Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:BDS/Maxplus.B
Date discovered:02/03/2012
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Low
File size:32256 Bytes
MD5 checksum:10466e54d920019d7a1b3bfeb0d7f143
VDF version:7.11.24.126 - Friday, March 2, 2012
IVDF version:7.11.24.126 - Friday, March 2, 2012

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Generic
   •  Kaspersky: HEUR:Backdoor.Win64.Generic
   •  Sophos: Mal/Generic-L
   •  Bitdefender: Trojan.Generic.7049498
     Microsoft: Trojan:Win64/Sirefef.K
   •  Grisoft: Generic26.YFQ
   •  Eset: Win64/Sirefef.O trojan
     GData: Trojan.Generic.7049498
     DrWeb: BackDoor.Maxplus.612
     Norman: Trojan ZAccess.BR


Platforms / OS:
    Windows Vista
    Windows Server 2008
    Windows 7


Side effects:
    Can be used to execute malicious code

 Backdoor Contact server:
This is done via the HTTP GET request on a PHP script.

 Miscellaneous Event handler:
It creates the following Event handlers:
   • ZwSetHighWaitLowEventPair
   • ZwWaitForSingleObject
   • ZwSetInformationFile
   • ZwWaitHighEventPair
   • ZwSetLowEventPair
   • ZwCreateEventPair
   • ZwDelayExecution
   • DhcpNameServer
   • ZwCancelTimer
   • ZwCreateTimer
   • OpenDesktopW
   • PostMessageW
   • ZwCreateFile
   • WWW_OpenURL


String:
Furthermore it contains the following strings:
   • GET /p/**********.php?w=%u&i=%S&n=%u
   • HTTP/1.0
   • Host: %s
   • GET %s
   • resident.dll

Description inserted by Wensin Lee on Monday, March 5, 2012
Description updated by Wensin Lee on Monday, March 5, 2012

Back . . . .