Date discovered: 26/02/2013
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   •  Sophos: Troj/Agent-AAKB
   •  Bitdefender: Trojan.Generic.KDV.874084
   •  Eset: Win32/Adware.SystemSecurity.AL application
   •  DrWeb: Trojan.Fakealert.36624
   •  Norman: W32/Suspicious_Gen4.CLGZG

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

Files
It copies itself to the following location:
   • %ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%.exe

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "%random character string%"="%ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%.exe"

The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance]
   • "Disable Performance Counters"="dword:0x00000001"
   • "Error Count"="dword:0x000003e8"

– [HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance]
   • "Disable Performance Counters"="dword:0x00000001"
   • "Error Count"="dword:0x000003e8"

Miscellaneous
Internet connection:
In order to check for its internet connection, the following DNS server is contacted:
   • 103.4.**********.**********/api/urls?/ts=0821f2ba42e**********eca&affid70800

Description inserted by Wensin Lee on Thursday, March 14, 2013
Description updated by Wensin Lee on Thursday, March 14, 2013
