Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:12/01/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:207.872 Bytes
MD5 checksum:d4689ed810452de9c0fe6f3ea6b25b7b
IVDF version:

 General Method of propagation:
   • Email

   •  Panda: Bck/IRCbot.CTX
   •  Eset: Win32/SpamTool.Tedroo.AL
   •  Bitdefender: Worm.Generic.220500

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops a malicious file
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe

It tries to download some files:

– The location is the following:
   •**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%

– The location is the following:
   •**********?task=%number%&id=%character string%

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host" = "%character string"
   • "id" = "%character string%"
   • "ii" = "%number%"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.

– Email addresses found in specific files on the system.

– Contains HTML code.

The attachment is a copy of the malware itself.

 Mailing MX Server:
It has the ability to contact one of the following MX servers:

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 8, 2010
Description updated by Petre Galan on Thursday, April 8, 2010

Back . . . .