Date discovered: 26/02/2013
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: - Tuesday, February 26, 2013
IVDF version: - Tuesday, February 26, 2013

General
Method of propagation:
   • No own spreading routine

   • Sophos: Troj/Agent-AAKB
   • Bitdefender: Trojan.Generic.KDV.874084
   • Eset: Win32/Adware.SystemSecurity.AL application
   • DrWeb: Trojan.Fakealert.36624
   • Norman: W32/Suspicious_Gen4.CLGZG

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

Files
It copies itself to the following location:
   • %ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%.exe

Registry
One of the following values is added in order to run the process after reboot:

   • "%random character string%"="%ALLUSERSPROFILE%\Application Data\%random character string%\%random character string%.exe"

The following registry keys are added in order to load the services after reboot:

   • "Disable Performance Counters"="dword:0x00000001"
   • "Error Count"="dword:0x000003e8"

   • "Disable Performance Counters"="dword:0x00000001"
   • "Error Count"="dword:0x000003e8"

Miscellaneous
Internet connection:
In order to check for its internet connection the following DNS server is contacted:
   • 103.4.**********.**********/api/urls?/ts=0821f2ba42e**********eca&affid70800

Description inserted by Wensin Lee on Thursday, March 14, 2013
Description updated by Wensin Lee on Thursday, March 14, 2013
