Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:10/09/2012
In the wild:No
Reported Infections:Medium to high
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:58.368 Bytes
MD5 checksum:E89C9CAEB47ABC34D35E6601BE3B5341
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Kaspersky: Backdoor.Win32.Androm.ib
   •  DrWeb: BackDoor.Andromeda.22

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops a file
   • Registry modification

 Files It copies itself to the following location:
   • %ALLUSERSPROFILE%\Local Settings\Temp\msfxxcx.scr

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "11953"="%ALLUSERSPROFILE%\Local Settings\Temp\msfxxcx.scr"

 Backdoor Contact server:
The following:
   • http://www.str**********age.php

 Injection – It injects itself into a process.

    Process name:
   • %SYSDIR%\wuauclt.exe

Description inserted by Eric Burk on Monday, September 10, 2012
Description updated by Eric Burk on Monday, September 10, 2012

Back . . . .