Date discovered: 13/08/2012
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 143872 Bytes
MD5 checksum: df9e701e44f7bb5a2b284ffd0eafa30c
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

Aliases:
   •  Kaspersky: Trojan.Win32.Bublik.eme
   •  Bitdefender: Trojan.Generic.KDV.695783
   •  Eset: Win32/Spy.Bebloh.H trojan
   •  GData: Trojan.Generic.KDV.695783

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Files:
It copies itself to the following location:
   • %SYSDIR%\%five-digit random character string%.exe

Registry:
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
   • "Debugger"="%five-digit random character string%.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\

Injection:
It injects itself into all of the following processes:
   • %WINDIR%\Explorer.EXE
   • %SYSDIR%\svchost.exe
   • %SYSDIR%\csrss.exe
   • %SYSDIR%\winlogon.exe

Miscellaneous:
It checks for an internet connection by contacting the following web site:
   • ********************.php

Event handler:
It creates the following Event handler:
   • EnumWindows

Description inserted by Wensin Lee on Tuesday, August 14, 2012
Description updated by Wensin Lee on Tuesday, August 14, 2012
