Virus: TR/Siscos.VZ
Date discovered: 18/06/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 208.384 Bytes
MD5 checksum: 3cb3ee6d74b6cef597d63be9be4c27f1
IVDF version: 7.10.08.123 - Friday, June 18, 2010

General Aliases:
   •  Bitdefender: Trojan.PWS.LdPinch.TUJ
   •  Panda: Trj/Spammer.AQF
   •  Eset: Win32/Spy.Delf.OGE


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files:
It copies itself to the following locations:
   • C:\Commonfiles\process.exe
   • C:\Commonfiles\process32.exe

It tries to execute the following files:

– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v process /d "C:\Commonfiles\process.exe" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v process32 /d "C:\Commonfiles\process32.exe" /f


– Filename:
   • C:\Commonfiles\\process32.exe

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "process"="C:\Commonfiles\process.exe"
   • "process32"="C:\Commonfiles\process32.exe"
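The Run-key entries and dropped files above are the host-side indicators a responder would check for. The following PowerShell script is an added example, not part of the Avira description; it audits a single Windows host read-only, reporting whether the two Run values exist, whether the files under C:\Commonfiles are present, and whether their MD5 matches the checksum given at the top of this page. The function name Test-SiscosPersistence is my own, and the script assumes Windows PowerShell 4.0 or later (for Get-FileHash) run with local Administrator rights.

```powershell
# Added example, not part of the Avira description. Audits a Windows host for the
# persistence artifacts listed above (HKLM Run values "process"/"process32" and the
# dropped files under C:\Commonfiles). Read-only: it reports, it does not clean.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and local Administrator rights.

function Test-SiscosPersistence {
    [CmdletBinding()]
    param(
        # Run key named in the description (HKLM only, as on the page).
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # MD5 of the analysed sample, taken from the description header.
        [string]$KnownMd5 = '3cb3ee6d74b6cef597d63be9be4c27f1'
    )

    # Value name -> file path pairs exactly as listed in the registry section.
    $Indicators = [ordered]@{
        'process'   = 'C:\Commonfiles\process.exe'
        'process32' = 'C:\Commonfiles\process32.exe'
    }

    $Findings = @()
    $RunValues = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue

    foreach ($Name in $Indicators.Keys) {
        $ExpectedPath = $Indicators[$Name]

        # 1. Is the Run value present? Report what it points at even if the path differs,
        #    since the value names themselves are the indicator.
        if ($RunValues -and $RunValues.PSObject.Properties[$Name]) {
            $Findings += [pscustomobject]@{
                Indicator = "Run value '$Name'"
                Detail    = $RunValues.$Name
                Matches   = ($RunValues.$Name -eq $ExpectedPath)
            }
        }

        # 2. Is the dropped file present? Hash it and compare with the published MD5.
        #    A mismatch does not clear the file; it may simply be a different variant.
        if (Test-Path -LiteralPath $ExpectedPath -PathType Leaf) {
            $Md5 = (Get-FileHash -LiteralPath $ExpectedPath -Algorithm MD5).Hash.ToLowerInvariant()
            $Findings += [pscustomobject]@{
                Indicator = "File $ExpectedPath"
                Detail    = "MD5 $Md5"
                Matches   = ($Md5 -eq $KnownMd5)
            }
        }
    }

    if ($Findings.Count -eq 0) {
        Write-Host "No TR/Siscos.VZ persistence indicators found."
    } else {
        # Out-Host keeps the formatted table off the pipeline so the objects are returned intact.
        $Findings | Format-Table -AutoSize | Out-Host
    }
    return $Findings
}

Test-SiscosPersistence
```

The returned objects can be exported (for example with Export-Csv) when the check is run across many hosts. Because the description only names the HKLM Run key, the script checks nothing else; a per-user sweep of the equivalent HKCU key is a reasonable extension but is not something this page documents.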

Email:
From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.

Network Infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS04-007 (ASN.1 Vulnerability)

Miscellaneous:
Strings:
Furthermore, it contains the following strings:
   • https://login.globo.com/login/1
   • https://login.globo.com/login/1948
   • http://authmail.ig.com.br/Autenticacao/ig.com.br/login.jsp
   • https://mail.google.com/mail/contacts/ui/ContactManager?
   • http://mail.mailig.ig.com.br/mail/contacts/ui/ContactManager?

File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, October 13, 2010
Description updated by Petre Galan on Wednesday, October 13, 2010
