Virus:TR/Autorun.142336
Date discovered:22/09/2009
Type:Trojan
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:142.336 Bytes
MD5 checksum:32503a19483ea4a61e44386e8979be1b
IVDF version:7.01.06.20 - Tuesday, September 22, 2009

 General Aliases:
   •  Symantec: W32.SillyDC
   •  Mcafee: PWS-Banker trojan !!!
   •  Kaspersky: IM-Worm.Win32.Agent.nz
   •  Sophos: Mal/Generic-A
   •  Eset: Win32/AutoRun.Agent.PE worm
   •  Bitdefender: Trojan.LdPinch.NCX


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Drops a malicious file
   • Registry modification

 Files It copies itself to the following location:
   • %recycle bin%\winse32.exe

 Registry The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
   • "StubPath"="%recycle bin%\winse32.exe"

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********.dns2go.com
Port: 7000
Server password: 01470147
Nickname: hmvzcv

 Injection – It injects a backdoor routine into a process.

    Process name:
   • %WINDIR%\explorer.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, October 15, 2009

Back . . . .