Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:06/05/2005
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:95.744 Bytes
MD5 checksum:19ad756af282a3af98dc50f3c40e51b0
IVDF version: - Friday, May 6, 2005

 General Aliases:
   •  Mcafee: Generic.dx
   •  Bitdefender: Trojan.Generic.3291040
   •  Eset: Win32/Poebot.NCA

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Third party control
   • Lowers security settings
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\spooIsv.exe

It deletes the initially executed copy of itself.

It deletes the following file:
   • %malware execution directory%\kgorzsd.bat

The following file is created:

%malware execution directory%\kgorzsd.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

It tries to executes the following files:

– Filename:
   • cmd /c ""%malware execution directory%\kgorzsd.bat" "

– Filename:
   • %SYSDIR%\spooIsv.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Spooler SubSystem App"="%SYSDIR%\spooIsv.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%SYSDIR%\spooIsv.exe"="%SYSDIR%\spooIsv.exe:*:Enabled:Spooler
      SubSystem App"

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: her.d0k**********.com
Port: 4466
Channel: #balengor
Nickname: d[cUnawXg]b

 File details Programming language:
The malware program was written in Borland C++.

Description inserted by Petre Galan on Thursday, August 12, 2010
Description updated by Petre Galan on Thursday, August 12, 2010

Back . . . .