Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:01/03/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:197.632 Bytes
MD5 checksum:c1142cb0380b0bba40eceffdb6c54110
IVDF version:

 General Method of propagation:
   • Email

   •  Sophos: W32/Autorun-BBI
   •  Panda: W32/P2PWorm.GW
   •  Eset: Win32/SpamTool.Tedroo.AL
   •  Bitdefender: Worm.Generic.231551

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe

It tries to download a file:

– The locations are the following:
   •**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%
   •**********?task=%number%&id=%character string%

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host"="%character string%"
   • "id"="%character string%"
   • "ii"="%number%"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.

– Email addresses found in specific files on the system.

– Contains HTML code.


The attachment is a copy of the malware itself.

 Mailing MX Server:
It has the ability to contact one of the following MX servers:

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, May 13, 2010
Description updated by Petre Galan on Thursday, May 13, 2010

Back . . . .