Date discovered: 27/08/2012
Type: Backdoor Server
In the wild: No
Reported Infections: High
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 88.064 Bytes
MD5 checksum: 34F2EF9D9E779A7D71D1999107FC845C
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky:
   • Eset: Win32/Kryptik.AKXZ
   • DrWeb: BackDoor.Andromeda.22

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Files
It drops a copy of itself using a filename from a list:
– To: C:\Documents and Settings\All Users, using one of the following names:
   • svchost.exe

– To: %ALLUSERSPROFILE%\Local Settings\Temp, using one of the following names:
   • %random character string%.bat
   • %random character string%.pif
   • %random character string%.scr
   • %random character

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched"="%ALLUSERSPROFILE%\svchost.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.pif"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.bat"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character string%.scr"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "%number%"="%ALLUSERSPROFILE%\Local Settings\Temp\%random character"

Email
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:

The sender address is spoofed.

Email design:

Subject: Your Order with
   • Want to manage your order online?
     If you need to check the status of your order or make changes, please visit our home page at and click on Your Account at the top of any page.
     Order Grand Total: $86.76
     Get the Rewards Visa Card and earn 3% rewards on your orders. Click for more information.
     Need to give a gift? Not sure what to buy? gift certificates/cards are available in any dollar amount from $5 to $5,000.
     We'll deliver it via e-mail--it's the perfect last-minute gift.
     Learn more at
     Need to print an invoice?
     Visit and click to view your orders. Click "View order" next to the appropriate order. You'll find a button to print an invoice on the next page
     Got questions? We've got answers. Visit our online Help department, available 24 hours a day:
     Please note: This e-mail message was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
     If you ever need to return an order, visit our Online Returns Center:
     Thanks again for shopping with us.
     Earth's Biggest Selection

The attachment is an archive containing a copy of the malware itself.

Backdoor
The following port is opened:

– %ALLUSERSPROFILE%\svchost.exe on TCP port 8000 in order to provide a remote Shell.

Contact server:
   • http://stripe**********image.php

Once connected, it retrieves an additional list of servers.
Through these it may send out information, and remote control of the system could be provided.

Injection
It injects itself into a process.

Process name:
   • %SYSDIR%\wuauclt.exe
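The file, registry and backdoor indicators listed above can be checked on a suspect host with the following PowerShell triage script. This is an added example and not Avira's tooling; it assumes an elevated session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and because the page truncates the policies\Explorer subkey name, it walks every subkey under policies\Explorer rather than assuming one. The injection into wuauclt.exe is not checked here.

```powershell
# Added host triage for the indicators on this page; not Avira's tooling.
# Run in an elevated PowerShell session (Get-NetTCPConnection needs Windows 8 / Server 2012+).
function Find-AndromedaIndicators {
    $findings = @()
    $allUsers = $env:ALLUSERSPROFILE

    # 1. Dropped copy: %ALLUSERSPROFILE%\svchost.exe (the genuine svchost.exe lives in System32).
    $dropped = Join-Path $allUsers 'svchost.exe'
    if (Test-Path -LiteralPath $dropped) {
        $md5 = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash
        $findings += "Dropped file: $dropped (MD5 $md5)"
    }

    # 2. Droppers in %ALLUSERSPROFILE%\Local Settings\Temp with the extensions named above.
    $tempDir = Join-Path $allUsers 'Local Settings\Temp'
    if (Test-Path -LiteralPath $tempDir) {
        $files = Get-ChildItem -LiteralPath $tempDir -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in '.bat', '.pif', '.scr' }
        foreach ($f in $files) { $findings += "Temp dropper: $($f.FullName)" }
    }

    # 3a. Persistence: the Run value SunJavaUpdateSched.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'SunJavaUpdateSched' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value SunJavaUpdateSched = $($run.SunJavaUpdateSched)" }

    # 3b. The page truncates the policies\Explorer subkey name, so walk every subkey under it
    #     and flag values pointing at a .bat/.pif/.scr in the temp directory.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
    if (Test-Path -LiteralPath $polKey) {
        $keys = @(Get-Item -LiteralPath $polKey) +
                @(Get-ChildItem -LiteralPath $polKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $value = [string]$k.GetValue($name)
                if ($value -match '(?i)Local Settings\\Temp\\[^\\]+\.(bat|pif|scr)\b') {
                    $findings += "Policy value $($k.Name)\$name = $value"
                }
            }
        }
    }

    # 4. Remote-shell listener on TCP 8000 and the process that owns it.
    $listeners = Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $listeners) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP 8000 listener: PID $($c.OwningProcess) ($($proc.Path))"
    }

    return $findings
}

Find-AndromedaIndicators
```

An empty result means none of the listed indicators were found; any hit should be followed up by hashing the file and comparing against the MD5 given above.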

Description inserted by Tudor Ciochina on Tuesday, August 28, 2012
Description updated by Tudor Ciochina on Wednesday, August 29, 2012
