Virus: TR/Symmi.14078.3
Date discovered: 08/11/2013
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 540.160 Bytes
VDF version: 7.11.112.36 - Friday, November 8, 2013
IVDF version: 7.11.112.36 - Friday, November 8, 2013

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: SecurityRisk.Downldr
   •  TrendMicro: TROJ_DLOADR.MSA
   •  VirusBuster: Trojan.Agent!s4BsIUK8fxU
   •  Eset: Win32/TrojanDownloader.Agent.ACF trojan
   •  DrWeb: Trojan.DownLoad3.29733
   •  Fortinet: W32/Agent.ACF!tr.dldr


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a malicious file
   • Registry modification

Files

The following file is created:

– %HOME%\Local Settings\Application Data\Temp\%random character string%.tmp
   Furthermore, it is executed after it has been fully created. Further investigation showed that this file is malware, too.

Registry

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000]
   • "Service"="BITS"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="%CLSID%"
   • "DeviceDesc"="Background Intelligent Transfer Service"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="BITS"

– [HKLM\SYSTEM\ControlSet001\Services\BITS\Enum]
   • "0"="Root\LEGACY_BITS\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

Description inserted by Alexander Bauer on Saturday, November 9, 2013
Description updated by Alexander Bauer on Saturday, November 9, 2013
