Virus: TR/Spy.110592.183
Date discovered: 01/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 110.592 Bytes
MD5 checksum: f5fbace6277850112bfe9f7c10e47676
IVDF version: 7.10.08.241 - Thursday, July 1, 2010

General

Method of propagation:
   • Autorun feature


Aliases:
   •  Bitdefender: Trojan.VB.Agent.GN
   •  Panda: W32/Autorun.KAE
   •  Eset: Win32/AutoRun.VB.RS


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Drops malicious files
   • Registry modification

Files

It copies itself to the following locations:
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\MSWinUpdate.exe
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0115-0409-0000-0000000FF1CE}-c\temp\tag\HIVE%current date%.exe
   • %drive%\SpoolBin.exe



It deletes the initially executed copy of itself.



It deletes the following file:
   • %drive%\Sm9ssE2039.dat



The following files are created:
   • %HOME%\Start Menu\Programs\Startup\Windows update.lnk
     This is a non-malicious text file with the following content:
        • %code that runs malware%
   • %drive%\autorun.inf
     This is a non-malicious text file with the following content:
        • %code that runs malware%
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\Default\Misc\Utilities\Settings\%current date%.ini
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Windows update.lnk
     This is a non-malicious text file with the following content:
        • %code that runs malware%
   • %drive%\ebd0d60b76dde7ef6728686c-6c4a2f-c7de.lnk
     This is a non-malicious text file with the following content:
        • %code that runs malware%
   • %drive%\Sm9ssE2039.dat



It tries to execute the following files:
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0115-0409-0000-0000000FF1CE}-c\temp\tag\HIVE11161060454PM.exe
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe
   • C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe

Registry

The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Client Server Runtime Subsystem Server 7.20"="C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\csrss.exe"
   • "Session Manager Subsystem Server 3.91"="C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe"



The following registry key is changed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"="00000000"
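The persistence artefacts listed above (the two Run values, the ShowSuperHidden change, the drop directory, the startup shortcuts and the HIVE%current date%.exe naming) are the points a defender can check on a host. The following script is an added example, not part of the Avira description: it takes an inventory the reader has already collected (Run-key name/command pairs, the Explorer\Advanced values and a list of file paths, all passed in as plain Python data) and reports which entries match the description's indicators. The sample inventory at the bottom is constructed, and the csrss.exe/smss.exe check flags any copy autostarted from outside System32, which goes slightly beyond the exact paths on this page.

```python
import re
from typing import Dict, List

# Indicators taken from the description above.
DROP_DIR = "ebd0d60b76dde7ef6728686c-6c4a2f-c7de"
RUN_VALUE_NAMES = {
    "Client Server Runtime Subsystem Server 7.20",
    "Session Manager Subsystem Server 3.91",
}
# Genuine Windows processes the dropped copies imitate; the real ones live only in System32.
IMITATED_BINARIES = {"csrss.exe", "smss.exe"}
# HIVE%current date%.exe, e.g. HIVE11161060454PM.exe in the description.
HIVE_RE = re.compile(r"\\hive\d+(am|pm)\.exe$")
DROPPED_NAMES = {"autorun.inf", "spoolbin.exe", "sm9sse2039.dat", "windows update.lnk", DROP_DIR + ".lnk"}

def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Inspect HKLM\\...\\CurrentVersion\\Run value-name/command pairs."""
    findings = []
    for name, command in run_values.items():
        path = command.strip('"').lower()
        exe = path.rsplit("\\", 1)[-1]
        if name in RUN_VALUE_NAMES:
            findings.append(f"Run value name from the description: {name}")
        if exe in IMITATED_BINARIES and "\\system32\\" not in path:
            findings.append(f"{exe} autostarted from outside System32: {command}")
    return findings

def check_explorer_advanced(values: Dict[str, str]) -> List[str]:
    """ShowSuperHidden=0 makes Explorer hide protected operating-system files."""
    val = values.get("ShowSuperHidden")
    if val is not None and re.fullmatch(r"0+", str(val)):
        return ["ShowSuperHidden is 0: protected OS files hidden in Explorer"]
    return []

def check_paths(paths: List[str]) -> List[str]:
    """Flag files in the drop directory, with a dropped file name, or matching the HIVE pattern."""
    findings = []
    for p in paths:
        low = p.lower()
        if DROP_DIR in low or low.rsplit("\\", 1)[-1] in DROPPED_NAMES or HIVE_RE.search(low):
            findings.append(f"dropped-file indicator: {p}")
    return findings

def scan(run_values, explorer_advanced, paths) -> List[str]:
    return check_run_values(run_values) + check_explorer_advanced(explorer_advanced) + check_paths(paths)

# Constructed sample inventory: one clean Run entry plus entries matching the description.
SAMPLE_RUN = {"Example Updater": r'"C:\Program Files\Example\updater.exe"',
              "Session Manager Subsystem Server 3.91": r"C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0030-0000-0000-0000000FF1CE}-c\drivers\smss.exe"}
SAMPLE_ADVANCED = {"ShowSuperHidden": "00000000"}
SAMPLE_PATHS = [r"C:\Windows\System32\csrss.exe", r"E:\autorun.inf", r"E:\SpoolBin.exe",
                r"C:\ebd0d60b76dde7ef6728686c-6c4a2f-c7de\All Users\{90120000-0115-0409-0000-0000000FF1CE}-c\temp\tag\HIVE11161060454PM.exe"]
```

Calling scan(SAMPLE_RUN, SAMPLE_ADVANCED, SAMPLE_PATHS) on the constructed inventory yields six findings; the clean Run entry and the genuine System32\csrss.exe produce none.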

File details

Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, November 16, 2010
Description updated by Petre Galan on Tuesday, November 16, 2010
