Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
Low to medium
Low to medium
- Wednesday, May 12, 2010
Methods of propagation:
• Autorun feature
• Peer to Peer
• Sophos: Mal/Koobface-D
• Bitdefender: Trojan.Generic.KD.11119
• Panda: W32/IRCBot.CWZ
• Eset: Win32/Peerfrag.FD
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Drops malicious files
• Registry modification
It copies itself to the following locations:
The following files are created:
\autorun.inf This is a non malicious text file with the following content:
%code that runs malware%
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
In order to infect other systems in the Peer to Peer network community the following action is performed: It retrieves shared folders by querying the following registry keys:
• Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1
It searches for directories that contain the following substring:
• \Local Settings\Application Data\Ares\My Shared Folder
It is spreading via Messenger. The characteristics are described below:
– Windows Live Messenger
The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.
The following port is opened:
– ms.bes**********.com on UDP port 1863
– It injects itself as a remote thread into a process.
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
Description inserted by Petre Galan on Wednesday, August 18, 2010
Description updated by Petre Galan on Thursday, August 19, 2010