In the wild:
Low to medium
Low to medium
- Wednesday, February 11, 2009
Methods of propagation:
• Autorun feature
• Local network
• Panda: W32/IRCBot.CKA.worm
• Eset: Win32/AutoRun.Agent.JD
• Bitdefender: Trojan.Generic.1704532
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Drops malicious files
• Registry modification
• Third party control
It copies itself to the following locations:
The following files are created:
\autorun.inf This is a non-malicious text file with the following content:
%code that runs malware%
The following registry key is added in order to run the process after reboot:
• "Description"="Provides control and info about management."
• "DisplayName"="WMI Management App"
The following registry key is changed:
It is spreading via Messenger. The characteristics are described below:
– AIM Messenger
– MSN Messenger
It makes use of the following Exploits:
(Vulnerability in Server Service)
IP address generation:
It creates random IP addresses while it keeps the first octet from its own address. Afterwards it tries to establish a connection with the created addresses.
– It attempts to schedule remote execution of the malware on the newly infected machine, using the NetScheduleJobAdd function.
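A detection sketch for the address-generation behaviour described above, added here as an example and not taken from the original description: it flags a source whose destinations almost all share its own first octet but are scattered across many second octets. The function name, the thresholds and the (source, destination) record format are assumptions, and the sample connections are constructed.

```python
from collections import defaultdict
from ipaddress import IPv4Address


def first_octet_scanners(conns, min_targets=20, min_same=0.9, min_spread=10):
    """Return {src: stats} for sources whose targets look randomly generated
    inside the source's own first octet. Thresholds are assumed defaults."""
    targets = defaultdict(set)
    for src, dst in conns:
        targets[IPv4Address(src)].add(IPv4Address(dst))

    flagged = {}
    for src, dsts in targets.items():
        # Destinations that keep the source's first octet.
        same = [d for d in dsts if d.packed[0] == src.packed[0]]
        # Random generation spreads over many second octets; ordinary
        # LAN traffic stays inside the host's own subnet.
        spread = len({d.packed[1] for d in same})
        if (len(dsts) >= min_targets
                and len(same) / len(dsts) >= min_same
                and spread >= min_spread):
            flagged[str(src)] = {
                "targets": len(dsts),
                "same_first_octet": len(same),
                "second_octet_spread": spread,
            }
    return flagged


# Constructed sample: (source, destination) pairs from connection logs.
SAMPLE = (
    # Scanner-like host: first octet fixed, remaining octets scattered.
    [("10.1.2.3", f"10.{(i * 37) % 256}.{(i * 91) % 256}.{i + 1}")
     for i in range(40)]
    # Busy but normal host: many peers, all inside its own subnet.
    + [("10.1.2.50", f"10.1.2.{i + 100}") for i in range(30)]
    # Normal host: mostly external destinations, a few local ones.
    + [("10.1.2.9", f"198.51.100.{i + 1}") for i in range(25)]
    + [("10.1.2.9", "10.1.2.1"), ("10.1.2.9", "10.1.2.10")]
)

if __name__ == "__main__":
    for host, stats in first_octet_scanners(SAMPLE).items():
        print(host, stats)
```

In practice the thresholds need tuning per network, and restricting the input to failed or unanswered connection attempts reduces false positives.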
To deliver system information and to provide remote control it connects to the following IRC Server:
Server password: 3v1l$
– Furthermore it has the ability to perform actions such as:
• Execute file
• Perform network scan
• Shut down system
• Update itself
The following port is opened:
– explorer.exe on TCP port 33097 in order to provide an HTTP server.
It checks if one of the following files is present:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Petre Galan on Thursday, February 25, 2010
Description updated by Petre Galan on Friday, February 26, 2010