Virus: TR/Crypter.F.13
Date discovered: 29/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: High
Distribution Potential: Medium to high
Damage Potential: Medium to high
Static file: Yes
File size: 27.136 Bytes
MD5 checksum: ce66082bb9edc2494eb66a26186d51c5
IVDF version: 7.10.09.252 - Thursday, July 29, 2010

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Spam-Mailbot.m
   •  Kaspersky: Backdoor.Win32.Bredolab.gii
   •  TrendMicro: TROJ_WALEDAC.AIT
   •  F-Secure: Trojan-Downloader:W32/Crypt.N
   •  Sophos: Troj/Agent-OCW
   •  Bitdefender: Trojan.Crypter.F
   •  Avast: Win32:Bredolab-DO
   •  Microsoft: TrojanDownloader:Win32/Waledac.C
   •  Panda: Bck/Bredolab.AZ
   •  VirusBuster: Trojan.Kryptik.ABNG
   •  Eset: Win32/TrojanDownloader.Bredolab.AN
   •  GData: Trojan.Crypter.F
   •  AhnLab: Win-Trojan/Bredolab.55808
   •  Authentium: W32/Trojan3.BWQ
   •  DrWeb: Trojan.DownLoad.41551
   •  Ikarus: Trojan.Win32.FakeAV


Platforms / OS:
   • Windows 98
   • Windows 2000
   • Windows XP
   • Windows Vista
   • Windows 7


Side effects:
   • Downloads malicious files


Right after execution the following information is displayed:


Files
It tries to download some files:

– The location is the following:
   • http://18**********g.exe
It is saved on the local hard drive under: %TEMPDIR%\_ex-68.exe
Furthermore, this file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too.
Detected as: TR/Fakealert.ajv.1


– The location is the following:
   • http://8**********t.exe
It is saved on the local hard drive under: %TEMPDIR%\_ex-08.exe
Furthermore, this file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too.
Detected as: TR/Spy.Sniff.E

File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Thursday, August 12, 2010
Description updated by Carlos Valero Llabata on Thursday, August 12, 2010
