Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:01/10/2010
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:167.936 Bytes
MD5 checksum:104DE28DD07BD41A163A922C7EC23E8E
VDF version:
IVDF version: - Friday, October 1, 2010

 General Aliases:
   •  Kaspersky: Trojan.Win32.Llac.zxd
     Microsoft: Trojan:Win32/Ircbrute
     DrWeb: Trojan.MulDrop2.29151

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7

Side effects:
   • Third party control
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %APPDATA%\winlogon.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

   • "Kernel Drv"="%APPDATA%\winlogon.exe"

   • x"Kernel Drv"="%APPDATA%\winlogon.exe"

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********
Port: 4443
Nickname: %random character string%

 This malware has the ability to collect and send information such as:
    • Username
    • Information about the Windows operating system

 Furthermore it has the ability to perform actions such as:
     connect to IRC server
     disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel

 Miscellaneous Checks for debugger or virtual machine using time related techniques.

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Ilie on Monday, October 10, 2011
Description updated by Andrei Ilie on Tuesday, October 11, 2011

Back . . . .