Virus: TR/MSIL.Crypt.fn
Date discovered: 06/06/2011
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 72.704 Bytes
MD5 checksum: A65D9C0CCADB91983EF545D00334B5A2
VDF version: 7.11.09.62 - Monday, June 6, 2011
IVDF version: 7.11.09.62 - Monday, June 6, 2011

General

Method of propagation:
   • Messenger


Aliases:
   • TrendMicro: TROJ_GEN.F35EZFL
   • Sophos: Mal/MSIL-AW
   • Microsoft: Worm:Win32/Pushbot


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Third party control
   • Drops files
   • Registry modification
   • Steals information

Files

It copies itself to the following location:
   • %WINDIR%\jodrive32.exe

Registry

The following value is added to each of these registry keys so that the dropped file is run again after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Config Setup"="%WINDIR%\jodrive32.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "Microsoft Config Setup"="%WINDIR%\jodrive32.exe"



The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%executed file%"="%executed file%:*:%WINDIR%\jodrive32.exe"

Messenger

It spreads via Messenger. The characteristics are described below:

– Windows Live Messenger

Process termination

List of processes that are terminated:


Miscellaneous

Accesses internet resources:

Description inserted by Andrei Ilie on Tuesday, September 6, 2011
Description updated by Andrei Ilie on Tuesday, September 6, 2011
