Date discovered: 18/06/2010
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 208.384 Bytes
MD5 checksum: 3cb3ee6d74b6cef597d63be9be4c27f1
IVDF version:

General Aliases:
   •  Bitdefender: Trojan.PWS.LdPinch.TUJ
   •  Panda: Trj/Spammer.AQF
   •  Eset: Win32/Spy.Delf.OGE

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following locations:
   • C:\Commonfiles\process.exe
   • C:\Commonfiles\process32.exe

It tries to execute the following files:

– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v process /d "C:\Commonfiles\process.exe" /f

– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v process32 /d "C:\Commonfiles\process32.exe" /f

– Filename:
   • C:\Commonfiles\process32.exe

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "process"="C:\Commonfiles\process.exe"
   • "process32"="C:\Commonfiles\process32.exe"

Email
From:
The sender address is spoofed.

– Email addresses found in specific files on the system.

Network Infection
In order to ensure its propagation, the malware attempts to connect to other machines as described below.

It makes use of the following Exploit:
– MS04-007 (ASN.1 Vulnerability)

Miscellaneous
String:
Furthermore, it contains the following strings:

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, October 13, 2010
Description updated by Petre Galan on Wednesday, October 13, 2010
