Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:11/04/2011
Type:Backdoor Server
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:170.496 Bytes
MD5 checksum:c58cddc6c919035b21d08e75e6fad633
VDF version: - Monday, April 11, 2011
IVDF version: - Monday, April 11, 2011

 General Aliases:
   •  Kaspersky: Trojan.Win32.Jorik.Gbot.aev
   •  Bitdefender: Trojan.Downloader.JOID
     GData: Trojan.Downloader.JOID
     DrWeb: BackDoor.Gbot.30

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\Microsoft\conhost.exe

It overwrites a file.
%HOME%\Application Data\Mozilla\Firefox\Profiles\zaqxlwxs.default\prefs.js

The following file is created:

%HOME%\Application Data\613A.043

 Registry The following registry key is added in order to run the process after reboot:

   • "conhost"="%HOME%\Application Data\Microsoft\conhost.exe"

 Miscellaneous  Checks for an internet connection by contacting the following web site:
Accesses internet resources:
   •**********?v44=%number%&tq=%character string%
   •**********?v36=%number%&tq=%character string%
   •**********?tq=%character string%
   •**********?v86=%number%&tq=%character string%

It creates the following Mutexes:
   • {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
   • {A5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
   • {61B98B86-5F44-42b3-BCA1-33904B067B81}

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, July 4, 2011
Description updated by Petre Galan on Monday, July 4, 2011

Back . . . .