Virus: TR/Devis.45056.22
Date discovered: 13/08/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 45056 Bytes
MD5 checksum: fa8d63f8aebc11a357433c556df5cfc4
VDF version: 7.10.04.147
IVDF version: 7.10.10.182 - Friday, August 13, 2010
General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan.Win32.Pincav.aequ
• TrendMicro: TROJ_AGENT.ZJA
• F-Secure: Trojan.Win32.Pincav.aequ
• Sophos: Mal/Rimecud-E
• Bitdefender: Rootkit.38546
• Eset: Win32/Injector.CSV

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Third party control
• Can be used to modify system settings that allow or augment potential malware behaviour.
• Registry modification

Files

It copies itself to the following location:
• %SYSDIR%\sysdevop.exe

It deletes the initially executed copy of itself.

Registry

The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "System Development Operations"="%SYSDIR%\sysdevop.exe"

The following registry keys including all values and subkeys are removed (this strips the Safe Mode service and driver lists, so the system can no longer boot into Safe Mode until they are restored):
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vds]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sharedaccess]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Tcpip]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDI]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdpipe.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdtcp.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\UploadMgr]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vga.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vgasave.sys]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinMgmt]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVC]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
• [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

The following registry key is added (an infection marker):
– [HKCU\Software\Microsoft\Windows\CurrentVersion\App]
• "new"="yes"

IRC

To deliver system information and to provide remote control it connects to the following IRC server:
Server: r0x.fucklamerz.ru
Port: 3030
Channel: #rox
Nickname: n{USA|XP}gurguda

Furthermore it has the ability to perform actions such as:
• Connect to IRC server
• Join IRC channel

Injection

It injects itself as a remote thread into a process.
Process name:
• explorer.exe

File details

Runtime packer: In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
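A host check for the indicators listed above, added here as an example; it is not part of the Avira description. It assumes an elevated PowerShell 4 or later session, takes %SYSDIR% as $env:SystemRoot\System32, reads the SafeBoot keys under CurrentControlSet (the description names ControlSet001), and the subkey-count threshold is a heuristic of my own.

```powershell
# Added example (not Avira's code): look for the TR/Devis.45056.22 artefacts
# this description lists. Run elevated; %SYSDIR% assumed = SystemRoot\System32.
$findings = @()

# 1. Persistence: Run value pointing at the dropped copy
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'System Development Operations'
if ($runVal) { $findings += "Run value 'System Development Operations' = $runVal" }

# 2. Dropped file, hashed so it can be compared with the description's MD5
$dropped = Join-Path $env:SystemRoot 'System32\sysdevop.exe'
if (Test-Path $dropped) {
    $md5 = (Get-FileHash -Path $dropped -Algorithm MD5).Hash.ToLower()
    $match = if ($md5 -eq 'fa8d63f8aebc11a357433c556df5cfc4') { 'matches' } else { 'differs from' }
    $findings += "File present: $dropped (MD5 $md5 $match the described sample)"
}

# 3. Infection marker written under HKCU
$marker = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App'
if ((Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue).new -eq 'yes') {
    $findings += "Marker value 'new'='yes' under $marker"
}

# 4. Safe Mode sabotage: SafeBoot\Minimal and SafeBoot\Network exist on every
#    healthy install, so a missing or near-empty key is the tell-tale sign.
#    CurrentControlSet is assumed to be the set the description calls ControlSet001.
foreach ($set in 'Minimal', 'Network') {
    $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set"
    if (-not (Test-Path $sb)) {
        $findings += "SafeBoot\$set key is missing"
    } else {
        $n = @(Get-ChildItem -Path $sb).Count
        if ($n -lt 10) { $findings += "SafeBoot\$set has only $n subkeys (heuristic threshold 10)" }
    }
}

# 5. The Run entry launches sysdevop.exe at logon, so a process by that name is
#    worth listing; the injected thread inside explorer.exe is not visible this way.
Get-Process -Name sysdevop -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: $($_.Path)"
}

if ($findings.Count -eq 0) { 'No TR/Devis.45056.22 indicators found' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

If the SafeBoot keys are missing, they have to be restored from a clean machine of the same Windows version before Safe Mode will work again; the script only reports, it does not repair.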
Description inserted by Ana Maria Niculescu on Friday, October 1, 2010 Description updated by Ana Maria Niculescu on Friday, October 8, 2010