Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:17/07/2008
In the wild:No
Reported Infections:Medium
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:131072 Bytes
MD5 checksum:62A9D50283697D8AE63FAD926F37CDC3
VDF version:
IVDF version: - Thursday, July 17, 2008

 General Method of propagation:
   • No own spreading routine

   •  Sophos: Troj/Ransom-UA
   •  Eset: Win32/Trustezeb.C

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

 Files It copies itself to the following locations:
   • %temp%\%random%.pre
   • %appdata%\%random%\%random%.exe

It deletes the initially executed copy of itself.

 Registry One of the following values is added in order to run the process after reboot:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "%random%"="%appdata%\%random%\%random%.exe"

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://nvu**********.com/inbox.php?ltype=ld&ccr=1&id=%system_hash%&stat=0&ver=2000803&loc=0x0809&os=%osname%

Description inserted by Soe-liang Tan on Wednesday, May 15, 2013
Description updated by Soe-liang Tan on Wednesday, May 15, 2013

Back . . . .