Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:23/10/2013
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:No
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Mcafee: VBS/Autorun.worm.aapf
   •  Avast: VBS:Decode-BL
   •  Microsoft: Worm:VBS/Jenxcus.K
   •  AVG: Exploit_c.YUV
   •  GData: Script.Packed.Cafas.A
   •  DrWeb: Trojan.Siggen5.60166

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

 Files It copies itself to the following locations:
   • %userprofile%\Start Menu\Programs\Startup\%sample_name%.vbs
   • %temp%\%sample_name%.vbs

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\software\microsoft\windows\currentversion\run]
   • "%sample_name%"="wscript.exe //B \"%temp%\%sample_name%.vbs\""

–  [HKLM\software\microsoft\windows\currentversion\run]
   • "%sample_name%"="wscript.exe //B \"%temp%\%sample_name%.vbs\""

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS server is contacted:
   • tdi**********

 File details Programming language:
The malware program was written in Visual Basic.

Description inserted by Soe-liang Tan on Friday, October 25, 2013
Description updated by Soe-liang Tan on Friday, October 25, 2013

Back . . . .