Date discovered: 09/06/2011
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 3.328.947 Bytes
MD5 checksum: 8A6D83F8E169F2508F978C1B7D57D13F
VDF version: - Thursday, June 9, 2011
IVDF version: - Thursday, June 9, 2011

General

Method of propagation:
   • Autorun feature

Aliases:
   • Kaspersky: Worm.Win32.AutoRun.hud
   • TrendMicro: WORM_OTORUN.HU
   • Microsoft: Worm:Win32/Colowned.A

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Third party control
   • Drops files
   • Registry modification

Files

It copies itself to the following locations:
   • %APPDATA%\taskhost.exe
   • %drive%\viewDrive.exe

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

It tries to download a file:

The location is the following:
   • http://link.colo.**********.hu:31099/l.txt
This file may contain further download locations and might serve as source for new threats.

Registry

One of the following values is added to each registry key in order to run the processes after reboot:

   • "Windows Task Host"="%APPDATA%\taskhost.exe"

   • "Windows Task Host"="%APPDATA%\taskhost.exe"

Backdoor

The following port is opened:
   • svchost.exe on UDP port 1033

Contact server:
The following:
   • http://link.colo.**********.hu:31099

Injection

It injects itself as a remote thread into processes.

Process name:
   • svchost.exe

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Monday, August 1, 2011
Description updated by Andrei Ilie on Tuesday, August 2, 2011
