Virus:Worm/Mytob.HT
Date discovered:27/06/2005
Type:Worm
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:66.937 Bytes
MD5 checksum:e1fb8181d12248f0b633fcdda38141f9
IVDF version:6.31.00.110 - Monday, June 27, 2005

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Mytob.gen
   •  Sophos: W32/Mytob-KD
   •  Panda: W32/Mytob.QT.worm
   •  Eset: Win32/Mytob.VT
   •  Bitdefender: Win32.Netsky.DAN@mm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Drops malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\ctech.exe



It overwrites a file.
%SYSDIR%\drivers\etc\hosts

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "WINDOWS SYSTEM"="ctech.exe"



One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "WINDOWS SYSTEM"="ctech.exe"



The following registry key is changed:

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:0x00000004

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Subject:
One of the following:
   • *DETECTED* Online User Violation
   • Important Notification
   • Notice of account limitation
   • Warning Message: Your services near to be closed.
   • You have successfully updated your password
   • YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS
   • Your password has been successfully updated
   • Your password has been updated



Body:
– Contains HTML code.
The body of the email is one of the following:

   •
     
     
Dear user %s,

     
You have successfully updated the password of your %s account.

     
If you did not authorize this change or if you need assistance with your account, please contact %s customer service at: %s

     
Thank you for using %s!
     
The %s Support Team

     





     
+++ Attachment: No Virus (Clean)
     
+++ %s Antivirus - www.%s
     
     

   •
     
     
Dear user %s,

     
It has come to our attention that your %s User Profile ( x ) records are out of date. For further details see the attached document.

     
Thank you for using %s!
     
The %s Support Team

     





     
+++ Attachment: No Virus (Clean)
     
+++ %s Antivirus - www.%s
     
     

   •
     
     
Dear %s Member,

     
We have temporarily suspended your email account %s.

     
This might be due to either of the following reasons:

     
1. A recent change in your personal information (i.e. change of address).
     
2. Submiting invalid information during the initial sign up process.
     
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
     
See the details to reactivate your %s account.

     
Sincerely,The %s Support Team

     





     
+++ Attachment: No Virus (Clean)
     
+++ %s Antivirus - www.%s
     
     

   •
     
     
Dear %s Member,

     
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

     
If you choose to ignore our request, you leave us no choice but to cancel your membership.

     
Virtually yours,
     
The %s Support Team

     





     
+++ Attachment: No Virus found
     
+++ %s Antivirus - www.%s
     
     


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • important-details
   • accepted-password
   • account-details
   • account-info
   • account-password
   • account-report
   • document
   • email-details
   • email-password
   • updated-password
   • new-password
   • approved-password
   • password
   • readme

    The file extension is one of the following:
   • zip
   • pif
   • scr
   • exe
   • cmd
   • bat

The attachment is a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • txt; htm; sht; jsp; cgi; xml; php; dbx; tbb; adb; html; wab


Address generation for TO field:
To generate addresses it uses the following strings:
   • john; josh; alex; michael; james; mike; kevin; david; george; sam;
      andrew; jose; leo; maria; jim; brian; serg; mary; ray; tom; peter;
      robert; bob; jane; joe; dan; dave; matt; steve; smith; stan; bill;
      bob; jack; fred; ted; paul; brent; sales; anna; brenda; claudia;
      debby; helen; jerry; jimmy; julie; linda; michael; frank; adam; sandra

It combines the result with domains that were found in files, which were previously searched for addresses.


Address generation for FROM field:
To generate addresses it uses the following strings:
   • support
   • administrator
   • mail
   • service
   • admin
   • info
   • register
   • webmaster

It combines the result with domains that were found in files, which were previously searched for addresses.


Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • mx
   • mail
   • smtp
   • mx1
   • mxs
   • mail1
   • relay
   • ns
   • gate

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: server.ic**********.com
Port: 5190
Channel: #*legit
Nickname: [XDCC]-%random character string%
Password: legitshit



– This malware has the ability to collect and send information such as:
    • Free disk space
    • Free memory
    • Malware uptime
    • Size of memory
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Join IRC channel
    • Leave IRC channel
    • Updates itself
    • Visit a website

 Hosts The host file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • 127.0.0.1 www.symantec.com; 127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 symantec.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 sophos.com; 127.0.0.1 www.mcafee.com; 127.0.0.1 mcafee.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
      127.0.0.1 viruslist.com; 127.0.0.1 f-secure.com;
      127.0.0.1 www.f-secure.com; 127.0.0.1 kaspersky.com;
      127.0.0.1 kaspersky-labs.com; 127.0.0.1 www.avp.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 avp.com;
      127.0.0.1 www.networkassociates.com; 127.0.0.1 networkassociates.com;
      127.0.0.1 www.ca.com; 127.0.0.1 ca.com; 127.0.0.1 mast.mcafee.com;
      127.0.0.1 my-etrust.com; 127.0.0.1 www.my-etrust.com;
      127.0.0.1 download.mcafee.com; 127.0.0.1 dispatch.mcafee.com;
      127.0.0.1 secure.nai.com; 127.0.0.1 nai.com; 127.0.0.1 www.nai.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 updates.symantec.com;
      127.0.0.1 us.mcafee.com; 127.0.0.1 liveupdate.symantec.com;
      127.0.0.1 customer.symantec.com; 127.0.0.1 rads.mcafee.com;
      127.0.0.1 trendmicro.com; 127.0.0.1 pandasoftware.com;
      127.0.0.1 www.pandasoftware.com; 127.0.0.1 www.trendmicro.com;
      127.0.0.1 www.grisoft.com; 127.0.0.1 www.microsoft.com;
      127.0.0.1 microsoft.com; 127.0.0.1 www.virustotal.com;
      127.0.0.1 virustotal.com; 127.0.0.1 www.amazon.com;
      127.0.0.1 www.amazon.co.uk; 127.0.0.1 www.amazon.ca;
      127.0.0.1 www.amazon.fr; 127.0.0.1 www.paypal.com;
      127.0.0.1 paypal.com; 127.0.0.1 moneybookers.com;
      127.0.0.1 www.moneybookers.com; 127.0.0.1 www.ebay.com;
      127.0.0.1 ebay.com


 Process termination The active processes memory is searched for the following strings. If successful the processes become terminated.:
   • ACKWIN32.EXE; ADAWARE.EXE; ADVXDWIN.EXE; AGENTSVR.EXE; AGENTW.EXE;
      ALERTSVC.EXE; ALEVIR.EXE; ALOGSERV.EXE; AMON9X.EXE; ANTI-TROJAN.EXE;
      ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE; APLICA32.EXE; APVXDWIN.EXE;
      ARR.EXE; ATCON.EXE; ATGUARD.EXE; ATRO55EN.EXE; ATUPDATER.EXE;
      ATUPDATER.EXE; ATWATCH.EXE; AU.EXE; AUPDATE.EXE; AUPDATE.EXE;
      AUTODOWN.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AUTOTRACE.EXE;
      AUTOUPDATE.EXE; AUTOUPDATE.EXE; AVCONSOL.EXE; AVE32.EXE; AVGCC32.EXE;
      AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE; AVGUARD.EXE;
      AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE; AVKWCTl9.EXE;
      AVLTMAIN.EXE; AVNT.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPDOS32.EXE;
      AVPM.EXE; AVPTC32.EXE; AVPUPD.EXE; AVPUPD.EXE; AVSCHED32.EXE;
      AVSYNMGR.EXE; AVWINNT.EXE; AVWUPD.EXE; AVWUPD32.EXE; AVWUPD32.EXE;
      AVWUPSRV.EXE; AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE;
      AVXQUAR.EXE; BACKWEB.EXE; BARGAINS.EXE; BD_PROFESSIONAL.EXE;
      BEAGLE.EXE; BELT.EXE; BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE;
      BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE; BLSS.EXE;
      BOOTCONF.EXE; BOOTWARN.EXE; BORG2.EXE; BPC.EXE; BRASIL.EXE; BS120.EXE;
      BUNDLE.EXE; BVT.EXE; CCAPP.EXE; CCEVTMGR.EXE; CCPXYSVC.EXE; CDP.EXE;
      CFD.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE; CFIAUDIT.EXE;
      CFINET.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE;
      CLEANPC.EXE; CLICK.EXE; CMD32.EXE; CMESYS.EXE; CMGRDIAN.EXE;
      CMON016.EXE; CONNECTIONMONITOR.EXE; CPD.EXE; CPF9X206.EXE;
      CPFNT206.EXE; CTRL.EXE; CV.EXE; CWNB181.EXE; CWNTDWMO.EXE;
      CLAW95CF.EXE; DATEMANAGER.EXE; DCOMX.EXE; DEFALERT.EXE;
      DEFSCANGUI.EXE; DEFWATCH.EXE; DEPUTY.EXE; DIVX.EXE; DLLCACHE.EXE;
      DLLREG.EXE; DOORS.EXE; DPF.EXE; DPFSETUP.EXE; DPPS2.EXE; DRWATSON.EXE;
      DRWEB32.EXE; DRWEBUPW.EXE; DSSAGENT.EXE; DVP95.EXE; DVP95_0.EXE;
      ECENGINE.EXE; EFPEADM.EXE; EMSW.EXE; ENT.EXE; ESAFE.EXE; ESCANHNT.EXE;
      ESCANV95.EXE; ESPWATCH.EXE; ETHEREAL.EXE; ETRUSTCIPE.EXE; EVPN.EXE;
      EXANTIVIRUS-CNET.EXE; EXE.AVXW.EXE; EXPERT.EXE; EXPLORE.EXE;
      F-PROT.EXE; F-PROT95.EXE; F-STOPW.EXE; FAMEH32.EXE; FAST.EXE;
      FCH32.EXE; FIH32.EXE; FINDVIRU.EXE; FIREWALL.EXE; FNRB32.EXE;
      FP-WIN.EXE; FP-WIN_TRIAL.EXE; FPROT.EXE; FRW.EXE; FSAA.EXE; FSAV.EXE;
      FSAV32.EXE; FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE;
      FSGK32.EXE; FSM32.EXE; FSMA32.EXE; FSMB32.EXE; GATOR.EXE; GBMENU.EXE;
      GBPOLL.EXE; GENERICS.EXE; GMT.EXE; GUARD.EXE; GUARDDOG.EXE;
      HACKTRACERSETUP.EXE; HBINST.EXE; HBSRV.EXE; HOTACTIO.EXE;
      HOTPATCH.EXE; HTLOG.EXE; HTPATCH.EXE; HWPE.EXE; HXDL.EXE; HXIUL.EXE;
      IAMAPP.EXE; IAMSERV.EXE; IAMSTATS.EXE; IBMASN.EXE; IBMAVSP.EXE;
      ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IDLE.EXE;
      IEDLL.EXE; IEDRIVER.EXE; IEXPLORER.EXE; IFACE.EXE; IFW2000.EXE;
      INETLNFO.EXE; INFUS.EXE; INFWIN.EXE; INIT.EXE; INTDEL.EXE; INTREN.EXE;
      IOMON98.EXE; ISTSVC.EXE; JAMMER.EXE; JDBGMRG.EXE; JEDI.EXE;
      KAVLITE40ENG.EXE; KAVPERS40ENG.EXE; KAVPF.EXE; KAZZA.EXE;
      KEENVALUE.EXE; KERIO-PF-213-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KERNEL32.EXE; KILLPROCESSSETUP161.EXE;
      LAUNCHER.EXE; LDNETMON.EXE; LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE;
      LNETINFO.EXE; LOADER.EXE; LOCALNET.EXE; LOCKDOWN.EXE;
      LOCKDOWN2000.EXE; LOOKOUT.EXE; LORDPE.EXE; LSETUP.EXE; LUALL.EXE;
      LUALL.EXE; LUAU.EXE; LUCOMSERVER.EXE; LUINIT.EXE; LUSPT.EXE;
      MAPISVC32.EXE; MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE;
      MCUPDATE.EXE; MCUPDATE.EXE; MCVSRTE.EXE; MCVSSHLD.EXE; MD.EXE;
      MFIN32.EXE; MFW2EN.EXE; MFWENG3.02D30.EXE; MGAVRTCL.EXE; MGAVRTE.EXE;
      MGHTML.EXE; MGUI.EXE; MINILOG.EXE; MMOD.EXE; MONITOR.EXE; MOOLIVE.EXE;
      MOSTAT.EXE; MPFAGENT.EXE; MPFSERVICE.EXE; MPFTRAY.EXE; MRFLUX.EXE;
      MSAPP.EXE; MSBB.EXE; MSBLAST.EXE; MSCACHE.EXE; MSCCN32.EXE;
      MSCMAN.EXE; MSCONFIG.EXE; MSDM.EXE; MSDOS.EXE; MSIEXEC16.EXE;
      MSINFO32.EXE; MSLAUGH.EXE; MSMGT.EXE; MSMSGRI32.EXE; MSSMMC32.EXE;
      MSSYS.EXE; MSVXD.EXE; MU0311AD.EXE; MWATCH.EXE; N32SCANW.EXE; NAV.EXE;
      AUTO-PROTECT.NAV80TRY.EXE; NAVAP.NAVAPSVC.EXE; NAVAPSVC.EXE;
      NAVAPW32.EXE; NAVDX.EXE; NAVLU32.EXE; NAVNT.EXE; NAVSTUB.EXE;
      NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NCINST4.EXE; NDD32.EXE;
      NEOMONITOR.EXE; NEOWATCHLOG.EXE; NETARMOR.EXE; NETD32.EXE;
      NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE;
      NETSTAT.EXE; NETUTILS.EXE; NISSERV.EXE; NISUM.EXE; NMAIN.EXE;
      NOD32.EXE; NORMIST.EXE; NORTON_INTERNET_SECU_3.0_407.EXE;
      NOTSTART.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
      NPROTECT.EXE; NPSCHECK.EXE; NPSSVC.EXE; NSCHED32.EXE; NSSYS32.EXE;
      NSTASK32.EXE; NSUPDATE.EXE; NT.EXE; NTRTSCAN.EXE; NTVDM.EXE;
      NTXconfig.EXE; NUI.EXE; NUPGRADE.EXE; NUPGRADE.EXE; NVARCH16.EXE;
      NVC95.EXE; NVSVC32.EXE; NWINST4.EXE; NWSERVICE.EXE; NWTOOL16.EXE;
      OLLYDBG.EXE; ONSRVR.EXE; OPTIMIZE.EXE; OSTRONET.EXE; OTFIX.EXE;
      OUTPOST.EXE; OUTPOST.EXE; OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE;
      PADMIN.EXE; PANIXK.EXE; PATCH.EXE; PAVCL.EXE; PAVPROXY.EXE;
      PAVSCHED.EXE; PAVW.EXE; PCFWALLICON.EXE; PCIP10117_0.EXE; PCSCAN.EXE;
      PDSETUP.EXE; PERISCOPE.EXE; PERSFW.EXE; PERSWF.EXE; PF2.EXE;
      PFWADMIN.EXE; PGMONITR.EXE; PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE;
      POPROXY.EXE; POPSCAN.EXE; PORTDETECTIVE.EXE; PORTMONITOR.EXE;
      POWERSCAN.EXE; PPINUPDT.EXE; PPTBC.EXE; PPVSTOP.EXE; PRIZESURFER.EXE;
      PRMT.EXE; PRMVR.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      PROCEXPLORERV1.0.EXE; PROGRAMAUDITOR.EXE; PROPORT.EXE; PROTECTX.EXE;
      PSPF.EXE; PURGE.EXE; QCONSOLE.EXE; QSERVER.EXE; RAPAPP.EXE; RAV7.EXE;
      RAV7WIN.EXE; RAV8WIN32ENG.EXE; RAY.EXE; RB32.EXE; RCSYNC.EXE;
      REALMON.EXE; REGED.EXE; REGEDIT.EXE; REGEDT32.EXE; RESCUE.EXE;
      RESCUE32.EXE; RRGUARD.EXE; RScash.EXE; RTVSCAN.EXE; RTVSCN95.EXE;
      RULAUNCH.EXE; RUN32DLL.EXE; RUNDLL.EXE; RUNDLL16.EXE; RUXDLL32.EXE;
      SAFEWEB.EXE; SAHAGENT.EXE; SAVE.EXE; SAVENOW.EXE; SBSERV.EXE; SC.EXE;
      SCAM32.EXE; SCAN32.EXE; SCAN95.EXE; SCANPM.EXE; SCRSCAN.EXE;
      SETUPVAMEEVAL.EXE; SETUP_FLOWPROTECTOR_US.EXE; SFC.EXE; SGSSFW32.EXE;
      SH.EXE; SHELLSPYINSTALL.EXE; SHN.EXE; SHOWBEHIND.EXE; SMC.EXE;
      SMS.EXE; SMSS32.EXE; SOAP.EXE; SOFI.EXE; SPERM.EXE; SPF.EXE;
      SPHINX.EXE; SPOLER.EXE; SPOOLCV.EXE; SPOOLSV32.EXE; SPYXX.EXE;
      SREXE.EXE; SRNG.EXE; SS3EDIT.EXE; SSGRATE.EXE; SSG_4104.EXE; ST2.EXE;
      START.EXE; STCLOADER.EXE; SUPFTRL.EXE; SUPPORT.EXE; SUPPORTER5.EXE;
      SVC.EXE; SVCHOSTC.EXE; SVCHOSTS.EXE; SVSHOST.EXE; SWEEP95.EXE;
      SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SYMPROXYSVC.EXE; SYMTRAY.EXE;
      SYSEDIT.EXE; SYSTEM.EXE; SYSTEM32.EXE; SYSUPD.EXE; TASKMG.EXE;
      TASKMO.EXE; TASKMON.EXE; TAUMON.EXE; TBSCAN.EXE; TC.EXE; TCA.EXE;
      TCM.EXE; TDS-3.EXE; TDS2-NT.EXE; TEEKIDS.EXE; TFAK.EXE; TFAK5.EXE;
      TGBOB.EXE; TITANIN.EXE; TITANINXP.EXE; TRACERT.EXE; TRICKLER.EXE;
      TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE; TSADBOT.EXE; TVMD.EXE;
      TVTMD.EXE; UNDOBOOT.EXE; UPDAT.EXE; UPDATE.EXE; UPDATE.EXE;
      UPGRAD.EXE; UTPOST.EXE; VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE;
      VBWIN9X.EXE; VBWINNTW.EXE; VCSETUP.EXE; VET32.EXE; VET95.EXE;
      VETTRAY.EXE; VFSETUP.EXE; VIR-HELP.EXE; VIRUSMDPERSONALFIREWALL.EXE;
      VNLAN300.EXE; VNPC3000.EXE; VPC32.EXE; VPC42.EXE; VPFW30S.EXE;
      VPTRAY.EXE; VSCAN40.EXE; VSCENU6.02D30.EXE; VSCHED.EXE; VSECOMR.EXE;
      VSHWIN32.EXE; VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE;
      VSWIN9XE.EXE; VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE; W9X.EXE;
      WATCHDOG.EXE; WEBDAV.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE;
      WHOSWATCHINGME.EXE; WIMMUN32.EXE; WIN-BUGSFIX.EXE; WIN32.EXE;
      WIN32US.EXE; WINACTIVE.EXE; WINDOW.EXE; WINDOWS.EXE; WININETD.EXE;
      WININIT.EXE; WININITX.EXE; WINLOGIN.EXE; WINMAIN.EXE; WINNET.EXE;
      WINPPR32.EXE; WINRECON.EXE; WINSERVN.EXE; WINSSK32.EXE; WINSTART.EXE;
      WINSTART001.EXE; WINTSK32.EXE; WINUPDATE.EXE; WKUFIND.EXE; WNAD.EXE;
      WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE; WUPDATER.EXE;
      WUPDT.EXE; WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE; ZAPRO.EXE;
      ZAPSETUP3001.EXE; ZATUTOR.EXE; ZONALM2601.EXE; ZONEALARM.EXE;
      _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; CMD.EXE; TASKMGR.EXE; NEC.EXE


 Miscellaneous Anti debugging
It checks if one of the following files are present:
   • \\.\SICE
   • \\.\SIWVID
   • \\.\NTICE
   • \\.\REGSYS
   • \\.\REGVXG
   • \\.\FILEVXG
   • \\.\FILEM
   • \\.\TRW
   • \\.\ICEEXT

If successful, it terminates immediately.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, December 3, 2009
Description updated by Petre Galan on Thursday, December 3, 2009

Back . . . .