Date discovered: 16/01/2007
Type: File infector
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~65.000 Bytes
IVDF version: - Tuesday, January 16, 2007

General
Method of propagation:
   • Infects files
   • Mapped network drives

Aliases:
   •  Symantec: W32.Dizan
   •  McAfee: W32/Dzan.b
   •  Kaspersky: Virus.Win32.Dzan.a
   •  Sophos: W32/Dzan-A
   •  VirusBuster: Win32.Dzan.A
   •  Eset: Win32/Dzan.A
   •  Bitdefender: Win32.Dzan.B

Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Infects files
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\mmc.exe

File infection
Infector type:

Appender - The virus's main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.

Damaging - The files may be improperly infected. This results in infected files that are broken and crash.

No stealth techniques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.

This memory-resident infector remains active in memory.

Infection length:

Approximately 61.000 Bytes

The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %all directories%
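
The appender behaviour described above (virus code placed in the last section, entry point redirected to it) gives a simple triage check, shown here as an added example that is not Avira's code: parse the PE headers and flag a file whose entry point lies in its last section. The `build_sample` helper and its two-section layout are constructed test input.

```python
import struct

def entry_in_last_section(pe: bytes) -> bool:
    """True if AddressOfEntryPoint lies inside the section with the highest RVA."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    (nsec,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (entry,) = struct.unpack_from("<I", pe, opt + 16)
    table = opt + opt_size                    # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        # VirtualSize, VirtualAddress, SizeOfRawData follow the 8-byte name
        vsize, vaddr, rsize = struct.unpack_from("<III", pe, table + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize)))
    if len(sections) < 2:
        return False                          # one section: the check says nothing
    last_va, last_len = max(sections)         # section mapped highest in memory
    return last_va <= entry < last_va + last_len

def build_sample(entry_rva: int) -> bytes:
    """Constructed PE32 headers only: .text at RVA 0x1000, .rsrc at RVA 0x2000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")

    def sec(name: bytes, vaddr: int) -> bytes:
        return struct.pack("<8sIIII", name, 0x1000, vaddr, 0x200, 0).ljust(40, b"\0")

    return dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000) + sec(b".rsrc", 0x2000)

if __name__ == "__main__":
    for rva in (0x1000, 0x2400):              # normal layout vs. appender-style layout
        print(hex(rva), entry_in_last_section(build_sample(rva)))
```

Packed but benign executables can also start in their last section, so a hit is a reason to scan the file, not a verdict.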

Registry
The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\mmc]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\mmc.exe
   • "DisplayName"="Smart Card Supervisor"
   • "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\CurrentControlSet\Services\mmc\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\mmc\Enum]
   • "0"="Root\\LEGACY_MMC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MMC]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MMC\0000]
   • "Service"="mmc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Smart Card Supervisor"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MMC\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="mmc"

Backdoor
The following port is opened:

%SYSDIR%\mmc.exe on TCP port 3000

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Daniel Constantin on Wednesday, March 31, 2010
Description updated by Daniel Constantin on Wednesday, March 31, 2010
