Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:04/01/2011
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:12.800 Bytes
MD5 checksum:fb7fe0405bb4f98bcbd3b1caee9ca3be
VDF version:
IVDF version:

 General Method of propagation:
   • Messenger

   •  Bitdefender: Backdoor.IrcBot.ADAK
   •  Panda: W32/MSNworm.JF.worm
   •  Eset: Win32/AutoRun.IRCBot.GH

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Third party control
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\svcDriver.exe

The following file is created:

– %HOME%\Application Data\google_cache13.tmp

It tries to execute the following file:

– Filename:
   • %HOME%\Application Data\svcDriver.exe

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%HOME%\Application Data\svcDriver.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%HOME%\Application Data\svcDriver.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Windows Messenger

The sent message looks like one of the following:

   • regardez cette lol! %link%
     schau mal das lol! %link%
     mira esta lol! %link%
     bekijk deze lol! %link%
     look at this lol! %link%
     guardare quest lol! %link%
     vejte se na mou lol! %link%
      dette lol! %link%
     zd meg a lol! %link%
      dette lol! %link%
     spojrzec na lol! %link%
     olhar para esta lol! %link%
     Have you seen this? lol! %link%

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: test.nyn**********.info
Port: 8160
Nickname: [USA]%number%

 Miscellaneous Mutex:
It creates the following Mutex:
   • chgvhj452

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, January 19, 2011
Description updated by Petre Galan on Thursday, January 20, 2011

Back . . . .