Virus: TR/Drop.Decay.atv
Date discovered: 23/10/2009
Type: Trojan
Subtype: Dropper
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 70,656 bytes
MD5 checksum: 3bd03a49f0a4ffd9220e1e1b2890663a
IVDF version: 7.01.06.142 - Friday, October 23, 2009

General Method of propagation:
   • Autorun feature


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following locations:
   • %WINDIR%\conmsyrtl.exe
   • %drive%\driver\usb\usb3.EXE



The following files are created:
   • %drive%\driver\usb\Desktop.ini
   • %drive%\autorun.inf
     This is a plain text file and is not malicious on its own; its purpose is to make the Autorun feature launch the malware when the drive is mounted. It has the following content:
     • %code that runs malware%

Registry:
The following value is added to each of the registry keys below so that the malware is started again after a reboot:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Sistema de Comm"="conmsyrtl.exe"

  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Sistema de Comm"="conmsyrtl.exe"

The value data is a bare file name rather than a full path; it resolves to the %WINDIR%\conmsyrtl.exe copy because the Windows directory is on the default executable search path.



The following registry key is changed (the Windows Firewall list of authorized applications, which exempts the malware from inbound filtering on the standard profile):

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%malware execution directory%\%executed file%"="%malware execution directory%\%executed file%:*:Enabled:Sistema de Comm"

The value data has the form <path>:<scope>:<status>:<display name>; the scope "*" means the exception applies to any remote address, and the display name is the same "Sistema de Comm" used for the Run entries. When checking a machine, confirm which control set is active (HKLM\SYSTEM\Select\Current), since the change is recorded under ControlSet001 rather than CurrentControlSet.
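As an added example that is not part of the Avira description, the following Python script parses a Registry Editor export (.reg text) and reports the two Run values and the firewall exception listed above. The export embedded in the script is constructed for illustration; its path C:\Documents and Settings\user\Desktop\setup.exe merely stands in for %malware execution directory%\%executed file%. Registry Editor writes .reg files as UTF-16 with a byte-order mark, so read a real export with encoding="utf-16" before passing its text in.

```python
import re

# Indicators from the description above (key paths as they appear in a .reg export, lower-cased).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\terminal server"
    r"\install\software\microsoft\windows\currentversion\run",
}
FIREWALL_LIST_KEY = (
    r"hkey_local_machine\system\controlset001\services\sharedaccess\parameters"
    r"\firewallpolicy\standardprofile\authorizedapplications\list"
)
RUN_VALUE_NAME = "Sistema de Comm"
RUN_VALUE_DATA = "conmsyrtl.exe"

# Constructed sample export (not a real capture); the setup.exe path stands in for
# %malware execution directory%\%executed file%. The ctfmon and sessmgr entries are benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sistema de Comm"="conmsyrtl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
"Sistema de Comm"="conmsyrtl.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Desktop\\setup.exe"="C:\\Documents and Settings\\user\\Desktop\\setup.exe:*:Enabled:Sistema de Comm"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
'''

# "name"="data" lines; .reg exports escape backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value name, string data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def parse_firewall_entry(data):
    """Split an AuthorizedApplications\\List value: <path>:<scope>:<status>:<display name>.

    Splitting from the right keeps the drive-letter colon inside the path.
    """
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, status, name = parts
    return {"path": path, "scope": scope, "status": status, "name": name}


def scan_reg_export(text):
    """Return the persistence and firewall-exception indicators found in the export."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if k in RUN_KEYS and (name == RUN_VALUE_NAME or data.lower().endswith(RUN_VALUE_DATA)):
            findings.append({"ioc": "run_persistence", "key": key, "name": name, "data": data})
        elif k == FIREWALL_LIST_KEY:
            entry = parse_firewall_entry(data)
            if entry and entry["name"] == RUN_VALUE_NAME:
                findings.append({"ioc": "firewall_exception", "key": key, **entry})
    return findings


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
```

The Run check matches on either the value name or a data string ending in conmsyrtl.exe, so a variant that renames the value but keeps the file name is still caught; the firewall check keys on the display name, because the path portion is whatever directory the dropper was first executed from.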

P2P:
It searches for directories whose path contains one of the following substrings:
   • winmx\shared\
   • tesla\files\
   • limewire\shared\
   • morpheus\my shared folder\
   • emule\incoming\
   • edonkey2000\incoming\
   • bearshare\shared\
   • grokster\my grokster\
   • icq\shared folder\
   • kazaa lite k++\my shared folder\
   • kazaa lite\my shared folder\
   • kazaa\my shared folder\

   If such a directory is found, the following files are created in it:
   • headjobs.scr
   • ilovetofuck.scr
   • FREEPORN.exe
   • fuckshitcunt.scr
   • Autoloader.exe
   • Wireshark.exe
   • DDOSPING.exe
   • ScreenMelter.exe
   • How-to-make-money.exe
   • Ebooks.exe
   • WildHorneyTeens.scr
   • RapidsharePREMIUM.exe
   • LimeWireCrack.exe
   • Porno.MPEG.exe
   • image.scr
   • VistaUltimate-Crack.exe
   • paris-hilton.scr
   • MSNHacks.exe
   • YahooCracker.exe
   • HotmailHacker.exe

   These files are copies of the malware itself.
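As an added example, not code from the Avira description, the following Python script checks a drive root for the dropped Autorun files and walks a directory tree for lure-named copies inside the P2P shared folders listed above, hashing every hit against the published MD5. It builds its own throwaway tree of placeholder files for the demonstration; the autorun.inf body in that tree (open=driver\usb\usb3.EXE) is a constructed stand-in, since the page describes the real content only as %code that runs malware%.

```python
import hashlib
import os
import tempfile

# Indicators from the description above.
KNOWN_MD5 = "3bd03a49f0a4ffd9220e1e1b2890663a"
DRIVE_DROP_FILES = ("autorun.inf", "driver/usb/usb3.EXE", "driver/usb/Desktop.ini")
P2P_SHARE_SUBSTRINGS = (  # stored with forward slashes; paths are normalised before matching
    "winmx/shared/", "tesla/files/", "limewire/shared/", "morpheus/my shared folder/",
    "emule/incoming/", "edonkey2000/incoming/", "bearshare/shared/", "grokster/my grokster/",
    "icq/shared folder/", "kazaa lite k++/my shared folder/", "kazaa lite/my shared folder/",
    "kazaa/my shared folder/",
)
LURE_NAMES = {n.lower() for n in (
    "headjobs.scr", "ilovetofuck.scr", "FREEPORN.exe", "fuckshitcunt.scr", "Autoloader.exe",
    "Wireshark.exe", "DDOSPING.exe", "ScreenMelter.exe", "How-to-make-money.exe", "Ebooks.exe",
    "WildHorneyTeens.scr", "RapidsharePREMIUM.exe", "LimeWireCrack.exe", "Porno.MPEG.exe",
    "image.scr", "VistaUltimate-Crack.exe", "paris-hilton.scr", "MSNHacks.exe",
    "YahooCracker.exe", "HotmailHacker.exe",
)}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _finding(kind, path):
    digest = md5_of(path)
    return {"ioc": kind, "path": path, "md5": digest, "known_sample": digest == KNOWN_MD5}


def autorun_targets(path):
    """Return what an autorun.inf launches: open=, shellexecute= and shell\\<verb>\\command= lines."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            key = key.lower()
            if sep and (key in ("open", "shellexecute") or key.startswith("shell\\")):
                targets.append(value.strip())
    return targets


def scan_drive_root(root):
    """Report the dropper's files on a drive root (a mounted removable drive, say)."""
    findings = []
    for rel in DRIVE_DROP_FILES:
        p = os.path.join(root, *rel.split("/"))
        if os.path.isfile(p):
            f = _finding("autorun_drop", p)
            if rel == "autorun.inf":
                f["launches"] = autorun_targets(p)
            findings.append(f)
    return findings


def is_p2p_share(path):
    norm = path.replace("\\", "/").lower().rstrip("/") + "/"
    return any(s in norm for s in P2P_SHARE_SUBSTRINGS)


def scan_p2p_shares(top):
    """Walk a tree and report lure-named files inside the known P2P shared folders."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        if is_p2p_share(dirpath):
            for name in files:
                if name.lower() in LURE_NAMES:
                    findings.append(_finding("p2p_lure", os.path.join(dirpath, name)))
    return findings


def build_demo_tree():
    """Constructed layout mirroring the description; file bodies are placeholders, not malware."""
    top = tempfile.mkdtemp(prefix="decay_demo_")
    layout = {
        # constructed stand-in: the real autorun.inf content is not published
        "E/autorun.inf": "[autorun]\nopen=driver\\usb\\usb3.EXE\n",
        "E/driver/usb/usb3.EXE": "placeholder",
        "E/driver/usb/Desktop.ini": "[.ShellClassInfo]\n",
        "share/emule/incoming/Wireshark.exe": "placeholder",
        "share/emule/incoming/notes.txt": "benign",
        "share/Documents/image.scr": "lure name, but not in a P2P folder",
    }
    for rel, body in layout.items():
        p = os.path.join(top, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(body)
    return top


def demo():
    """Build the constructed tree and scan it; returns both result lists."""
    top = build_demo_tree()
    return {"drive": scan_drive_root(os.path.join(top, "E")),
            "p2p": scan_p2p_shares(os.path.join(top, "share"))}


if __name__ == "__main__":
    for kind, hits in demo().items():
        for hit in hits:
            print(kind, hit)
```

Because the sample is packed and the P2P copies are copies of the file itself, the MD5 comparison identifies this exact build; a repacked variant keeps the same file names and drop paths, which is why the scanner reports a hit on name and location even when the hash does not match.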

Messenger:
It also spreads via the following instant-messaging clients:
   • AIM Messenger
   • MSN Messenger

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: ns3.metr**********.com
Port: 6567
Server password: pr1v4d0onl1n3r
Channel: #delawich#
Nickname: [SH|USA|00|P|%number%]
Password: c1rc0s0leil

Port 6567 lies outside the usual IRC range (6660-6669), so outbound connections to it stand out in flow logs even before the IRC payload is inspected.


Furthermore it has the ability to perform actions such as:
   • Launch a DDoS SYN flood
   • Download a file
   • Update itself
   • Visit a website
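As an added example that is not part of the Avira description, the following Python script matches client-to-server IRC lines against the C2 parameters above. The description names only the trailing number of the nickname as variable, so the rest of it is matched literally; it also does not say where the second password (c1rc0s0leil) is used, so the script flags that string wherever it appears as a token. Both sessions embedded in it are constructed, not captures.

```python
import re

# C2 parameters from the description above. Only the trailing number of the
# nickname is described as variable, so everything else is matched literally.
IRC_PORT = 6567
SERVER_PASSWORD = "pr1v4d0onl1n3r"
CHANNEL = "#delawich#"
SECOND_PASSWORD = "c1rc0s0leil"  # where the bot sends this is not stated on the page
NICK_RE = re.compile(r"^\[SH\|USA\|00\|P\|\d+\]$")

# "[@tags ][:prefix ]COMMAND params" as sent by an IRC client
_CMD_RE = re.compile(r"^(?:@\S+ )?(?::\S+ )?([A-Za-z]+)\s*(.*)$")
_CHANNEL_CMDS = ("JOIN", "PART", "PRIVMSG", "NOTICE")


def classify_irc_line(line):
    """Return the set of indicator names one client-to-server IRC line matches."""
    hits = set()
    m = _CMD_RE.match(line.strip())
    if not m:
        return hits
    cmd, rest = m.group(1).upper(), m.group(2)
    args = rest.split()
    if cmd == "PASS" and args and args[0].lstrip(":") == SERVER_PASSWORD:
        hits.add("server_password")
    elif cmd == "NICK" and args and NICK_RE.match(args[0].lstrip(":")):
        hits.add("bot_nickname")
    elif cmd in _CHANNEL_CMDS and args and CHANNEL in args[0].split(","):
        hits.add("c2_channel")
    # the second password may be a JOIN key or sent elsewhere; flag it as a token anywhere
    if SECOND_PASSWORD in re.split(r"[\s,:]+", rest):
        hits.add("second_password")
    return hits


def scan_session(lines, dst_port=None):
    """Score one TCP session's client lines; returns matched indicators and a verdict."""
    hits = set()
    for line in lines:
        hits |= classify_irc_line(line)
    if dst_port == IRC_PORT:
        hits.add("c2_port")
    # the bot-format nick plus the channel or either secret is conclusive; the port alone is not
    verdict = "bot_nickname" in hits and bool(hits & {"server_password", "second_password", "c2_channel"})
    return {"indicators": sorted(hits), "verdict": verdict}


# Constructed sessions (not real captures).
BOT_SESSION = [
    "PASS pr1v4d0onl1n3r",
    "NICK [SH|USA|00|P|4821]",
    "USER SH 0 * :SH",
    "JOIN #delawich# c1rc0s0leil",
    "PRIVMSG #delawich# :[SH] online",
]
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #python",
    "PRIVMSG #python :hi",
]

if __name__ == "__main__":
    print(scan_session(BOT_SESSION, dst_port=6567))
    print(scan_session(BENIGN_SESSION, dst_port=6667))
```

The same literals translate directly into IDS content matches on the PASS, NICK and JOIN lines; the verdict rule deliberately requires the nickname format plus one of the secrets or the channel, so a legitimate IRC client that happens to use the port is not flagged on its own.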

File details:
Runtime packer: to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, February 3, 2010
Description updated by Petre Galan on Friday, February 5, 2010
