Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Spy.Agent.156589
Date discovered:26/09/2011
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
File size:159744 Bytes
MD5 checksum:af95040f93cdf3e8ae07e00791736875
VDF version:7.11.15.34 - Monday, September 26, 2011
IVDF version:7.11.15.34 - Monday, September 26, 2011

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: VBObfus.bn
   •  Kaspersky: Trojan.Win32.Llac.bttq
   •  Sophos: Mal/SillyFDC-T
   •  Bitdefender: Gen:Heur.Conjar.1
   •  Grisoft: Worm/Generic2.AZTD
   •  Eset: Win32/AutoRun.VB.ALW worm
   •  GData: Gen:Heur.Conjar.1
   •  DrWeb: Trojan.VbCrypt.60
   •  Norman: Trojan W32/VBInject.AGJ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\%random character string% .exe



The following file is created:

– %HOME%\%random character string% .com Furthermore it gets executed after it was fully created.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string% "="C:\Documents and Settings\\Users\\%random character string% .exe /g"



The following registry keys are added in order to load the service after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "ShowSuperHidden"=dword:00000000

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://**********xcheck.**********-game.com:60777/**********.php

 File details Programming language:
The malware program was written in Visual Basic.

Description inserted by Wensin Lee on Friday, June 22, 2012
Description updated by Wensin Lee on Friday, June 22, 2012

Back . . . .