Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:04/07/2006
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:229.376 Bytes
MD5 checksum:2a560ce28707e8ddfc35ec539df1932d
IVDF version: - Tuesday, July 4, 2006

 General Method of propagation:
   • Messenger

   •  Sophos: Mal/VBInject-T
   •  Bitdefender: Trojan.Generic.KD.12598
   •  Eset: Win32/Boberog.AQ

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Third party control
   • Lowers security settings
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\msng.exe

The following file is created:


It tries to executes the following file:

– Filename:
   • "%HOME%\Application Data\msng.exe"

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows System Guard"="%HOME%\Application Data\msng.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%HOME%\Application Data\msng.exe"="%HOME%\Application
      Data\msng.exe:*:Enabled:Windows System Guard"

 Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger
– Yahoo Messenger

The sent message looks like one of the following:

   • olhar para esta foto :D
     se p
      dette bildet :D
     bekijk deze foto :D
     schau mal das foto an :D
     look at this picture :D
     mira esta fotograf
     a :D
     regardez cette photo :D
     guardare quest'immagine :D
     vejte se na mou fotku :D
     ser p
      dette billede :D
     zd meg a k
     pet :D
     spojrzec na to zdjecie :D
     bu resmi bakmak :D
     katso t
      kuvaa :D
     uita-te la aceasta fotografie :D
     pozrite sa na t
     to fotografiu :D
     titta p
      denna bild :D
     poglej to fotografijo :D
     pogledaj to slike :D
     seen this?? :D

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: u.mai**********.com
Port: 81
Channel: #newbin#
Nickname: n[USA|XP]%number%

 File details Programming language:
The malware program was written in Visual Basic.

Description inserted by Petre Galan on Monday, August 9, 2010
Description updated by Petre Galan on Thursday, August 12, 2010

Back . . . .