Virus:TR/Injector.bzge
Date discovered:26/07/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low
Static file:Yes
File size:20.992 Bytes
MD5 checksum:2219e3865430d68d24e0d76faf5861e4
IVDF version:7.10.09.221 - Tuesday, July 27, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Artemis!2219E3865430
   •  Microsoft: Trojan:Win32/Meredrop
   •  AVG: Cryptic.AQX
   •  Panda: Trj/CI.A
   •  Eset: Win32/Oficla.HZ
   •  Sunbelt: Trojan.Win32.Sasfis.a
   •  DrWeb: Trojan.MulDrop1.40399


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops a file
   • Drops a malicious file
   • Registry modification

 Files The following files are created:

%TEMPDIR%\1.tmp Furthermore it gets executed after it was fully created. This is a non malicious text file that contains information about the program itself.
%SYSDIR%\%random character string%.yeo Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Agent.20480.AB

 Registry The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • Shell="Explorer.exe rundll32.exe %random character string%.yeo upptdvf"

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Monday, August 9, 2010
Description updated by Carlos Valero Llabata on Monday, August 9, 2010

Back . . . .