Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
Low to medium
Low to medium
- Monday, February 15, 2010
Method of propagation:
• Autorun feature
• Peer to Peer
• Sophos: Troj/Nyrate-L
• Panda: W32/P2Pworm.GA
• Eset: Win32/Peerfrag.EC
• Bitdefender: Backdoor.Tofsee.Gen
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Drops malicious files
• Registry modification
It copies itself to the following locations:
The following files are created:
\autorun.inf This is a non malicious text file with the following content:
%code that runs malware%
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "Taskman"="%recycle bin%\
In order to infect other systems in the Peer to Peer network community the following action is performed: It retrieves shared folders by querying the following registry keys:
• Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1
It searches for directories that contain the following substring:
• \Local Settings\Application Data\Ares\My Shared Folder
It is spreading via Messenger. The characteristics are described below:
– MSN Messenger
The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.
The following port is opened:
– dig**********.cn on UDP port 44403
– It injects itself as a remote thread into a process.
The malware program was written in MS Visual C++.
Description inserted by Petre Galan on Wednesday, June 30, 2010
Description updated by Petre Galan on Wednesday, June 30, 2010