Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:W32/Dzan.a
Date discovered:16/01/2007
Type:File infector
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:No
File size:~65.000 Bytes
IVDF version:6.37.00.172 - Tuesday, January 16, 2007

 General Method of propagation:
   • Infects files
   • Mapped network drives


Aliases:
   •  Symantec: W32.Dizan
   •  Mcafee: W32/Dzan.b
   •  Kaspersky: Virus.Win32.Dzan.a
   •  Sophos: W32/Dzan-A
   •  VirusBuster: Win32.Dzan.A
   •  Eset: Win32/Dzan.A
   •  Bitdefender: Win32.Dzan.B


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Infects files
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\mmc.exe

 File infection Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.

Damaging - The files may be improperly infected. This results in infected files that are broken and crash.


Stealth:
No stealth techinques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.


Method:

This memory-resistent infector remains active in memory.


Infection length:

Approximately 61.000 Bytes


The following file is infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %all directories%

 Registry The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\mmc]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\mmc.exe
   • "DisplayName"="Smart Card Supervisor"
   • "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\CurrentControlSet\Services\mmc\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\mmc\Enum]
   • "0"="Root\\LEGACY_MMC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MMC]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MMC\0000]
   • "Service"="mmc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Smart Card Supervisor"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MMC\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="mmc"

 Backdoor The following port is opened:

%SYSDIR%\mmc.exe on TCP port 3000

 File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Daniel Constantin on Wednesday, March 31, 2010
Description updated by Daniel Constantin on Wednesday, March 31, 2010

Back . . . .