@SYS:DoesNotExist"

 File details Programming language:
The malware program was written in Assembler.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Petre Galan on Tuesday, July 7, 2009
Description updated by Petre Galan on Monday, August 17, 2009

Back . . . .