Virus: TR/Spy.188416.128
Date discovered: 23/08/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 188.416 Bytes
MD5 checksum: f9cb29a3558271d771ed4e201b27e1f5
IVDF version: 7.10.10.242 - Monday, August 23, 2010

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Artemis!F9CB29A35582
   •  Kaspersky: Trojan.Win32.Buzus.ffys
   •  Microsoft: Trojan:Win32/Ircbrute
   •  Panda: Trj/CI.A
   •  PCTools: Backdoor.LolBot
   •  Eset: IRC/SdBot
   •  Sunbelt: Trojan.Win32.Ircbrute
   •  AhnLab: Worm/Win32.Palevo
   •  DrWeb: Trojan.DownLoader1.18394
   •  Ikarus: Trojan.Win32.Buzus


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Lowers security settings
   • Drops files
   • Drops a malicious file
   • Registry modification

Files:
It copies itself to the following location:
   • %WINDIR%\jusched.exe

It deletes the initially executed copy of itself.

The following files are created:

– Non-malicious files:
   • %cookies%\index.dat
   • %HOME%\Local Settings\History\History.IE5\index.dat

– A file for temporary use that might be deleted afterwards:
   • %temporary internet files%\Content.IE5\index.dat

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"
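The following PowerShell script is an added defender-side check for the persistence entries and the dropped file listed above; it is not part of the Avira description. It is read-only: it reports the three Run values and the file under %WINDIR%, and compares the file's MD5 with the checksum given at the top of this description. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated session so that the HKLM keys are readable.

```powershell
# Added example, not from the original description: report the indicators named above.
# Read-only; nothing is deleted or modified.

$valueName = 'Java developer Script Browse'
$dropped   = Join-Path $env:WINDIR 'jusched.exe'
$knownMd5  = 'f9cb29a3558271d771ed4e201b27e1f5'   # MD5 checksum from the description above

# The three Run keys listed in the description. The Terminal Server "Install" key is
# a less commonly monitored autostart location and is worth checking explicitly.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Indicator = 'Registry Run value'
            Location  = $key
            Detail    = "$valueName = $($props.$valueName)"
        }
    }
}

# The legitimate Java Update Scheduler binary of the same name is installed under
# Program Files, so a jusched.exe directly in %WINDIR% is itself suspicious; the
# hash comparison then tells a known sample apart from a variant.
if (Test-Path $dropped) {
    $md5 = (Get-FileHash -Path $dropped -Algorithm MD5).Hash.ToLower()
    if ($md5 -eq $knownMd5) {
        $label = 'Dropped file (hash matches description)'
    } else {
        $label = 'Dropped file (hash differs, inspect manually)'
    }
    $findings += [pscustomobject]@{
        Indicator = $label
        Location  = $dropped
        Detail    = "MD5 $md5"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the file is deleted from its original location after copying itself, the persistent copy and the Run values are the durable artifacts to look for; a hash mismatch on the %WINDIR% copy should be treated as a finding to investigate rather than as a clean result.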

IRC:
This malware has the ability to collect and send the following information:
   • Username

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Wednesday, August 25, 2010
Description updated by Carlos Valero Llabata on Wednesday, August 25, 2010
