Virus: TR/Injector.tcr
Date discovered: 13/08/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 143872 Bytes
MD5 checksum: df9e701e44f7bb5a2b284ffd0eafa30c
VDF version: 7.11.39.178 - Monday, August 13, 2012
IVDF version: 7.11.39.178 - Monday, August 13, 2012

General:
Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Trojan.Win32.Bublik.eme
   • Bitdefender: Trojan.Generic.KDV.695783
   • Eset: Win32/Spy.Bebloh.H trojan
   • GData: Trojan.Generic.KDV.695783


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files:
It copies itself to the following location:
   • %SYSDIR%\%five-digit random character string%.exe

Registry:
The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
   • "Debugger"="%five-digit random character string%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\72C64769]

Injection:
It injects itself into all of the following processes:
   • %WINDIR%\Explorer.EXE
   • %SYSDIR%\svchost.exe
   • %SYSDIR%\csrss.exe
   • %SYSDIR%\winlogon.exe


Miscellaneous:
It checks for an internet connection by contacting the following web site:
   • **********rera.com/was/**********.php


Event handler:
It creates the following Event handler:
   • EnumWindows

Description inserted by Wensin Lee on Tuesday, August 14, 2012
Description updated by Wensin Lee on Tuesday, August 14, 2012
