In the wild:
Low to medium
Low to medium
Medium to high
- Tuesday, February 10, 2009
Methods of propagation:
• Autorun feature
• Local network
• McAfee: W32/Spybot.worm.gen virus
• Sophos: Mal/Generic-A
• Panda: W32/IRCBot.CKA.worm
• ESET: Win32/IRCBot.ANZ
• Bitdefender: Trojan.Generic.1763810
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Drops malicious files
• Registry modification
• Makes use of software vulnerability
• Third party control
It copies itself to the following locations:
It deletes the initially executed copy of itself.
The following files are created:
\autorun.inf This is a non-malicious text file with the following content:
%code that runs malware%
\drivers\sysdrv32.sys Further investigation showed that this file is malware as well. Detected as: TR/Hacktool.Tcpz.A
The following registry key is added in order to run the process after reboot:
• "Description"="Provides control and info about management."
• "DisplayName"="WMI Management App"
The following registry keys are added in order to load the service after reboot:
• "DisplayName"="Play Port I/O Driver"
• "Group"="SST miniport drivers"
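The service values quoted above are usable host indicators: a "WMI Management App" service and a "Play Port I/O Driver" in the "SST miniport drivers" group do not exist on a clean Windows installation. The following added example (editor's code, not Avira's analysis tooling) parses an exported .reg file of the services hive and flags entries matching those values or an image path ending in \drivers\sysdrv32.sys or \wmiprvse.exe. Assumptions not stated on the page: the hive path HKLM\SYSTEM\CurrentControlSet\Services (where a boot-time service or driver must be registered), the service key names wmiprvse and sysdrv32, the ImagePath values, and the sample export itself, which is constructed.

```python
"""Hunt for the worm's service/driver persistence entries in a .reg export.

Added example, not code from the Avira description. Only the DisplayName,
Description and Group strings come from the page; the hive path, key names,
image paths and the export below are constructed for illustration.
"""

# Constructed export: one legitimate WMI service plus the two worm entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt]
"DisplayName"="Windows Management Instrumentation"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmiprvse]
"Description"="Provides control and info about management."
"DisplayName"="WMI Management App"
"ImagePath"="C:\\WINDOWS\\system32\\wmiprvse.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
"DisplayName"="Play Port I/O Driver"
"Group"="SST miniport drivers"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\sysdrv32.sys"
"Start"=dword:00000001
"""

# Indicator strings taken verbatim from the description above.
IOC_VALUES = {
    "DisplayName": {"WMI Management App", "Play Port I/O Driver"},
    "Description": {"Provides control and info about management."},
    "Group": {"SST miniport drivers"},
}
# The dropped driver, plus the masquerading wmiprvse.exe: the real WMI provider
# host is never registered as a service, so a service image with that name is
# suspicious on its own (assumption, not stated on the page).
IMAGE_SUFFIXES = ("\\drivers\\sysdrv32.sys", "\\wmiprvse.exe")


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.

    Handles quoted strings (REG_SZ) and leaves other types (dword:, hex:)
    as their raw text. .reg files escape backslashes as '\\\\'.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\")
            else:
                value = raw
            keys[current][name] = value
    return keys


def hunt(keys):
    """Return [(service_name, [reasons])] for keys matching any indicator."""
    hits = []
    for path, values in keys.items():
        reasons = []
        for name, iocs in IOC_VALUES.items():
            if values.get(name) in iocs:
                reasons.append(f"{name}={values[name]!r}")
        image = values.get("ImagePath", "").lower()
        if image.endswith(IMAGE_SUFFIXES):
            reasons.append(f"ImagePath={values['ImagePath']!r}")
        if reasons:
            hits.append((path.rsplit("\\", 1)[-1], reasons))
    return hits


if __name__ == "__main__":
    for service, reasons in hunt(parse_reg(SAMPLE_REG)):
        print(f"[!] {service}: " + "; ".join(reasons))
```

On a live system the same check runs against `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` taken from a clean boot medium, since the driver hides the running process and may filter registry views on the infected host.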
The following registry key is changed:
(Vulnerability in Server Service)
IP address generation:
It generates random IP addresses that keep the first octet of its own address and randomise the remaining three, then tries to establish a connection to each generated address.
– It attempts to schedule remote execution of the malware on the newly infected machine, using the NetScheduleJobAdd function.
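The target-selection scheme above leaves a distinctive network footprint: one host fans out to many unrelated addresses inside its own /8. The following added example (editor's code, not part of the Avira description) reproduces the worm's address generation and runs a simple fan-out detector over constructed flow records. Assumptions not on the page: the exploited Server service is reached over TCP port 445, the thresholds, and the sample flows, which are constructed with a seeded generator so the run is reproducible.

```python
"""Worm-style same-first-octet target generation and a flow-based detector.

Added example, not code from the Avira description. Port 445 (SMB / Server
service), the thresholds and the flow records are assumptions.
"""
import random
from collections import defaultdict


def generate_targets(own_ip, count, rng):
    """Keep the infected host's first octet, randomise the other three,
    never select the host's own address (as the description states)."""
    first = own_ip.split(".")[0]
    targets = []
    while len(targets) < count:
        candidate = "{}.{}.{}.{}".format(
            first, rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        if candidate != own_ip:
            targets.append(candidate)
    return targets


def detect_same_octet_fanout(flows, port=445, min_hosts=20, min_slash16=8):
    """Flag sources that contacted many distinct hosts sharing their first
    octet, spread over many /16s, on the given port. A normal client talks
    to a handful of servers; a worm sweeping its /8 does not. Returns
    {source: number_of_distinct_targets}."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port and src.split(".")[0] == dst.split(".")[0]:
            seen[src].add(dst)
    flagged = {}
    for src, dsts in seen.items():
        slash16s = {".".join(d.split(".")[:2]) for d in dsts}
        if len(dsts) >= min_hosts and len(slash16s) >= min_slash16:
            flagged[src] = len(dsts)
    return flagged


def build_sample_flows():
    """Constructed (src, dst, dport) records: one normal workstation and one
    infected host whose targets come from generate_targets()."""
    flows = [
        ("10.0.0.5", "10.0.0.1", 53),          # DNS
        ("10.0.0.5", "10.0.1.20", 445),        # file server, repeated
        ("10.0.0.5", "10.0.1.20", 445),
        ("10.0.0.5", "10.0.1.21", 445),
        ("10.0.0.5", "93.184.216.34", 80),     # web
    ]
    rng = random.Random(2009)  # seeded: same targets every run
    for target in generate_targets("10.0.0.77", 60, rng):
        flows.append(("10.0.0.77", target, 445))
    return flows


if __name__ == "__main__":
    for src, n in detect_same_octet_fanout(build_sample_flows()).items():
        print(f"{src}: {n} distinct same-/8 hosts on tcp/445 - scan pattern")
```

The /16 spread is what separates this from a legitimate host talking to a busy subnet: a file client hits a few servers in one or two /16s, whereas random second and third octets land almost every connection in a different /16.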
To deliver system information and to provide remote control it connects to the following IRC Server:
Server password: 3v1l$
– Furthermore, it can perform actions such as:
• Disable network shares
• Enable network shares
• Perform network scan
The following port is opened:
\wmiprvse.exe on a random TCP port in order to provide an HTTP server.
Hides the following:
– Its own process
To hinder detection and reduce the file size, it is packed with a runtime packer.
Description inserted by Petre Galan on Monday, November 30, 2009
Description updated by Petre Galan on Monday, November 30, 2009