Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:20/06/2011
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:186.368 Bytes
MD5 checksum:74CAB58E7647BACC4E6C59B03C14C9A4
VDF version:
IVDF version:

 General Method of propagation:
   • Messenger

   •  TrendMicro: BKDR_ICRBOT.DL
   •  Sophos: Troj/DorkBot-I
   •  Microsoft: Trojan:Win32/Rimod

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Third party control
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %APPDATA%\J-93219-1923-12901\msnmsg32.exe

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Mobile Device Service"="%APPDATA%\J-93219-1923-12901\msnmsg32.exe"

The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   • "%APPDATA%\J-93219-1923-12901\msnmsg32.exe"="%APPDATA%\J-93219-1923-12901\msnmsg32.exe:*:Enabled:Mobile Device Service"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Yahoo Messenger

The sent message looks like one of the following:

   • !! haha wow %link%
     du ser fint her! woww %link%
     kijken naar wow hah %link%
     wer hat dieses Bild? wow %link%
     you look so weird in this pic!!! %link%
     te ves hermosa aqus belle photo! heheh %link%
     sei bella in questa foto!! %link%
     hahahahahahahahaahahahahhaha %link%
     hahahah nice billede :) %link%
     hahahahahaha!!!woww %link%
     ten pic jest zabawne! hah %link%
     Burada komik bak!! %link%
      hauska kuva!!! %link%
     ceea ce o imagine nebun wow haha %link%
     pozrite sa na tto fotografi wow %link%
     r en rolig bild %link%
     poglej to fotografijo!!! %link%
     pogledaj ove slike!! %link%
     haha omg crazy %link%

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********
Port: 4042
Channel: #biznew#
Nickname: %random character string%

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe

 Miscellaneous Mutex:
It creates the following Mutex:
   • sejjj890hh4

 File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Ilie on Tuesday, August 30, 2011
Description updated by Andrei Ilie on Tuesday, August 30, 2011

Back . . . .