Virus:TR/Gendal.192512
Date discovered:14/11/2007
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:192512 Bytes
MD5 checksum:83C749732492B43F6EFC1687BE2C8336
VDF version:7.00.00.205
IVDF version:7.00.00.213 - Wednesday, November 14, 2007

General:
Methods of propagation:
   • Autorun feature
   • Mapped network drives


Aliases:
   •  Kaspersky: Trojan.Win32.VB.akzc
   •  Avast: Win32:AutoRun-BTD
   •  Microsoft: Worm:Win32/Esfury.A
   •  Panda: W32/Esfury.Q
   •  VirusBuster: Trojan.VB!QBq8bINiSPk
   •  Eset: Win32/AutoRun.VB.QW
   •  AhnLab: Win-Trojan/Malware.192512.AG


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads malicious files
   • Lowers security settings
   • Registry modification


Right after execution the following information is displayed (screenshot not included in this text version):

Files:
It copies itself to the following locations:
   • %HOME%\%current username%1\winlogon.exe
   • %drive%\drivesguideinfo\svchost.exe




It tries to download some files:

– The location is the following:
   • http://3-x-5-3-7-h-p-g-r-y-7-**********eaps1.info
It uses this content to modify the hosts file.

– The location is the following:
   • http://3-x-5-3-7-h-p-g-r-y-7-**********eaps1.info


– The location is the following:
   • http://3-x-5-3-7-h-p-g-r-y-7-**********eaps1.info

Registry:
The following registry values are added so that the malware is started again after a reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA Media Center Library"="%HOME%\%current username%1\winlogon.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA Media Center Library"="%HOME%\%current username%1\winlogon.exe"



The following registry values are changed:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   Old value:
   • "UpdatesDisableNotify"=dword:00000000
   New value:
   • "UpdatesDisableNotify"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "EnableLUA"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   Old value:
   • "DisableSR"=dword:00000000
   New value:
   • "DisableSR"=dword:00000001

Disables the System Restore filter driver service (sr); Start=4 means SERVICE_DISABLED:

– [HKLM\SYSTEM\CurrentControlSet\Services\sr]
   Old value:
   • "Start"=dword:00000000
   New value:
   • "Start"=dword:00000004

Explorer view settings (hides file extensions and protected operating system files, so the dropped copies are harder to spot):

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "SuperHidden"=dword:00000000
   • "Hidden"=dword:00000002
   • "HideFileExt"=dword:00000001
   New value:
   • "ShowSuperHidden"=dword:00000000
   • "SuperHidden"=dword:00000001
   • "Hidden"=dword:00000002
   • "HideFileExt"=dword:00000003

Internet Explorer's start page:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Default_Search_URL"="http://www.nuevaq.fm"
   • "Default_Page_URL"="http://www.nuevaq.fm"
   • "Local Page"="http://www.nuevaq.fm"
   • "Start Page"="http://www.nuevaq.fm"
   • "Search Page"="http://www.nuevaq.fm"

Internet Explorer's start page:

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   New value:
   • "Default_Page_URL"="http://www.nuevaq.fm"
   • "Default_Search_URL"="http://www.nuevaq.fm"
   • "Local Page"="http://www.nuevaq.fm"
   • "Search Page"="http://www.nuevaq.fm"
   • "Start Page"="http://www.nuevaq.fm"

Lowers security settings (value listed under the Internet Explorer key):

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   New value:
   • "UACDisableNotify"=dword:00000001
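The registry indicators listed above can be checked offline against a `reg export` of the relevant keys (for example from a triage collection). The following Python script is an added example written for this page, not Avira tooling: it parses the .reg text format, maps the long hive names `reg export` writes to the short forms used in this description, and flags the persistence, security-lowering and browser-hijack values described above. It generalises the Run-key check to any winlogon.exe started from outside System32, since the genuine binary is never launched from a Run value. The embedded sample export is constructed for illustration; the Explorer view values are not checked because they are also common defaults, and `UACDisableNotify` is checked under the key as this description gives it.

```python
"""Offline triage of a .reg export for the registry indicators described above.
Added example for this page (not Avira tooling); the sample export below is constructed."""
import re
from typing import Any, Callable, Dict, List, Tuple

# reg export writes long hive names; the description above uses the short forms.
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def normalize_key(key: str) -> str:
    """Lower-case a key path and map HKEY_LOCAL_MACHINE -> HKLM etc."""
    hive, _, rest = key.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse decoded .reg text into {key: {value name: data}}. REG_DWORD becomes int,
    REG_SZ becomes str; other types stay raw and hex(...) continuation lines are ignored."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        data = m.group(3)
        if data.lower().startswith("dword:"):
            value: Any = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = data
        keys[current][name] = value
    return keys


def _dword(expected: int) -> Callable[[Any], bool]:
    return lambda v: isinstance(v, int) and v == expected


# (key, value name, predicate, meaning) for the security-lowering values listed above.
INDICATORS: List[Tuple[str, str, Callable[[Any], bool], str]] = [
    ("hklm\\software\\microsoft\\security center", "updatesdisablenotify", _dword(1),
     "Security Center update warnings disabled"),
    ("hklm\\software\\microsoft\\windows\\currentversion\\policies\\system", "enablelua", _dword(0),
     "UAC disabled (EnableLUA=0)"),
    ("hklm\\software\\microsoft\\windows nt\\currentversion\\systemrestore", "disablesr", _dword(1),
     "System Restore disabled (DisableSR=1)"),
    ("hklm\\system\\currentcontrolset\\services\\sr", "start", _dword(4),
     "System Restore filter driver service 'sr' set to Disabled (Start=4)"),
    # key as given in the description above (assumption: not verified against other sources)
    ("hklm\\software\\microsoft\\internet explorer\\main", "uacdisablenotify", _dword(1),
     "UAC warnings disabled"),
]
RUN_KEYS = ("hkcu\\software\\microsoft\\windows\\currentversion\\run",
            "hklm\\software\\microsoft\\windows\\currentversion\\run")
IE_MAIN_KEYS = ("hkcu\\software\\microsoft\\internet explorer\\main",
                "hklm\\software\\microsoft\\internet explorer\\main")
IE_PAGE_VALUES = ("default_search_url", "default_page_url", "local page", "start page", "search page")
HIJACK_HOST = "nuevaq.fm"

Finding = Tuple[str, str, str, Any]  # (meaning, key, value name, data)


def triage(reg_text: str) -> List[Finding]:
    reg = parse_reg_export(reg_text)
    found: List[Finding] = []
    for key, name, hit, meaning in INDICATORS:
        data = reg.get(key, {}).get(name)
        if data is not None and hit(data):
            found.append((meaning, key, name, data))
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            path = str(data).strip('"').lower()
            # The real winlogon.exe lives in %SystemRoot%\System32 and is never started from
            # a Run value, so any winlogon.exe outside System32 is treated as the dropped copy.
            if name == "nvidia media center library" or (
                    path.endswith("\\winlogon.exe") and "\\system32\\" not in path):
                found.append(("autostart of a winlogon.exe look-alike", key, name, data))
    for key in IE_MAIN_KEYS:
        for name in IE_PAGE_VALUES:
            data = reg.get(key, {}).get(name)
            if isinstance(data, str) and HIJACK_HOST in data.lower():
                found.append(("Internet Explorer start/search page hijack", key, name, data))
    return found


# Constructed sample export for this example (not a capture from an infected host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA Media Center Library"="C:\\Documents and Settings\\user\\user1\\winlogon.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.nuevaq.fm"
"Search Page"="http://www.bing.com/search"
'''

if __name__ == "__main__":
    for meaning, key, name, data in triage(SAMPLE_EXPORT):
        print(f"[!] {meaning}: {key}\\{name} = {data!r}")
```

To use it on a real host, export the keys of interest (for example `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg`), decode the file with the encoding `reg export` produced (current versions write UTF-16), concatenate the exports and pass the text to `triage()`. A hit on the Run-key check should be followed by hashing the referenced file and comparing it with the MD5 given at the top of this description.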

Hosts:
The hosts file is modified using the downloaded content; existing entries may be overwritten.
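Because the description does not say which names the downloaded content maps, a hosts-file review has to be generic. The following Python script is an added example for this page, not Avira tooling: it parses a Windows hosts file and reports names redirected to a non-loopback address, non-localhost names sent to loopback (the usual way update and vendor sites are cut off), and names that appear more than once, where a line injected above the original entry shadows it because the resolver takes the first matching line. The sample hosts content and the `.test` names in it are constructed.

```python
"""Audit of a Windows hosts file for the overwriting behaviour described above.
Added example for this page, not Avira tooling; the sample hosts content is constructed."""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]  # (address, hostname, line number)
DEFAULT_NAMES = {"localhost"}  # present on a clean system for both 127.0.0.1 and ::1


def parse_hosts(text: str) -> List[Entry]:
    """Return one (address, hostname, line) per mapping; '#' comments and blank lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), lineno))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify mappings: 'redirected' (name sent to a non-loopback address), 'blocked'
    (non-localhost name sent to loopback) and 'shadowed' (name mapped more than once; the
    resolver uses the first match, so a line injected above the original replaces it)."""
    by_name: Dict[str, List[Entry]] = {}
    for entry in parse_hosts(text):
        by_name.setdefault(entry[1], []).append(entry)
    report: Dict[str, List[Entry]] = {"redirected": [], "blocked": [], "shadowed": []}
    for name, hits in by_name.items():
        if name in DEFAULT_NAMES:
            continue
        if len(hits) > 1:
            report["shadowed"].extend(hits)
        for addr, host, lineno in hits:
            try:
                loopback = ipaddress.ip_address(addr).is_loopback
            except ValueError:
                loopback = False  # unparsable address: listed as a redirect so it gets looked at
            report["blocked" if loopback else "redirected"].append((addr, host, lineno))
    return report


# Constructed sample: a stock header plus entries of the kind a hosts-file hijack leaves behind.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.20.30.40     www.example-bank.test    # injected: bank name sent to an attacker host
10.20.30.40     intranet.example.test    # injected above the admin's own line, which it shadows
127.0.0.1       update.example-av.test   # vendor update site cut off
10.0.0.5        intranet.example.test
"""

if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        for addr, host, lineno in hits:
            print(f"{kind:10} line {lineno}: {host} -> {addr}")
```

On a live system the file to read is %SystemRoot%\System32\drivers\etc\hosts; on a host where the malware has also hidden file extensions and protected files, read it from a clean boot medium or a forensic image rather than trusting the running Explorer view.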

Injection:
It injects itself into the following process:

    Process name:
   • svchost.exe


Miscellaneous:
Accesses the following internet resources:
   • http://whos.amung.us/widget/l96f428it5mt/

File details:
Programming language:
The malware program was written in Visual Basic.

Description inserted by Alexandru Dinu on Thursday, February 24, 2011
Description updated by Alexandru Dinu on Thursday, February 24, 2011
