Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:23/07/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
File size:113.664 Bytes
MD5 checksum:1669696567d21ff756052a90e526cba3
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Kaspersky: Worm.Win32.VBNA.akzw
   •  F-Secure: Worm:W32/Vobfus.BJ
   •  Microsoft: Worm:Win32/Vobfus.H
   •  Eset: Win32/AutoRun.VB.RP
   •  DrWeb: Win32.HLLW.Autoruner.25109
   •  Norman: W32/VBNA.BL

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\%random character string%.exe

It tries to download a file:

– The location is the following:
   • http://co**********
It is saved on the local hard drive under: %HOME%\%random character string%.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.PicHut.B.1

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "cuaxiiz"="%HOME%\%random character string%.exe"

The following registry key is changed:

Various Explorer settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "ShowSuperHidden"=dword:00000001
   New value:
   • "ShowSuperHidden"=dword:00000000

 File details Programming language:
The malware program was written in Visual Basic.

Description inserted by Patrick Schoenherr on Friday, July 23, 2010
Description updated by Patrick Schoenherr on Friday, July 23, 2010

Back . . . .