Virus:TR/Dldr.Harnig.S.241
Date discovered:30/05/2011
Type:Trojan
Subtype:Dldr
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:31.744 Bytes
MD5 checksum:9003ddfd1b2bed163d70b64700bc8e9f
VDF version:7.11.08.165 - Monday, May 30, 2011
IVDF version:7.11.08.165 - Monday, May 30, 2011

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Sophos: Mal/FakeAV-EA
   •  Bitdefender: Gen:Variant.Zbot.40
   •  AVG: Generic22.BLDU
   •  Grisoft: Generic22.BLDU
   •  Eset: Win32/Kryptik.ODL
   •  DrWeb: Trojan.Advload.65


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads malicious files

 Files
It deletes the initially executed copy of itself.



The following files are created:

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\jcxwpv.exe
   • %TEMPDIR%\vlnjwlil.exe
   • %TEMPDIR%\apfnemre.exe
   • %TEMPDIR%\ogqpmmg.exe
   • %TEMPDIR%\trqwcc.exe
   • %TEMPDIR%\dfojmv.exe
   • %TEMPDIR%\huwhjcx.exe
   • %TEMPDIR%\yjeqmxs.exe
   • %TEMPDIR%\bebcklqy.exe
   • %TEMPDIR%\qrls.exe




It tries to download some files:

The location is the following:
   • http://aa**********lic.com/bdqqu/iv**********ei.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/vv**********vl.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/nn**********eh.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aaa**********lic.com/bdqqu/sc**********bb.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/sb**********ao.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aaaholic.com/bdqqu/lm**********dd.php?adv=adv414&id=-662622543&c=-82809195
It is saved on the local hard drive under: %temporary internet files%\lmzdd[1].htm
Furthermore this file gets executed after it was fully downloaded.
Further investigation pointed out that this file is malware, too. Detected as: TR/Harnig.A.50


The location is the following:
   • http://aa**********lic.com/bdqqu/vv**********ar.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/hh**********tx.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/uh**********qu.php?adv=adv414&id=-66**********95
It is saved on the local hard drive under: %temporary internet files%\uhhymdqu[1].htm
Furthermore this file gets executed after it was fully downloaded.
Further investigation pointed out that this file is malware, too. Detected as: BDS/Floder.hs.C


The location is the following:
   • http://aa**********lic.com/bdqqu/ly**********uh.php?adv=adv414&id=-66**********95
It is saved on the local hard drive under: %temporary internet files%\lyyyzdduh[1].htm
Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Cutwail.BE.1


The location is the following:
   • http://aa**********lic.com/bdqqu/ly**********cq.php?id=-66**********95&p=1
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/wj**********ae.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/bo**********ff.php?adv=adv414&id=-66**********95
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://aa**********lic.com/bdqqu/kx**********yp.php?adv=adv414&code1=JN**********43&id=-66**********95
At the time of writing this file was not online for further investigation.
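All of the download requests listed above share one shape: an HTTP GET to a path of the form /bdqqu/<name>.php, with an id=-<digits> query parameter and, in all but one case, adv=adv414. The hostnames are masked on this page (the single unmasked instance is aaaholic.com), so a practical network detection keys on the path and query rather than the host. The following Python script is an added example, not Avira's own tooling: it applies that rule to a few constructed proxy-log lines (timestamp, client IP, method, URL, status; the .php file names in the sample lines are made up, since the real ones are masked above) and returns the matching requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path shape shared by every download URL on this page: /bdqqu/<lowercase name>.php
PATH_RE = re.compile(r"^/bdqqu/[a-z]+\.php$")


def is_harnig_beacon(url):
    """Return True if `url` has the request shape of the Harnig downloader.

    Rule derived from the URLs above: path /bdqqu/*.php, an id parameter whose
    value is a negative integer, and (if present at all) adv=adv414.
    """
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    q = parse_qs(parts.query)
    ids = q.get("id", [])
    if not ids or not re.fullmatch(r"-\d+", ids[0]):
        return False
    # One listed request (?id=...&p=1) carries no adv parameter at all, so only
    # reject when adv is present with a different value.
    return q.get("adv", ["adv414"])[0] == "adv414"


# Constructed proxy log (hypothetical traffic), not taken from the page:
# fields are timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2011-05-30T10:01:02 10.0.0.5 GET http://aaaholic.com/bdqqu/qwer.php?adv=adv414&id=-662622543&c=-82809195 200
2011-05-30T10:01:03 10.0.0.5 GET http://aaaholic.com/bdqqu/zxcv.php?id=-662622543&p=1 404
2011-05-30T10:01:04 10.0.0.7 GET http://example.com/bdqqu/index.php?adv=adv414&id=12345 200
2011-05-30T10:01:05 10.0.0.7 GET http://example.com/news/story.php?id=-5 200
2011-05-30T10:01:06 10.0.0.9 GET http://aaaholic.com/bdqqu/asdf.php?adv=adv999&id=-1 200
"""


def scan_log(text):
    """Return (timestamp, client, url) for every log line matching the rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        ts, src, _method, url = fields[:4]
        if is_harnig_beacon(url):
            hits.append((ts, src, url))
    return hits


if __name__ == "__main__":
    for ts, src, url in scan_log(SAMPLE_LOG):
        print(ts, src, url)
```

The third and fifth sample lines are deliberate near-misses: a positive id value and a different adv value. Both fail the rule, which is why the rule checks the parameter values rather than only the path prefix; the 404 on the second line still counts as a hit, because a failed fetch is still evidence of an infected client beaconing.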

 Injection
Process name:
   • %WINDIR%\explorer.exe


 File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX
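Two host-side checks follow from this page: the MD5 checksum given at the top, and the UPX packing noted here, which a stock UPX build announces through section names beginning with "UPX" (UPX0, UPX1). The Python script below is an added example, not Avira's code: it walks a directory such as %TEMPDIR% (where the randomly named .exe files listed above are dropped), hashes every .exe, flags the known checksum, and reads the PE section table directly with struct to report UPX section names. Because no real sample can be shipped here, it also includes build_fake_pe, which constructs a minimal header-only PE image (not executable) purely so the section-table parser can be exercised offline.

```python
import hashlib
import os
import struct

# MD5 from this page's header, mapped to the detection name.
KNOWN_MD5 = {"9003ddfd1b2bed163d70b64700bc8e9f": "TR/Dldr.Harnig.S.241"}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break  # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if any section name starts with 'UPX' (stock UPX naming)."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def triage_bytes(data, path=""):
    md5 = hashlib.md5(data).hexdigest()
    return {"path": path, "md5": md5, "known": KNOWN_MD5.get(md5),
            "upx": looks_upx_packed(data)}


def triage_dir(root):
    """Hash and inspect every .exe below `root`, e.g. the user's %TEMP%."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    results.append(triage_bytes(f.read(), path))
    return results


def build_fake_pe(section_names):
    """Constructed test input: a minimal, non-runnable PE header with the
    given section names. Only the fields the parser reads are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    for r in triage_dir(os.environ.get("TEMP", "/tmp")):
        if r["known"] or r["upx"]:
            print(r)
```

A UPX hit on its own is not a verdict, since plenty of legitimate software ships UPX-packed, and a repacked or renamed-section variant will not carry the UPX names at all; the checksum is the strong signal and the packer flag is the triage hint for unknown files.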

Description inserted by Jason Soo on Wednesday, June 8, 2011
Description updated by Jason Soo on Wednesday, June 8, 2011
