Date discovered: 09/12/2009
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 196.096 Bytes
MD5 checksum: d93c0dea37ebfacb9d475085b712fad0
IVDF version:

General
Method of propagation:
   • Email

Aliases:
   • Panda: W32/Kolabc.AW.worm
   • Eset: Win32/Delf.OXF
   • Bitdefender: IRC-Worm.Generic.8682

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe

It tries to download some files:

– The location is the following:
   • **********?id=%number%&tick=%number%&ver=486&smtp=%character string%

– The location is the following:

Registry
The following value is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host"=""
   • "id"="23318476078427455795981961071089"
   • "ii"="1"
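As an added example (not Avira's tooling), the script below triages a `reg export` of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion for the two registry indicators listed above: the Run value pointing at msvmcls64.exe and the BITS key carrying the host/id/ii triple. It assumes the export has already been read as text (reg export writes UTF-16) and that the BITS key by itself is not diagnostic, since Windows creates it legitimately; the sample export embedded below is constructed.

```python
import re

# Indicators from the description above; %SYSDIR% expands per host, so match
# on the dropped file name rather than the full path.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BITS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS"
RUN_VALUE, DROPPED_FILE = "MS Virtual CLS", "msvmcls64.exe"
BITS_VALUES = {"host", "id", "ii"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"')

def parse_reg_export(text):
    """Map key path -> {value name: data} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # undo the .reg escaping of backslashes and quotes
                name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
                keys[current][name] = data
    return keys

def find_indicators(text):
    """Return findings for the Run value and the BITS host/id/ii triple."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == RUN_VALUE or DROPPED_FILE in data.lower():
            findings.append(f"Run value {name!r} -> {data}")
    bits = keys.get(BITS_KEY, {})
    # The BITS key itself is legitimate on Windows; only the full triple is suspicious.
    if BITS_VALUES <= set(bits):
        findings.append(f"BITS values host/id/ii present (id={bits['id']})")
    return findings

# Constructed sample export, as `reg export` would write it on an infected XP host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Virtual CLS"="C:\\WINDOWS\\system32\\msvmcls64.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"host"=""
"id"="23318476078427455795981961071089"
"ii"="1"
'''
```

Calling `find_indicators(SAMPLE_REG)` reports both indicators; a host whose BITS key lacks the full triple produces no BITS finding.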

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:

Sender of emails:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. The sender might not know about the infection or might not be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

Recipient of emails:
– Email addresses found in specific files on the system.

Body of emails:
– Contains HTML code.


The attachment is a copy of the malware itself.

Mailing MX Server:
It has the ability to contact one of the following MX servers:

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, March 31, 2010
Description updated by Petre Galan on Wednesday, March 31, 2010
