Virus: TR/Dldr.Nirava.127.41
Date discovered: 25/07/2011
Type: Trojan
Subtype: Dldr
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 530.432 Bytes
MD5 checksum: dd300cd046dbb642dd00c4a802769fb9
VDF version: 7.11.12.87 - Monday, July 25, 2011
IVDF version: 7.11.12.87 - Monday, July 25, 2011

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Sophos: Mal/Sinowal-N
   •  Bitdefender: Gen:Variant.Downloader.127


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Can be used to execute malicious code
   • Registry modification

Files

It copies itself to the following locations:
   • %SYSDIR%\pload99.dll
   • %HOME%\pload99.dll
   • %HOME%\Start Menu\Programs\Startup\scanxdiskzk86.dll



The following file is created:

– %HOME%\scandisk.lnk

Registry

The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NvCplDaemonTool"="rundll32.exe c:\windows\\system32\\pload99.dll,_IWMPEvents"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NvCplDaemonTool"="rundll32.exe C:\DOCUME~1\\KARZEM~1\\pload99.dll,_IWMPEvents"



The following registry key is changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   New value:
   • "1400"=dword:00000000

Description inserted by Jason Soo on Wednesday, July 27, 2011
Description updated by Jason Soo on Wednesday, July 27, 2011
