Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:18/08/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:67.072 Bytes
MD5 checksum:437f401b6a9e14a629f9774c73a1e3b1
IVDF version:

 General Aliases:
   •  Bitdefender: Trojan.Generic.KD.27303
   •  Panda: Trj/Downloader.XWE
   •  Eset: Win32/TrojanDownloader.Carberp.A

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops malicious files

 Files It copies itself to the following location:
   • %HOME%\Start Menu\Programs\Startup\syscron.exe

It deletes the initially executed copy of itself.

It tries to download some files:

– The location is the following:
   •**********?id=%character string%&task=%number%

– The location is the following:

– The location is the following:

– The location is the following:

It tries to execute the following files:

– Filename:
   • %WINDIR%\explorer.exe

– Filename:
   • %SYSDIR%\svchost.exe -k netsvcs

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe

– It injects a backdoor routine into a process.

    Process name:
   • svchost.exe

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, December 13, 2010
Description updated by Petre Galan on Tuesday, December 14, 2010

Back . . . .