Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:28/02/2011
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:104.960 Bytes
MD5 checksum:03A024EF5CF397060981B18BAC6C5941
VDF version:
IVDF version: - Monday, February 28, 2011

 General Method of propagation:
    Autorun feature

   •  TrendMicro: TROJ_SPNR.08FE11
   •  Sophos: Mal/FakeAV-FS
     Microsoft: Worm:Win32/Autorun.ZH

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7

Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following location:
   • %APPDATA%\Microsoft\svchost.exe

 Registry One of the following values is added in order to run the process after reboot:

   • "Startup"="%APPDATA%\Microsoft\svchost.exe"

The following registry key is added:

   • "FileNameActual"="%executed file%"

 Backdoor Contact server:
The following:
   • **********

As a result it may send information and remote control could be provided.

 Miscellaneous Mutex:
It creates the following Mutex:
   • LS3JTPV37R

Anti debugging
Checks for debugger or virtual machine using time related techniques.

 File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Ilie on Monday, September 5, 2011
Description updated by Andrei Ilie on Monday, September 5, 2011

Back . . . .