Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Adware/ELEX.W
Date discovered:06/11/2013
Type:Adware
In the wild:No
Reported Infections:Medium to high
Distribution Potential:Low
Damage Potential:Low
Static file:No
File size:~1.706.100 Bytes
VDF version:7.11.111.4
IVDF version:7.11.111.4

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Trojan-FDFA!97A1B2C9F75A
   •  TrendMicro: TROJ_STASER.AB
   •  Sophos: Mal/Behav-363
   •  Microsoft: Trojan:Win32/Wysotot.A
   •  Eset: Win32/ELEX.S application
   •  Fortinet: W32/VMProtBad.A!tr
   •  Ikarus: Trojan.Win32.Wysotot
   •  Norman: Troj_Generic.QOKNX


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

 Files It copies itself to the following location:
   • %ALLUSERSPROFILE%\Application Data\eSafe\eGdpSvc.exe

 Registry The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   WsysControl]
   • "DisplayName"="Wsys Control 10.2.1.2652"
   • "DisplayVersion"="10.2.1.2652"
   • "publisher"="Wsys Co., Ltd."
   • "UninstallString"="C:\Documents and Settings\\All Users\\Application Data\\eSafe\\eGdpSvc.exe -unsvc"
   • "DisplayIcon"="C:\Documents and Settings\\All Users\\Application Data\\eSafe\\eGdpSvc.exe"

– [HKLM\SOFTWARE\eSafeSecControl]
   • "sid"="eGdp"
   • "channel"="eGdp"
   • "pid"="eSafe"
   • "ver"="10.2.1.2652"

– [HKLM\SYSTEM\ControlSet001\Services\WsysSvc]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="C:\Documents and Settings\\All Users\\Application Data\\eSafe\\eGdpSvc.exe"
   • "DisplayName"="Wsys Service"
   • "Group"="SchedulerGroup"
   • "ObjectName"="LocalSystem"
   • "Description"="Wsys update service"

– [HKLM\SYSTEM\ControlSet001\Services\WsysSvc\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,....[168 bytes]

– [HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\
   WsysSvc]
– [HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\WsysSvc]
   • "EventMessageFile"="C:\Documents and Settings\\All Users"
   • "TypesSupported"=dword:00000007

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSYSSVC]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSYSSVC\0000]
   • "Service"="WsysSvc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Wsys Service"

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSYSSVC\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="WsysSvc"

– [HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application]
   • "Sources"="WsysSvc;WSH;WMIAdapter;WMI.NET Provider Extension;WmdmPmSN;WinMgmt;Winlogon;Windows Product Activation;Windows 3.1 Migration;WebClient;VSSetup;VSS;VBRuntime;Userinit;Userenv;UploadM;Tlntsvr;System.ServiceModel.Install 3.0.0.0;System.ServiceModel 4.0.0.0;System.ServiceModel 3.0.0.0;System.Runtime.Serialization 4.0.0.0;System.Runtime.Serialization 3.0.0.0;System.IO.Log 4.0.0.0;System.IO.Log 3.0.0.0;System.IdentityModel 4.0.0.0;System.IdentityModel 3.0.0.0;SysmonLog;SpoolerCtrs;Software Restriction Policies;Software Installation;ServiceModel Audit 4.0.0.0;ServiceModel Audit 3.0.0.0;SecurityCenter;SclgNtfy;SceSrv;SceCli;safrslv;SAFrdms;Remote Assistance;PerfProc;PerfOS;PerfNet;Perfmon;Perflib;PerfDisk;Perfctrs;Offline Files;Oakley;ntbackup;MSSQLSERVER/MSDE;MsiInstaller;MSDTC Client;MSDTC;mnmsrvc;Microsoft.Transactions.Bridge 4.0.0.0;Microsoft.Transactions.Bridge 3.0.0.0;Microsoft H.323 Telephony Service Provider;Microsoft (R) Visual C
   • 2005 Compiler;LoadPerf;HelpSvc;Folder Redirection;File Deployment;EventSystem;ESENT;EAPOL;DrWatson;DiskQuota;crypt32;COM+;COM;Ci;Chkdsk;CardSpace 4.0.0.0;CardSpace 3.0.0.0;AutoEnrollment;Autochk;ASP.NET 4.0.30319.0;ASP.NET 2.0.50727.0;ASP.NET 1.1.4322.0;Application Management;Application Hang;Application Error;apphelp;.NET Runtime Optimization Service;.NET Runtime 4.0 Error Reporting;.NET Runtime 2.0 Error Reporting;.NET Runtime;Application;"

– [HKLM\SYSTEM\ControlSet001\Services\WsysSvc\Enum]
   • "0"="Root\\LEGACY_WSYSSVC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   • @=dword:0000000a

– [HKLM\SOFTWARE\eSafeSecControl]
   • "sid"="eGdp"
   • "ver"="10.2.1.2652"

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\
   Explorer\User Shell Folders]


The following registry key is changed:

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   New value:
   • "ParseAutoexec"="1"

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • xa.x**********oud.com/v**********n,en&update2=langu**********ref1,eGdp
   • xa.x**********oud.com/v**********n&update2=language**********1,eGdp
   • up.s**********5.com/gdp**********0000000000001

 File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Soe-liang Tan on Wednesday, November 6, 2013
Description updated by Alexander Neth on Wednesday, November 6, 2013

Back . . . .