Virus: Worm/aut.pzo.42496
Date discovered: 07/10/2008
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 42.496 Bytes
MD5 checksum: 3dd62cac84240e01681cf5887e0ee5da
IVDF version: 7.00.07.04 - Tuesday, October 7, 2008

General Aliases:
   •  Panda: W32/Autorun.AEE.worm
   •  Eset: Win32/TrojanDownloader.FakeAlert.LF
   •  Bitdefender: Win32.Worm.Autorun.MG


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %PROGRAM FILES%\Microsoft Common\wuauclt.exe



It deletes the initially executed copy of itself.



The following files are created:
   • %SYSDIR%\lowsec\user.ds
   • %SYSDIR%\lowsec\local.ds
   • %SYSDIR%\sdra64.exe
     Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.ZPACK.Gen
   • %TEMPDIR%\rld10.tmp
     Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.ZPACK.Gen




It tries to download some files:

The locations are the following:
   • http://aaszxy.ru/load1/**********?v=1&id=76108&rs=%number%&cc=0&uid=1
   • http://aaszxy.ru/load1/**********?v=1&rs=%number%&n=1&uid=1


The location is the following:
   • http://aaszxr.ru/us/**********
Further investigation pointed out that this file is malware, too.

The locations are the following:
   • http://001.bladespoon.cn/z28/a**********
   • http://001.bladespoon.cn/z28/c**********

Registry
The following registry key is added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\explorer.exe]
   • "Debugger"="%PROGRAM FILES%\Microsoft Common\wuauclt.exe"



The following registry keys are changed:

Deactivate Windows XP Firewall:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\sdra64.exe,"
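The three registry changes listed above (an Image File Execution Options "Debugger" value on explorer.exe, an extra entry appended to Winlogon "Userinit", and "EnableFirewall" set to 0 in the StandardProfile) are exactly the artefacts a defender would look for on a suspected host. The following script is an added example and is not Avira's code: it parses the text of a registry export (as produced by `reg export`) and reports those three indicators. The sample export embedded in the script is constructed for this example; it uses concrete C:\ paths where the description uses the %PROGRAM FILES% and %SYSDIR% placeholders, and the key paths and value names are taken from the description. Real .reg files write the dword as `dword:00000000`; the description writes `0x00000000`, so the check accepts both spellings.

```python
"""Flag the registry persistence and firewall changes listed in this
description inside a .reg export. Added example, not Avira's code."""
import re

# Key paths from the description, written as they appear in a .reg export.
IFEO_EXPLORER = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\Image File Execution Options\explorer.exe")
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_STD = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")

# Constructed sample export (assumption: concrete paths stand in for the
# %PROGRAM FILES% / %SYSDIR% placeholders used in the description).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

# Constructed clean export of the same keys, to show the check stays quiet.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.
    Only quoted string values and dword values are handled, which is all
    this check needs. Doubled backslashes in strings are collapsed."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            keys[current][name] = val
    return keys


def dword_is_zero(val):
    """True for 'dword:00000000' and for the '0x' spelling the description uses."""
    if not val.lower().startswith("dword:"):
        return False
    try:
        return int(val[6:], 16) == 0
    except ValueError:
        return False


def find_indicators(keys):
    """Return (indicator_name, evidence) pairs for the three listed changes."""
    findings = []
    debugger = keys.get(IFEO_EXPLORER, {}).get("Debugger")
    if debugger:
        # Any Debugger value on explorer.exe redirects shell start-up.
        findings.append(("ifeo_debugger_explorer", debugger))
    userinit = keys.get(WINLOGON, {}).get("Userinit")
    if userinit is not None:
        entries = [e.strip() for e in userinit.split(",") if e.strip()]
        extra = [e for e in entries
                 if not e.lower().endswith("\\userinit.exe")
                 and e.lower() != "userinit.exe"]
        if extra:
            findings.append(("winlogon_userinit_extra", ";".join(extra)))
    firewall = keys.get(FIREWALL_STD, {}).get("EnableFirewall")
    if firewall is not None and dword_is_zero(firewall):
        findings.append(("firewall_disabled_standard_profile", firewall))
    return findings


if __name__ == "__main__":
    for name, evidence in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{name}: {evidence}")
    print("clean export:", find_indicators(parse_reg(CLEAN_REG)))
```

The Userinit check treats anything other than userinit.exe itself as suspicious rather than matching sdra64.exe by name, so a renamed dropper is still reported; the IFEO check likewise fires on any Debugger value for explorer.exe, since a legitimate one is rare enough that an analyst should review it.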

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, November 30, 2009
Description updated by Petre Galan on Monday, November 30, 2009
