Virus:TR/Scar.apqx
Date discovered:20/11/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:43.008 Bytes
MD5 checksum:5cdef39df4850fe9d241490fe4305df2
IVDF version:7.10.01.43 - Friday, November 20, 2009

General Aliases:
   •  Mcafee: W32/Koobface.worm.gen.d
   •  Sophos: W32/Koobface-V
   •  Panda: W32/Koobface.JT.worm
   •  Eset: Win32/Koobface.NCK
   •  Bitdefender: Win32.Worm.Koobface.AMW


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %drive%\windows\ld15.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %TEMPDIR%\zpskon_1270677929.exe
   • %drive%\3.reg
   • %malware execution directory%\df1a245s4_1592.exe
   • %malware execution directory%\SelfDel.bat
   • %malware execution directory%\sd.dat
   • %WINDIR%\dxxdv34567.bat
   • %drive%\h.tmp
   • %TEMPDIR%\captcha.bat
   • %drive%\1.bat
   • %TEMPDIR%\zpskon_1270669724.exe
   • %HOME%\Local Settings\Application Data\rdr_1270658517.exe



The following files are created:

– %drive%\3.reg
  This is a non-malicious text file with the following content:
   • %code that runs malware%

– %malware execution directory%\df1a245s4_1592.exe
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

– %HOME%\Local Settings\Application Data\010112010146100109.xxe

– %TEMPDIR%\zpskon_1270682172.exe
  Further investigation pointed out that this file is malware, too. Detected as: BDS/Backdoor.Gen

– %HOME%\Local Settings\Application Data\010112010146115119.xxe

– %HOME%\Local Settings\Application Data\rdr_1270658517.exe
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

– %drive%\windows\bill106.exe
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

– %malware execution directory%\SelfDel.bat
  It is executed once it has been fully written. This batch file is used to delete a file.

– %SYSDIR%\drivers\etc\hosts

– %TEMPDIR%\zpskon_1270677929.exe
  Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

– %WINDIR%\fdgg34353edfgdfdf

– %drive%\windows\bk23567.dat

– %HOME%\Local Settings\Application Data\0101120101465198.xxe

– %drive%\h.tmp

– %WINDIR%\dxxdv34567.bat
  It is executed once it has been fully written. This batch file is used to delete a file.

– %PROGRAM FILES%\webserver\webserver.exe
  Further investigation pointed out that this file is malware, too. Detected as: BDS/Backdoor.Gen

– %malware execution directory%\sd.dat

– %TEMPDIR%\captcha.bat
  It is executed once it has been fully written. This batch file is used to delete a file.

– %SYSDIR%\captcha.dll

– %TEMPDIR%\zpskon_1270669724.exe
  Further investigation pointed out that this file is malware, too. Detected as: TR/ATRAPS.Gen

– %drive%\1.bat
  It is executed once it has been fully written. This batch file is used to delete a file.



It tries to download some files:

– The locations are the following:
   • http://banmismokingban.com/**********/?action=%character string%&v=%number%
   • http://uuviet.toila.net/**********/?action=%character string%&v=%number%
   • http://prospect-m.ru/**********/?action=%character string%&v=%number%
   • http://glyk.ch/**********/?action=%character string%&v=%number%
   • http://sindhpk.com/**********/?action=%character string%&v=%number%
   • http://www.smoketrend.de/**********/?action=%character string%&v=%number%
   • http://rabadanmakeupartist.com/**********/?action=%character string%&v=%number%
   • http://www.friesen-research.com/**********/?action=%character string%&v=%number%
   • http://azfatso.org/**********/?action=%character string%&v=%number%
   • http://lineaidea.it/**********/?action=%character string%&v=%number%
   • http://mysex.co.il/**********/?action=%character string%&v=%number%
   • http://daveshieldsmedia.com/**********/?action=%character string%&v=%number%
   • http://kingdom-shakers.com/**********/?action=%character string%&v=%number%
   • http://www.eurostandart.biz/**********/?action=%character string%&v=%number%
   • http://drpaulaprice.com/**********/?action=%character string%&v=%number%
   • http://eurorot.com/**********/?action=%character string%&v=%number%
   • http://rowanhenderson.com/**********/?action=%character string%&v=%number%
   • http://sigmai.co.il/**********/?action=%character string%&v=%number%
   • http://anlaegkp.dk/**********/?action=%character string%&v=%number%
   • http://inartdesigns.com/**********/?action=%character string%&v=%number%
   • http://inartdesigns.com/**********/?action=%character string%&ff=%number%&a=%number%&v=%number%&l=%number%&c_fb=%number%&c_ms=%number%&c_hi=%number%&c_tw=%number%&c_be=%number%&c_tg=%number%&c_nl=%number%&iedef=%number%
   • http://mdcoc.net/**********/?getexe=%character string%
   • http://www.idif.it/**********/?action=%character string%&v=%number%&crc=%number%
   • http://www.idif.it/**********/?action=%character string%&a=%number%&v=%number%&c_fb=%number%&ie=%character string%
   • http://www.person.doae.go.th/**********/?getexe=%character string%
   • http://www.person.doae.go.th/**********/?getexe=%character string%
   • http://www.person.doae.go.th/**********/?getexe=%character string%
   • http://www.person.doae.go.th/**********/?getexe=%character string%
   • http://amazingpets.org/**********/?action=%character string%&v=%number%&crc=%number%
   • http://amazingpets.org/**********/?action=%character string%&mode=%character string%&age=%number%&a=%number%&v=%number%&c_fb=%number%&ie=%character string%


– The location is the following:
   • http://insta-find.com/adm/**********


– The location is the following:
   • http://u07012010u.com/**********/?uptime=%number%&v=%number%&sub=%number%&ping=%number%&proxy=%number%&hits=%number%&noref=%number%&port=%number%




It tries to execute the following files and commands:
   • %WINDIR%\ld15.exe
   • %TEMPDIR%\\zpskon_1270669724.exe
   • cmd /c c:\1.bat
   • zpskon_12706697
   • %TEMPDIR%\\zpskon_1270677929.exe
   • sc create "captcha" type= share start= auto binPath= "%SYSDIR%\svchost.exe -k captcha"
   • %TEMPDIR%\zpskon_1270677929.exe
   • %TEMPDIR%\\zpskon_1270682172.exe
   • reg add "HKLM\SYSTEM\CurrentControlSet\Services\captcha\parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%WINDIR%\system
   • reg add HKLM\Software\Microsoft\Windows\CurrentVersion /v Port /t REG_DWORD /d 1002
   • netsh add allowedprogram "%PROGRAM FILES%\webserver\webserver.exe" webserver ENABLE
   • cmd /c %WINDIR%\dxxdv34567.bat
   • reg add "HKLM\SYSTEM\CurrentControlSet\Services\captcha" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300
   • reg add "HKLM\SYSTEM\CurrentControlSet\Services\captcha" /v Type /t REG_DWORD /d 288 /f
   • reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost" /v captcha /t REG_MULTI_SZ /d "captcha\0" /f
   • rundll32 captcha,ServiceMain
   • regedit /s c:\2.reg
   • netsh firewall add portopening TCP 1002 webserver ENABLE
   • netsh firewall add portopening TCP 53 webserver ENABLE
   • sc create "webserver" binPath= "%PROGRAM FILES%\webserver\webserver.exe" type= share start= auto
   • reg add "HKLM\SYSTEM\CurrentControlSet\Services\webserver" /v FailureActions /t REG_BINARY /d 00000000000000000000000003
   • sc start "webserver"
   • df1a245s4_1592.exe
   • cmd /c SelfDel.bat
   • %malware execution directory%\df1a245s4_1592.exe
   • %WINDIR%\bill106.exe
   • "%HOME%\Local Settings\Application Data\rdr_1270658517.exe"
   • cmd /c "%HOME%\Local Settings\Application Data\rdr_1270658517.exe" /res >%temp%\captcha.bat
   • "%HOME%\Local Settings\Application Data\rdr_1270658517.exe" /res
   • cmd /c "%temp%\captcha.bat"
   • netsh firewall add allowedprogram name="captcha" program="%SYSDIR%\svchost.exe" mode=ENABLE

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "sysldtray"="%WINDIR%\ld15.exe"
   • "sysfbtray"="%WINDIR%\bill106.exe"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
   New value:
   • "Port"=dword:0x000003ea

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   New value:
   • "captcha"="captcha"

Hosts
The hosts file is modified as follows:

– Access to the following domain is redirected to another destination:
   • 85.13.206.115 u07012010u.com


File details
Runtime packer: To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, April 12, 2010
Description updated by Petre Galan on Monday, April 12, 2010
