Virus: TR/Drop.Daws.bkvc
Date discovered: 07/03/2013
Type: Trojan
Subtype: Drop
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 399872 Bytes
MD5 checksum: ab3dd8f76388aefb652cbac449ed19c9
VDF version: 7.11.64.00 - Thursday, March 7, 2013
IVDF version: 7.11.64.00 - Thursday, March 7, 2013

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\Ssan.exe



The following file is created:
   • %SYSDIR%\Ssam.exe

This file is executed as soon as it has been fully written. Further investigation showed that this file is malware, too.

Registry
The following registry key is added in order to load the service after reboot:

[HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   • @=dword:0000001f



The following registry keys are added:

[HKLM\SYSTEM\ControlSet001\Services\SampleService]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="c:\windows\\system32\\Ssan.exe"
   • "DisplayName"="Sample Service"
   • "ObjectName"="LocalSystem"
   • "Description"="Service program written Software."

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAMPLESERVICE]
   • "NextInstance"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAMPLESERVICE\0000]
   • "Service"="SampleService"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Sample Service"

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAMPLESERVICE\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="SampleService"

[HKLM\SYSTEM\ControlSet001\Services\SampleService\Enum]
   • "0"="Root\\LEGACY_SAMPLESERVICE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001
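The keys above describe a standard auto-start service (Start=2, running as LocalSystem) whose ImagePath points at the dropped Ssan.exe. The following PowerShell check is an added example written for this page, not Avira's own tooling: it walks the live Services hive (CurrentControlSet, which on a running system maps to the ControlSet001 entries listed above) and reports any service whose name, DisplayName or image file name matches the indicators in this description, hashing the image on disk so it can be compared with the MD5 given at the top of the page.

```powershell
# Added example (not from the Avira description): audit installed services for
# the persistence pattern described above. Indicator values are taken from this page.
$Indicators = @{
    ServiceName = 'SampleService'
    DisplayName = 'Sample Service'
    ImageNames  = @('Ssan.exe', 'Ssam.exe')
    Md5         = 'ab3dd8f76388aefb652cbac449ed19c9'
}

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($Key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
    $Props = Get-ItemProperty -Path $Key.PSPath -ErrorAction SilentlyContinue
    if (-not $Props.ImagePath) { continue }

    # Expand %SystemRoot%-style variables, strip quotes and any service arguments.
    $Image = [Environment]::ExpandEnvironmentVariables($Props.ImagePath).Trim('"')
    if ($Image -match '^(.*?\.exe)') { $Image = $Matches[1] }
    $Leaf = Split-Path -Path $Image -Leaf

    $Hits = @()
    if ($Key.PSChildName -eq $Indicators.ServiceName)  { $Hits += 'service name' }
    if ($Props.DisplayName -eq $Indicators.DisplayName) { $Hits += 'display name' }
    if ($Indicators.ImageNames -contains $Leaf)         { $Hits += 'image name' }
    if ($Hits.Count -eq 0) { continue }

    # Hash the image on disk (if present) so it can be compared with the published MD5.
    $Hash = $null
    if (Test-Path -LiteralPath $Image) {
        $Hash = (Get-FileHash -LiteralPath $Image -Algorithm MD5).Hash.ToLower()
    }

    [pscustomobject]@{
        Service   = $Key.PSChildName
        Start     = $Props.Start          # 2 = automatic start, as in the keys above
        Account   = $Props.ObjectName
        ImagePath = $Image
        MatchedOn = ($Hits -join ', ')
        Md5       = $Hash
        Md5Match  = ($Hash -eq $Indicators.Md5)
    }
}
```

Run it from an elevated prompt; a match on name alone without an MD5 match still deserves a look, since a later variant may differ only in its binary.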

Miscellaneous
Event handler:
It creates the following Event handlers:
   • CreateService
   • CloseServiceHandle
   • StartService
   • OpenSCManager
   • URLDownloadToFile


String:
Furthermore it contains the following strings:
   • Open author's Web Home Page
   • VB6 Service Sample started

Description inserted by Wensin Lee on Friday, March 8, 2013
Description updated by Wensin Lee on Friday, March 8, 2013
