Date discovered: 24/09/2012
In the wild: No
Reported Infections: High
Distribution Potential: Low
Damage Potential: Medium
File size: 83.968 Bytes
MD5 checksum: 85224ebc62f1c9d7a2d235d917d0fe58
VDF version:
IVDF version:

General:
   • No own spreading routine

   •  Sophos: Troj/Agent-XWE
   •  Eset: Win32/TrojanDownloader.Zortob.B
   •  DrWeb: Trojan.DownLoader6.58946

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Right after execution, it runs a Windows application that displays the following window:

Files:
It copies itself to the following location:
   • %HOME%\%eight-digit random character string%.exe

It deletes the initially executed copy of itself.

The following file is created:
   • %malware execution directory%\%executed file%.txt

It is opened using the default application for this file type.

Backdoor:
Contact server:
The following:
   • http://%IP address%/%hex number%

As a result, it may send information, and remote control could be provided. It also repeats the connection periodically.

Injection:
   – It injects itself as a remote thread into processes.

Process name:
   • %SYSDIR%\svchost.exe

Description inserted by Daniel Mocanu on Tuesday, September 25, 2012
Description updated by Daniel Mocanu on Tuesday, September 25, 2012
