Virus: TR/Extats.A.39
Date discovered: 23/03/2011
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 185.856 Bytes
MD5 checksum: 2eab29682efa6513c87f3a8ae2df7854
VDF version: 7.10.09.251
IVDF version: 7.11.05.33 - Wednesday, March 23, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Trojan-Dropper.Win32.Pakes.dp
   • F-Secure: Trojan-Dropper.Win32.Pakes.dp
   • Bitdefender: Trojan.Generic.5853665
   • AVG: Dropper.Generic3.AKXF
   • Grisoft: Dropper.Generic3.AKXF
   • Eset: Win32/Extats.A
   • DrWeb: Trojan.DownLoader2.22793


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
It copies itself to the following location:
   • %HOME%\application data\%random%\svcnost.exe

Registry
To each registry key one of the values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "mssend"=""%HOME%\Application Data\%random%\svcnost.exe""

  [HKEY_USERS\S-1-5-21-602162358-2077806209-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run]
   • "mssend"=""%HOME%\Application Data\%random%\svcnost.exe""

It creates the following entries in order to bypass the Windows XP firewall:

  [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "svcnost.exe"="%HOME%\Application Data\%random%\svcnost.exe:*:Enabled:ldrsoft"

  [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "svcnost.exe"="%HOME%\Application Data\%random%\svcnost.exe:*:Enabled:ldrsoft"
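As an added example (not part of Avira's description), the following Python scans a .reg export for the two persistence indicators listed above: a Run value pointing at svcnost.exe under Application Data, and an enabled firewall AuthorizedApplications entry for the same path. The sample export, its user name and the random folder name are constructed; the "path:scope:state:name" layout of the firewall value is the documented Windows XP SP2 format.

```python
import re

# Constructed .reg export (not from the page's sample); paths mirror the description above.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mssend"="\"C:\\Documents and Settings\\user\\Application Data\\a1b2c3\\svcnost.exe\""
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"svcnost.exe"="C:\\Documents and Settings\\user\\Application Data\\a1b2c3\\svcnost.exe:*:Enabled:ldrsoft"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\\ and \") allowed inside both strings
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Executable dropped into a random folder under the profile's Application Data
APPDATA_EXE = re.compile(r"\\application data\\[^\\]+\\svcnost\.exe", re.I)


def _unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_indicators(text):
    """Return (kind, value_name, detail) hits for the Run and firewall entries above."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(r"\software\microsoft\windows\currentversion\run"):
            if APPDATA_EXE.search(data):
                hits.append(("run_persistence", name, data))
        elif k.endswith(r"\firewallpolicy\standardprofile\authorizedapplications\list"):
            # XP SP2 format: <path>:<scope>:<Enabled|Disabled>:<display name>; the path
            # itself contains a drive-letter colon, so split from the right.
            parts = data.rsplit(":", 3)
            if len(parts) == 4:
                path, scope, state, label = parts
                if state.lower() == "enabled" and APPDATA_EXE.search(path):
                    hits.append(("firewall_exception", name, f"{path} scope={scope} label={label}"))
    return hits
```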

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Chiaho Heng on Monday, May 16, 2011
Description updated by Chiaho Heng on Monday, May 16, 2011
