Date discovered: 20/03/2013
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.11.65.154 - Wednesday, March 20, 2013
IVDF version: 7.11.65.154 - Wednesday, March 20, 2013

General

Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: WS.Reputation.1
   • Kaspersky: Trojan-Dropper.Win32.NSIS.ann
   • Sophos: W32/Gamarue-AO
   • Avast: Win32:Download-STI
   • Microsoft: Worm:Win32/Gamarue.I
   • DrWeb: BackDoor.Andromeda.22
   • Fortinet: W32/NSIS.ANN!tr
   • Ikarus: Trojan-Dropper.Win32.NSIS


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Files

It copies itself to the following location:
   • %temp%\0B.tmp



The following files are created:

– Temporary files that might be deleted afterwards:
   • %temp%\Yumicebivud.rih
   • %temp%\Gozekeneka.dll
   • %temp%\Zojemilocan.dll
   • %temp%\xuxokuxoka.dll
   • %temp%\nspA.tmp
   • %temp%\Sahofivizu.exe
   • %temp%\MSI\msiexec.exe




It tries to execute the following files:

Filenames:
   • %temp%\Sahofivizu.exe
   • %temp%\MSI\msiexec.exe

File details

Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Soe-liang Tan on Friday, March 22, 2013
Description updated by Soe-liang Tan on Friday, March 22, 2013
