Date discovered: 22/04/2010
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 81.409 Bytes
MD5 checksum: b2dfa22025a1043e3a12837222f6753f
IVDF version:

General Aliases:
   •  Sophos: Troj/Delf-FEP
   •  Panda: W32/IRCbot.CXC
   •  Eset: Win32/Boberog.AQ
   •  Bitdefender: Trojan.Generic.KD.8165

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following location:
   • %TEMPDIR%\nvdis.exe

The following file is created:
It tries to execute the following files:

– Filename:
   • netsh firewall add allowedprogram %TEMPDIR%\nvdis.exe WindowsSafety ENABLE

– Filename:
   • taskkill /IM winlog.exe

– Filename:
   • taskkill /IM svchost.exe

– Filename:
   • taskkill /IM csrss.exe

– Filename:
   • taskkill /IM lsass.exe

– Filename:
   • "%TEMPDIR%\nvdis.exe"

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\nvdis.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\nvdis.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "MicrosoftCorp"="%TEMPDIR%\nvdis.exe"

–  [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • %TEMPDIR%\nvdis.exe

IRC:
To deliver system information and to provide remote control it connects to the following IRC server:

Server: rix.mes**********.su
Port: 1234
Channel: #l#
Nickname: {NEW}[USA][XP-%Windows version%]%number%

Process termination:
List of processes that are terminated:
   • winlog.exe
   • svchost.exe
   • csrss.exe
   • lsass.exe

File details:
Programming language:
The malware program was written in Delphi.

Description inserted by Petre Galan on Tuesday, July 6, 2010
Description updated by Petre Galan on Tuesday, July 6, 2010
