In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 102400 Bytes
MD5 checksum: 34532a17a64d595a8d139ef5fcb753cf

General Method of propagation:
   • No own spreading routine

Aliases:
   • Bitdefender: Trojan.Generic.KDV.647838
   • Eset: Win32/Trustezeb.C trojan
   • GData: Trojan.Generic.KDV.647838
   • DrWeb: Trojan.DownLoader6.17383

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

Files
It copies itself to the following locations:
   • %temp%\%10-digit random character string%.pre
   • %appdata%\%five-digit random character string%\%10-digit random character string%.exe

It deletes the initially executed copy of itself.

Registry
One of the following values is added in order to run the process after reboot:

   • "D8812EB1"="%temp%\%five-digit random character string%\%eight-digit random character string%.exe"

The following registry keys are added in order to load the services after reboot:

   • "DisableRegedit"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"

[HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10-digit random character string%.pre"

The value of the following registry key is removed:

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   • "AlternateShell"="cmd.exe"

The following registry keys are added:

   • "DisableRegedit"="dword:0x00000001"
   • "DisableRegistryTools"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
   • "Debugger"="P9KDMF.EXE"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
   • "Debugger"="P9KDMF.EXE"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
   • "Debugger"="P9KDMF.EXE"

   • "DisableRegedit"="dword:0x00000001"
   • "DisableRegistryTools"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"
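The registry changes listed above (an autorun value pointing into %temp%/%appdata%, the DisableRegedit/DisableRegistryTools/DisableTaskMgr policy values, and the Image File Execution Options "Debugger" hijack of msconfig.exe, regedit.exe and taskmgr.exe) are all visible in a plain `.reg` export of the affected hives. The following Python script is an added example written for this page, not code from the description's author or from the vendor: it parses such an export offline and flags those three indicator classes. The export text embedded in it is constructed, with placeholder paths and value data shaped like the ones described here.

```python
import re
from typing import Dict, List, Tuple

# Tools whose IFEO "Debugger" value the description says is redirected.
HIJACK_TARGETS = {"msconfig.exe", "regedit.exe", "taskmgr.exe"}
# Policy values the description lists as set to 1.
POLICY_VALUES = {"DisableRegedit", "DisableRegistryTools", "DisableTaskMgr"}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
_USER_WRITABLE = re.compile(r'(\\temp\\|\\appdata\\|%temp%|%appdata%)', re.IGNORECASE)

# Constructed .reg export (not taken from the page). Paths and the Run value
# data are placeholders; the value names mirror the description.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"D8812EB1"="C:\\Users\\user\\AppData\\Local\\Temp\\AB12C\\QWERTYUI.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="P9KDMF.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Benign\Example]
"Version"="1.0"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: raw_data}}.

    Handles the subset needed here: key headers in brackets, quoted string
    values and dword values on a single line (no hex line continuations).
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def _dword(data: str):
    """Decode 'dword:00000001' (an optional 0x prefix is tolerated) to an int."""
    m = re.match(r'dword:(?:0x)?([0-9a-fA-F]{1,8})$', data.strip())
    return int(m.group(1), 16) if m else None


def _string(data: str):
    """Unescape a quoted REG_SZ value from .reg syntax; None if not a string."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return None


def find_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for each indicator class found."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lower = key.lower()
        # 1. IFEO Debugger pointed at a system tool: the tool is replaced on launch.
        if "\\image file execution options\\" in lower:
            exe = key.rsplit("\\", 1)[-1].lower()
            if exe in HIJACK_TARGETS and "Debugger" in values:
                findings.append((key, "Debugger", "IFEO Debugger hijack of " + exe))
        # 2. Policy values that disable regedit / task manager.
        if lower.endswith("\\policies\\system"):
            for name in sorted(POLICY_VALUES & set(values)):
                if _dword(values[name]) == 1:
                    findings.append((key, name, "tool disabled via policy"))
        # 3. Autorun entries launching from a user-writable directory.
        if lower.endswith("\\currentversion\\run"):
            for name, data in values.items():
                s = _string(data)
                if s and _USER_WRITABLE.search(s):
                    findings.append((key, name, "autorun from user-writable path"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_indicators(SAMPLE_REG_EXPORT):
        print(f"{reason}: [{key}] {name}")
```

On a live host the same checks can be run against `reg export` output of HKCU and HKLM; a hit on the IFEO or policy indicators is worth treating as suspicious on its own, while the autorun heuristic is a triage aid that will also match legitimate per-user installers.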

Injection
It injects itself into a process.

Miscellaneous
Accesses internet resources:
   • http://********************.php?id=**********E45544E45&cmd=pcc&win=Windows_XP&loc=0x0809&ver=2.000.11
   • http://********************.php?id=**********45544E45&cmd=lfk&ldn=31&stat=CRA&ver=2.000.11&data=**********L86tkrTFDMEt9Cgt8DREw==

File details
Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Wensin Lee on Wednesday, June 13, 2012
Description updated by Wensin Lee on Wednesday, June 13, 2012

