Date discovered: 25/03/2013
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low
File size: 137,728 bytes
MD5 checksum: a6bbd5b917391f42ed804efe85e03a02
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   •  Bitdefender: Trojan.Generic.KD.912250
   •  AVG: PSW.Generic10.CJIM
   •  Eset: Win32/Trustezeb.C trojan
   •  Norman: W32/Suspicious_Gen4.DEGIN

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Files
It copies itself to the following locations:
   • %Temp%\%10 digit random character string% .pre
   • C:\run\SAMPLE.EXE
   • %AppData%\%random character string%\%random character string%.exe

It deletes the initially executed copy of itself.

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="C:\Documents and Settings\Biluta\Application Data\%random character string%\%random character string%.exe"

The following registry value is added so that the temporary .pre file is removed at the next reboot (a PendingFileRenameOperations entry with an empty destination deletes the source file during boot; no service is installed):

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%Temp%\%10 digit random character string% .pre;"

The following registry value is changed (1609 is the Internet Explorer security-zone action "Display mixed content"; switching it from 1 to 0 changes it from "prompt" to "enable", so no mixed-content dialog is shown):

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000
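A triage check for the three registry artefacts listed above, added here as an example (not Avira's tooling and not code from the page): it parses a regedit 5.00 export, decodes the hex(7) REG_MULTI_SZ form in which PendingFileRenameOperations is actually exported, and flags a Run value that launches an executable from a per-sample Application Data folder, any boot-time deletion of a file under a Temp directory (broader than the single .pre file named above), and an Internet Settings value 1609 set to 0. The sample export, the user name, the random-looking names and the Zones\3 subkey are constructed assumptions (the description's own Internet Settings key path is truncated).

```python
import re
from typing import Dict, List, Tuple

# Hypothetical triage script for a .reg export; standard library only.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SESSION_MGR = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager"
INET_PREFIX = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def multi_sz_hex(strings: List[str], per_line: int = 20) -> str:
    """Encode REG_MULTI_SZ as regedit exports it: hex(7) of UTF-16LE, each string
    NUL-terminated plus a final NUL, wrapped with ',\\' and two-space continuation."""
    raw = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    pairs = [f"{b:02x}" for b in raw]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(chunks)


# Constructed sample (placeholder user, made-up names, assumed Zones\3 subkey).
PENDING = multi_sz_hex([r"\??\C:\DOCUME~1\user\LOCALS~1\Temp\ab12cd34ef.pre", ""])
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[{RUN_KEY}]
"qzmvxk"="C:\\Documents and Settings\\user\\Application Data\\qzmvxk\\qzmvxk.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[{SESSION_MGR}]
"PendingFileRenameOperations"=hex(7):{PENDING}

[{INET_PREFIX}\Zones\3]
"1609"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_multi_sz(hex_text: str) -> List[str]:
    raw = bytes(int(h, 16) for h in hex_text.split(",") if h)
    decoded = raw.decode("utf-16-le")
    if decoded.endswith("\0"):          # block terminator
        decoded = decoded[:-1]
    parts = decoded.split("\0")         # each string's own terminator
    return parts[:-1] if parts and parts[-1] == "" else parts


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Return {key: {value_name: (kind, data)}} for REG_SZ, REG_DWORD and hex(7)
    REG_MULTI_SZ values, following backslash continuation lines."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    pending = None                      # (name, hex so far) of an unfinished hex(7)
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                keys[current][name] = ("multi_sz", _decode_multi_sz(acc))
                pending = None
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslash and double quote inside string data
            keys[current][name] = ("sz", re.sub(r'\\(["\\])', r"\1", data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex(7):"):
            if data.endswith("\\"):
                pending = (name, data[7:-1])
            else:
                keys[current][name] = ("multi_sz", _decode_multi_sz(data[7:]))
    return keys


# Run value launching <name>\<name>.exe from the profile's Application Data folder.
_APPDATA_EXE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe$", re.I)


def find_indicators(reg: Dict[str, Dict[str, Tuple[str, object]]]) -> List[str]:
    """Flag the persistence, boot-time cleanup and IE zone change described above.
    The cleanup check covers any Temp-directory deletion, not only a .pre file."""
    hits: List[str] = []
    for name, (kind, data) in reg.get(RUN_KEY, {}).items():
        if kind == "sz" and _APPDATA_EXE.search(str(data)):
            hits.append(f"Run value {name!r} starts {data} from a per-sample AppData folder")
    kind, data = reg.get(SESSION_MGR, {}).get("PendingFileRenameOperations", ("multi_sz", []))
    entries = list(data) if kind == "multi_sz" else []
    # MULTI_SZ holds source/destination pairs; an empty destination means delete at boot.
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "" and re.search(r"\\temp\\", src, re.I):
            hits.append(f"PendingFileRenameOperations deletes {src} at next boot")
    for key, values in reg.items():
        if key.lower().startswith(INET_PREFIX.lower()):
            kind, data = values.get("1609", ("dword", None))
            if kind == "dword" and data == 0:
                hits.append(f"{key}: 1609 (Display mixed content) = 0, prompt disabled")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```

On a suspect host, `reg export` each of the three keys to a file and pass the file contents to parse_reg instead of SAMPLE_REG; the Run-key match is intentionally loose (any two alphanumeric names), so review the hits rather than treating them as a verdict.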

Injection
It injects into all of the following processes:
   • %WINDIR%\explorer.exe
   • %SYSDIR%\svchost.exe

Description inserted by Wensin Lee on Wednesday, March 27, 2013
Description updated by Wensin Lee on Wednesday, March 27, 2013
