Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:27/01/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:110.592 Bytes
MD5 checksum:b4ad15b31d6dcd311312b3fcdefd6b1c
IVDF version:

 General Method of propagation:
   • Peer to Peer

   •  Sophos: Troj/Agent-MND
   •  Panda: W32/Dursg.A.worm
   •  Eset: Win32/Dursg.A
   •  Bitdefender: Trojan.Generic.IS.437939

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\SystemProc\lsass.exe

It deletes the initially executed copy of itself.

The following files are created:

%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
– C:\confin.sys
%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

It tries to download some files:

– The location is the following:
   •**********?aid=%character string%

– The location is the following:
   •**********?sd=%character string%&aid=%character string%

It tries to executes the following file:

– Filename:
   • "%HOME%\Application Data\SystemProc\lsass.exe"

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "RTHDBPL"="%HOME%\Application Data\SystemProc\lsass.exe"

 P2P It searches for the following directories:
   • %PROGRAM FILES%\winmx\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa\my shared folder\

   If successful, the following files are created:
   • DivX 5.0 Pro KeyGen.exe; Counter-Strike KeyGen.exe; IP Nuker.exe;
      Website Hacker.exe; Keylogger.exe; AOL Password Cracker.exe; ICQ
      Hacker.exe; AOL Instant Messenger (AIM) Hacker.exe; MSN Password
      Cracker.exe; Microsoft Visual Studio KeyGen.exe; Microsoft Visual
      Basic KeyGen.exe; Microsoft Visual C++ KeyGen.exe; Sub7 2.3
      Private.exe; sdbot with NetBIOS Spread.exe; L0pht 4.0 Windows Password
      Cracker.exe; Windows Password Cracker.exe; NetBIOS Cracker.exe;
      NetBIOS Hacker.exe; DCOM Exploit.exe; Norton Anti-Virus 2005
      Enterprise Crack.exe; Hotmail Cracker.exe; Hotmail Hacker.exe; Brutus
      FTP Cracker.exe; FTP Cracker.exe; Password Cracker.exe; Half-Life 2
      Downloader.exe; UT 2003 KeyGen.exe; Windows 2003 Advanced Server

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 22, 2010
Description updated by Petre Galan on Thursday, April 22, 2010

Back . . . .