Virus: TR/Injector.aqa
Date discovered: 25/05/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 96768 Bytes
MD5 checksum: cbd0278ebe4f2e28c1b242d8ead116c8
VDF version: 7.11.31.00 - Friday, May 25, 2012
IVDF version: 7.11.31.00 - Friday, May 25, 2012

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Bitdefender: Trojan.Generic.KD.888042
   • Eset: Win32/Trustezeb.C trojan
   • DrWeb: Trojan.DownLoader8.15433
   • Norman: W32/Suspicious_Gen4.CRHPT


Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
It copies itself to the following location:
   • %Temp%\%10 digit random character string%.pre



It deletes the initially executed copy of itself.

Registry
One of the following values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%10 digit random character string%\%10 digit random character string%.exe"



The following registry keys are added in order to load the services after reboot:

[HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance]
   • "Disable Performance Counters"="dword:0x00000001"

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   • "EnableFirewall"=dword:00000000
   • "DoNotAllowExceptions"=dword:00000000



The following registry keys are changed:

[HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance]
   Old value:
   • "Error Count"=dword:00000012
   New value:
   • "Error Count"="dword:0x000003e8"

[HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance]
   Old value:
   • "Error Count"=dword:00000012
   New value:
   • "Error Count"="dword:0x000003e8"
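The registry artefacts above (the Run entry pointing at a ten-character random folder and executable, the StandardProfile firewall values set to 0, and the disabled RemoteAccess performance counters) can be checked for in an exported registry hive. The following is an added example, not part of the Avira description: it parses a constructed .reg-style export (all key paths and sample values are made up) and reports which of the listed indicators are present. DoNotAllowExceptions=0 is the normal default, so it is only reported alongside EnableFirewall=0.

```python
import re

# Constructed .reg-style export (not from the page); the second Run entry mimics the
# pattern the description gives: random value name -> %HOME%\<10 chars>\<10 chars>.exe
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"xk3lq"="C:\\Users\\alice\\a8f2kd91qz\\a8f2kd91qz.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Performance]
"Disable Performance Counters"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
# A 10-character alphanumeric folder holding a 10-character alphanumeric .exe
RANDOM_EXE_RE = re.compile(r"\\[A-Za-z0-9]{10}\\[A-Za-z0-9]{10}\.exe\b", re.IGNORECASE)

def parse_reg(text):
    # Returns {key_path: {value_name: data}}; dwords become int, strings are unescaped
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, dword, string = val.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys

def find_indicators(text):
    # Flags the registry artefacts listed in the description and returns them as strings
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(r"\firewallpolicy\standardprofile") and values.get("EnableFirewall") == 0:
            extra = " (DoNotAllowExceptions=0 also set)" if values.get("DoNotAllowExceptions") == 0 else ""
            findings.append(f"Windows Firewall disabled in {key}{extra}")
        if k.endswith(r"\services\remoteaccess\performance") and values.get("Disable Performance Counters") == 1:
            findings.append(f"performance counters disabled in {key}")
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and RANDOM_EXE_RE.search(data):
                    findings.append(f"Run entry {name!r} launches {data}")
    return findings
```

The performance-counter value is weak on its own, since Windows also sets it after repeated counter errors; the firewall disable and the random-path Run entry are the stronger signals.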

Injection
It injects into the following process: svchost.exe

Miscellaneous
Internet connection:
In order to check for its internet connection, the following DNS servers are contacted:
   • zeo**********-gt.com
   • frankow-plo**********.com

Description inserted by Wensin Lee on Friday, March 8, 2013
Description updated by Wensin Lee on Friday, March 8, 2013
