In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 102400 Bytes
MD5 checksum: 34532a17a64d595a8d139ef5fcb753cf

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Bitdefender: Trojan.Generic.KDV.647838
   • Eset: Win32/Trustezeb.C trojan
   • GData: Trojan.Generic.KDV.647838
   • DrWeb: Trojan.DownLoader6.17383

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

Files
It copies itself to the following locations:
   • %temp%\%10-digit random character string%.pre
   • %appdata%\%five-digit random character string%\%10-digit random character string%.exe

It deletes the initially executed copy of itself.

Registry
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "D8812EB1"="%temp%\%five-digit random character string%\%eight-digit random character string%.exe"

The following registry keys are added in order to load the services after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "DisableRegedit"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10-digit random character string%.pre"

The value of the following registry key is removed:

–  [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   • "AlternateShell"="cmd.exe"

The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegedit"="dword:0x00000001"
   • "DisableRegistryTools"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
   • "Debugger"="P9KDMF.EXE"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
   • "Debugger"="P9KDMF.EXE"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
   • "Debugger"="P9KDMF.EXE"

– [HKEY_USERS\S-1-5-21-602162358-2077806209-839522115-1003\Software\
   • "DisableRegedit"="dword:0x00000001"
   • "DisableRegistryTools"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"
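The registry changes above (IFEO "Debugger" hijack of the admin tools, policy values that disable regedit and Task Manager, the pending-rename dropper, and the removed Safe Mode shell) can be audited on a host with the following read-only script. It is an added example, not part of Avira's description; it assumes an elevated PowerShell session and flags any Debugger value on the three tools, not only the P9KDMF.EXE string reported here.

```powershell
# Added audit script (not Avira's): read-only check of the registry
# indicators listed in this description. Run in an elevated PowerShell.
$findings = @()

# 1. Image File Execution Options "Debugger" hijack of msconfig/regedit/taskmgr.
#    Any Debugger value on these tools is suspicious, whatever the file name.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msconfig.exe', 'regedit.exe', 'taskmgr.exe') {
    $dbg = Get-ItemProperty -Path (Join-Path $ifeo $exe) -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) { $findings += "IFEO Debugger set for $exe -> $($dbg.Debugger)" }
}

# 2. Policy values that disable regedit / Task Manager (HKCU and HKLM).
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($key in $policyKeys) {
    foreach ($name in 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr') {
        $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($v -and $v.$name -eq 1) { $findings += "$name=1 under $key" }
    }
}

# 3. Pending file rename that points at a .pre dropper in the temp directory.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($sm) {
    foreach ($entry in $sm.PendingFileRenameOperations) {
        if ($entry -match '\\Temp\\.*\.pre$') { $findings += "PendingFileRenameOperations: $entry" }
    }
}

# 4. Safe Mode AlternateShell removed (a clean Windows install sets it to cmd.exe).
$sb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' `
        -Name AlternateShell -ErrorAction SilentlyContinue
if (-not $sb) { $findings += 'SafeBoot AlternateShell value is missing' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Trustezeb registry indicators found' }
```

The script only reads the registry; removing the IFEO Debugger values and restoring AlternateShell is a separate, deliberate cleanup step.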

Injection
It injects itself into a process.

Miscellaneous
Accesses internet resources:
   • http://********************.php?id=**********E45544E45&cmd=pcc&win=Windows_XP&loc=0x0809&ver=2.000.11
   • http://********************.php?id=**********45544E45&cmd=lfk&ldn=31&stat=CRA&ver=2.000.11&data=**********L86tkrTFDMEt9Cgt8DREw==

File details
Programming language:
The malware program was written in Visual Basic.

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Wensin Lee on Wednesday, June 13, 2012
Description updated by Wensin Lee on Wednesday, June 13, 2012
