Virus:TR/Spy.MiniFlame.A.1
Date discovered:16/10/2012
Type:Trojan
Subtype:Spy
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:No
VDF version:7.11.46.90 - Tuesday, October 16, 2012
IVDF version:7.11.46.90 - Tuesday, October 16, 2012

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.MiniFlame.a
   •  Eset: Win32/MiniFlame.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Can be used to execute malicious code
   • Drops a file
   • Steals information

Files
The following file is created:

– Non-malicious file:
   • %ALLUSERSPROFILE%\mstlis.log

Registry
The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation]
   • "StandardDateBias"=hex:4e,52,d1,d4

Miscellaneous
Strings:
Furthermore, it contains the following strings:
   • 'CreateProcessAsUserA'
   • 'GetNamedSecurityInfoA'
   • 'CxxFrameHandler'
   • 'WriteProcessMemory'
   • 'VirtualProtectEx'
   • 'Counter 009'
   • 'Bantivirus.exe'
   • 'Bbdagent.exe'
   • 'Boutpost.exe'
   • 'allusersprofile%\mstlis.log'
   • 'BIphlpapi.dll'
   • 'BWs2_32.dll'
   • 'BContLo.txt'
   • 'BCont.txt'
   • 'BChannelD.txt'
   • 'BChannelC.txt'
   • 'BChannelB.txt'
   • 'BChannelA.txt'
   • 'Bca**********.dyndns.info'
   • 'Bw**********.dyndns.info'
   • 'Bw**********.velocitycache.com'
   • 'Bw**********.autoflash.info'
   • 'Bw**********.serveftp.com'
   • 'Bw**********.hopto.org'
   • 'Bpetsec.sys'
   • 'Backup0M'
   • 'Backup0L'
   • 'Backup0K'
   • 'Backup0J'
   • 'Backup0I'
   • 'Backup0H'
   • 'Backup0G'
   • 'Backup0F'
   • 'Backup0E'
   • 'Backup0D'
   • 'thumbs.db'
   • 'BGetThreadDesktop'
   • 'BSetThreadDesktop'
   • 'BCloseDesktop'
   • 'BCreateDesktopA'
   • 'BOpenDesktopA'
   • 'BRegNotifyChangeKeyValue'
   • 'windir%\System32\stobject.dll'
   • 'allusersprofile%\icsvntu32.ocx'
   • 'BDllUnregisterServer'
   • 'BDllRegisterServer'
   • 'BDllGetClassObject'
   • 'BDllCanUnloadNow'
   • 'NotifyLogoffUser'
   • 'NotifyLogonUser'
   • 'RegisterTheEventServiceDuringSetup'
   • 'RegisterTheEventServiceAfterSetup'
   • 'RegisterTheFrigginEventServiceDuringSetup'
   • 'RegisterTheFrigginEventServiceAfterSetup'
   • 'PerUserInit'
   • 'RestoreMyDocsFolder'
   • 'SvchostPushServiceGlobals'
   • 'Bavastui.exe'
   • 'Bavastsvc.exe'
   • 'Bsymcorpui.exe'
   • 'Bsmcgui.exe'
   • 'Bsmc.exe'
   • 'Bccsvchst.exe'
   • 'Btmbmsrv.exe'
   • 'Bprotoolbarcomm.exe'
   • 'Btscfcommander.exe'
   • 'Btmas_oemon.exe'
   • 'Bufseagent.exe'
   • 'Btmproxy.exe'
   • 'Btmpfw.exe'
   • 'Bprotoolbarupdate.exe'
   • 'Bsfctlcom.exe'
   • 'Btmarsvc.exe'
   • 'Btscfpplatformcomsvr.exe'
   • 'Bekrn.exe'
   • 'Begui.exe'
   • 'PhysicalDrive'
   • 'BUSBSTOR'
   • 'desktop.ini'
   • 'target.lnk'
   • 'allusersprofile%\petsec.sys'
   • 'BUSB_RESULT '
   • 'BClassName'
   • 'BDefaultUserName'
   • 'Bkernel32.dll'
   • 'SeTakeOwnershipPrivilege'
   • 'SeRestorePrivilege'
   • 'BGetIfTable'
   • 'Biphlpapi.dll'
   • 'Bshlwapi.dll'
   • 'BPathStripPathA'
   • 'BLoadLibraryA'
   • 'BVirtualAlloc'
   • 'BVirtualFree'
   • 'BVirtualProtect'
   • 'BGetProcAddress'
   • 'KERNEL32.DLL'
   • 'WINDOWS\System32\stobject.dll'
   • 'Documents and Settings\All Users\icsvntu32.ocx'
   • 'explorer.exe'

File details
Programming language:
The malware program was written in MS Visual C++.
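A triage script built from the indicators in the Files, Registry and Strings sections above, as an added example that is not part of the Avira description. It assumes the leading 'B' on many listed strings is string-extraction residue and strips it, deliberately leaves out the generic Win32 API names (LoadLibraryA, VirtualAlloc and so on) that occur in nearly every Windows binary, and uses only the fixed suffixes of the masked dynamic-DNS hostnames, which are weak indicators on their own. The sample file images are constructed, not real malware bytes. Two caveats a responder should keep in mind: HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation is a legitimate Windows key, so the indicator is the added StandardDateBias value and its data (not a value Windows itself keeps there), not the key; and mstlis.log is listed above as a non-malicious file, so its presence corroborates rather than proves an infection.

```python
"""Triage helpers built from the TR/Spy.MiniFlame.A.1 indicators above.

Added example, not Avira's code. Everything runs offline on constructed
input; the host checks only do real work when executed on Windows.
"""
import os
import sys
from typing import Dict, List, Optional

# Host indicators copied from the Files and Registry sections.
DROPPED_FILE = r"%ALLUSERSPROFILE%\mstlis.log"
REG_KEY_PATH = r"SYSTEM\ControlSet001\Control\TimeZoneInformation"  # under HKLM
REG_VALUE_NAME = "StandardDateBias"
REG_VALUE_DATA = bytes.fromhex("4e52d1d4")  # page lists it as hex:4e,52,d1,d4

# Embedded strings copied from the Strings section. Assumption: the leading
# 'B' on many listed entries is extraction residue, so it is dropped here.
# Generic API names are excluded on purpose; they would only produce noise.
STRING_INDICATORS: List[bytes] = [
    b"mstlis.log",
    b"icsvntu32.ocx",
    b"petsec.sys",
    b"RegisterTheFrigginEventServiceDuringSetup",
    b"RegisterTheFrigginEventServiceAfterSetup",
    b"ChannelA.txt", b"ChannelB.txt", b"ChannelC.txt", b"ChannelD.txt",
    b"Cont.txt", b"ContLo.txt",
    b"USB_RESULT",
    b"Counter 009",
]
# The dynamic-DNS hostnames are masked on the page ('w**********.hopto.org'),
# so only their fixed suffixes are usable; alone they are weak indicators.
DYNDNS_SUFFIXES: List[bytes] = [
    b".dyndns.info", b".velocitycache.com", b".autoflash.info",
    b".serveftp.com", b".hopto.org",
]


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Return which indicators occur in a file image (case-insensitive ASCII)."""
    low = data.lower()
    return {
        "strings": [s.decode() for s in STRING_INDICATORS if s.lower() in low],
        "dyndns": [s.decode() for s in DYNDNS_SUFFIXES if s.lower() in low],
    }


def verdict(hits: Dict[str, List[str]], min_strings: int = 2) -> bool:
    """Flag a sample on >= min_strings specific strings, or on one specific
    string plus a dynamic-DNS suffix. The threshold is a triage choice of this
    example, not something the description prescribes."""
    n = len(hits["strings"])
    return n >= min_strings or (n >= 1 and bool(hits["dyndns"]))


def scan_file(path: str) -> Dict[str, List[str]]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def check_dropped_file() -> Optional[bool]:
    """True/False on Windows; None where %ALLUSERSPROFILE% does not exist."""
    base = os.environ.get("ALLUSERSPROFILE")
    if base is None:
        return None
    return os.path.isfile(os.path.join(base, "mstlis.log"))


def check_registry_marker() -> Optional[bool]:
    """True if the listed StandardDateBias bytes sit under TimeZoneInformation.
    The key itself is legitimate; only the added value is the indicator.
    Returns None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY_PATH) as key:
            data, kind = winreg.QueryValueEx(key, REG_VALUE_NAME)
    except OSError:  # key or value absent, or not readable
        return False
    return kind == winreg.REG_BINARY and bytes(data) == REG_VALUE_DATA


# Constructed sample images (not real malware bytes) to exercise the scanner.
SUSPECT_IMAGE = (b"MZ\x90\x00" + b"\x00" * 32
                 + b"%allusersprofile%\\mstlis.log\x00"
                 + b"RegisterTheFrigginEventServiceAfterSetup\x00"
                 + b"w**********.hopto.org\x00")
BENIGN_IMAGE = b"MZ\x90\x00" + b"LoadLibraryA\x00GetProcAddress\x00kernel32.dll\x00"

if __name__ == "__main__":
    for name, img in (("suspect", SUSPECT_IMAGE), ("benign", BENIGN_IMAGE)):
        hits = scan_bytes(img)
        print(name, verdict(hits), hits)
    print("dropped file:", check_dropped_file(),
          "registry marker:", check_registry_marker())
```

Run it as-is to see the constructed images classified, or call scan_file() on a suspect binary; on a Windows host the two check_*() functions give the file and registry results for the live system.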

Description inserted by Jason Soo on Tuesday, October 16, 2012
Description updated by Lutz Koch on Tuesday, October 16, 2012
