Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:02/05/2011
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:170.496 Bytes
MD5 checksum:019d0480f15b53565559ae265642fc13
VDF version:
IVDF version:

 General Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.CodecPack.asrt
   •  F-Secure: Trojan-Downloader.Win32.CodecPack.asrt
   •  Bitdefender: Trojan.Generic.5882326
   •  Eset: Win32/Kryptik.NKT
   •  GData: Trojan.Generic.5882326
   •  DrWeb: Trojan.DownLoader2.51506

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Registry modification

 Files The following file is created:


It tries to execute the following file:

– Filename:
   • ctfmon.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "R8388QA8U8"="%executed file%"

The value of the following registry key is removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • internat.exe

The following registry key is added:

– [HKCU\Software\R8388QA8U8]
   • "Vqo0"=dword:0x00000001
   • "VqoB"=dword:0x0a7404e0
   • "VqoH"=dword:0x01cc113b
   • "VtaH"="%character string%"
   • "VtaS"="%character string%"

The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   New value:
   • "ctfmon.exe"="%SYSDIR%\ctfmon.exe"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Disable Script Debugger"="yes"

 Injection – It injects a backdoor routine into a process.

    Process name:
   • ctfmon.exe

 Miscellaneous Accesses internet resources:

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, May 12, 2011
Description updated by Petre Galan on Thursday, May 12, 2011

Back . . . .