Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:26/09/2011
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
File size:159744 Bytes
MD5 checksum:af95040f93cdf3e8ae07e00791736875
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Mcafee:
   •  Kaspersky: Trojan.Win32.Llac.bttq
   •  Sophos: Mal/SillyFDC-T
   •  Bitdefender: Gen:Heur.Conjar.1
   •  Grisoft: Worm/Generic2.AZTD
   •  Eset: Win32/AutoRun.VB.ALW worm
   •  GData: Gen:Heur.Conjar.1
   •  DrWeb: Trojan.VbCrypt.60
   •  Norman: Trojan W32/VBInject.AGJ

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\%random character string% .exe

The following file is created:

– %HOME%\%random character string% .com Furthermore it gets executed after it was fully created.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string% "="C:\Documents and Settings\\Users\\%random character string% .exe /g"

The following registry keys are added in order to load the service after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "ShowSuperHidden"=dword:00000000

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://**********xcheck.********************.php

 File details Programming language:
The malware program was written in Visual Basic.

Description inserted by Wensin Lee on Friday, June 22, 2012
Description updated by Wensin Lee on Friday, June 22, 2012

Back . . . .