Date discovered: 20/01/2010
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 196.096 Bytes
MD5 checksum: e6491116dd485687b7a58dcc7642b13b
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: W32.Gammima.AG
   • Kaspersky: Trojan-GameThief.Win32.Magania.eagi
   • TrendMicro: TROJ_GAMETHI.GYL
   • Sophos: Troj/Agent-POC
   • Microsoft: Worm:Win32/Taterf.B

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification
   • Makes use of software vulnerability

Files
It copies itself to the following location:
   • %SYSDIR%\anhzxc.exe

It deletes the initially executed copy of itself.

The following files are created:
   • %SYSDIR%\anszxc10.dll – Further investigation pointed out that this file is malware, too.
   • %SYSDIR%\anszxc20.dll – Further investigation pointed out that this file is malware, too.

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "anhxox"="%SYSDIR%\anhzxc.exe"

The following registry keys are added:

– [HKLM\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\
   • @="IEHlprObj.IEHlprObj"

– [HKLM\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\
   • @="%SYSDIR%\anszxc20.dll"

– [HKLM\SOFTWARE\Classes\Interface\
   • @="{C8414F92-BA90-4600-B7EA-0CEFAF5A0636}"

– [HKLM\SOFTWARE\Classes\TypeLib\
   • @="%SYSDIR%\anszxc20.dll"

Process termination
List of processes that are terminated:
   • ASHDISP.EXE; avast.setup; setup.ovr; EKRN.EXE; updater.dll;
      eguiEpfw.dll; eguiEmon.dll; ekrnEpfw.dll; ekrnEmon.dll; AVP.EXE;
      prupdate.ppl; AYAGENT.AYE; AYUpdate.aye; UFSEAGNT.EXE; SfFnUp.exe;
      UfUpdUi.exe; AVGNT.EXE; preupd.exe; update.exe; VSTSKMGR.EXE;
      vsupdate.dll; mcupdate.exe; AVGRSX.EXE; avgupd.exe; avgupd.exe

Injection
It injects itself into a process.

   Process name:
   • explorer.exe

Miscellaneous
Anti debugging:
Checks for a debugger or virtual machine using time-related techniques.

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Ilie on Friday, April 8, 2011
Description updated by Andrei Ilie on Thursday, April 14, 2011