Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:20/06/2011
In the wild:No
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Low to medium
Static file:Yes
File size:90.112 Bytes
MD5 checksum:25BD5DE9ED14FF13E2A5F8D98C3B7585
VDF version:
IVDF version:

 General Methods of propagation:
   • Autorun feature
   • Messenger

   •  Panda: W32/PoisonIvy.DQ
   •  AhnLab: Win-Trojan/Menti.90112.G

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following location:
   • %TEMPDIR%\%random character string%.exe

It deletes the initially executed copy of itself.

 Registry The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   • "StubPath"="%TEMPDIR%\%random character string%.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Windows Live Messenger

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • %WINDIR%\explorer.exe

 Miscellaneous Accesses internet resources:
   • **********
   • **********
   • **********

Description inserted by Andrei Ilie on Friday, September 30, 2011
Description updated by Andrei Ilie on Friday, September 30, 2011

Back . . . .