Virus: WORM/Taterf.B.15
Date discovered: 29/03/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 196.096 Bytes
MD5 checksum: 3FD41B9EC13F2AF472E40359D3545F03
VDF version: 7.01.02.221
IVDF version: 7.01.02.229 - Sunday, March 29, 2009

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Gammima.AG
   •  Kaspersky: Trojan-GameThief.Win32.Magania.eajm
   •  TrendMicro: TROJ_GAMETHI.FGY
   •  Sophos: Mal/Agent-MP
   •  Microsoft: Worm:Win32/Taterf.B
   •  AVG: Win32/NSAnti.J


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\anhzxc.exe



It deletes the initially executed copy of itself.

It also creates the following files. Further investigation pointed out that these files are malware, too:
   • %SYSDIR%\anszxc10.dll
   • %SYSDIR%\anszxc20.dll

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "anhxox"="%SYSDIR%\anhzxc.exe"



The following registry keys are added:

– [HKLM\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\
   InprocServer32]
   • @="%SYSDIR%\anszxc20.dll"

– [HKLM\SOFTWARE\Classes\TypeLib\
   {C8414F92-BA90-4600-B7EA-0CEFAF5A0636}\1.0\0\win32]
   • @="%SYSDIR%\anszxc20.dll"

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   • "ParseAutoexec"="1"
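The file and registry artefacts listed above are what a responder would check for on a suspect host. The following Python script is an added example, not Avira's code: it parses a registry export in .reg text format and a list of file paths, and reports which of the indicators named in this description are present. The sample export, the file list and the system directory `C:\Windows\System32` are constructed for the example; registry key and value names are compared case-insensitively, as Windows itself treats them.

```python
"""Offline check for the persistence indicators named in this description.

Constructed example (not Avira's code): scans a .reg text export plus a
list of file paths for the artefacts the description lists and returns
the matches for review.
"""

# Indicators taken from the description above (file paths use %SYSDIR%).
FILE_INDICATORS = {
    r"%SYSDIR%\anhzxc.exe",
    r"%SYSDIR%\anszxc10.dll",
    r"%SYSDIR%\anszxc20.dll",
}

# (registry key, value name, substring expected in the value data)
REGISTRY_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "anhxox", "anhzxc.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
     r"\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\InprocServer32",
     "@", "anszxc20.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib"
     r"\{C8414F92-BA90-4600-B7EA-0CEFAF5A0636}\1.0\0\win32",
     "@", "anszxc20.dll"),
    # Listed on the page; on its own this value is a weak indicator.
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "ParseAutoexec", "1"),
]


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} for string values.

    Only the subset of the format needed here is handled: [key] headers,
    "name"="data" lines and the @="data" default value, with the doubled
    backslashes of .reg string data unescaped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(reg_text, present_files, sysdir=r"C:\Windows\System32"):
    """Return a list of human-readable hits for the known indicators."""
    hits = []
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    for key, name, needle in REGISTRY_INDICATORS:
        data = keys.get(key.lower(), {}).get(name)
        if data is not None and needle.lower() in data.lower():
            hits.append(f"registry: [{key}] {name}={data}")
    expected = {p.replace("%SYSDIR%", sysdir).lower() for p in FILE_INDICATORS}
    for path in present_files:
        if path.lower() in expected:
            hits.append(f"file: {path}")
    return hits


# Constructed sample input: one benign Run entry next to the persistence value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"anhxox"="C:\\Windows\\System32\\anhzxc.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="1"
'''

# Constructed sample file list (one dropped file, one benign system file).
SAMPLE_FILES = [
    r"C:\Windows\System32\anhzxc.exe",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```

On a live host the same function can be fed the output of `reg export` for each hive listed and a directory listing of the system directory; a hit on the Run value or on the dropped files is the strong signal, while `ParseAutoexec` alone should be read together with the others.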

Injection
It injects itself into a process.

   Process name:
   • explorer.exe


Miscellaneous
Anti debugging:
Checks for a debugger or virtual machine using time-related techniques.

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Ilie on Friday, April 15, 2011
Description updated by Andrei Ilie on Tuesday, April 19, 2011
