Virus: TR/Inject.81409.BI
Date discovered: 22/04/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 81.409 Bytes
MD5 checksum: b2dfa22025a1043e3a12837222f6753f
IVDF version: 7.10.06.171 - Thursday, April 22, 2010

General Aliases:
   •  Sophos: Troj/Delf-FEP
   •  Panda: W32/IRCbot.CXC
   •  Eset: Win32/Boberog.AQ
   •  Bitdefender: Trojan.Generic.KD.8165


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following location:
   • %TEMPDIR%\nvdis.exe



The following file is created:

%TEMPDIR%\google_cache112.tmp



It tries to execute the following command lines (the netsh call adds the dropped file to the Windows Firewall exception list; the taskkill calls target the processes listed under "Process termination" below):
   • netsh firewall add allowedprogram %TEMPDIR%\nvdis.exe WindowsSafety ENABLE
   • taskkill /IM winlog.exe
   • taskkill /IM svchost.exe
   • taskkill /IM csrss.exe
   • taskkill /IM lsass.exe
   • "%TEMPDIR%\nvdis.exe"

Registry:
The following registry keys are added in order to run the processes after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\nvdis.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\nvdis.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "MicrosoftCorp"="%TEMPDIR%\nvdis.exe"

The following registry key is also modified. It is the Windows Firewall authorized-applications list for the standard profile and corresponds to the netsh command above: the entry allows the dropped file through the firewall rather than running it after reboot.

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %TEMPDIR%\nvdis.exe

IRC:
To deliver system information and to provide remote control it connects to the following IRC server:

Server: rix.mes**********.su
Port: 1234
Channel: #l#
Nickname: {NEW}[USA][XP-%Windows version%]%number%

Process termination:
List of processes that are terminated:
   • winlog.exe
   • svchost.exe
   • csrss.exe
   • lsass.exe


File details:
Programming language: The malware program was written in Delphi.

Description inserted by Petre Galan on Tuesday, July 6, 2010
Description updated by Petre Galan on Tuesday, July 6, 2010
