Virus: BDS/WinO.A
Date discovered: 9 March 2010
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 63,639 bytes
MD5 checksum: 463f93ee63271f385e100aafb53f7790
IVDF version: 7.10.05.08 - Tuesday, March 9, 2010

General Aliases:
   • McAfee: Nebuler.b
   • Bitdefender: Trojan.Generic.3563493


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files
It deletes the initially executed copy of itself.



It deletes the following file:
   • %TEMPDIR%\fig24.tmp



The following files are created:
   • %TEMPDIR%\fig24.bat
   • %SYSDIR%\win%character string%32.dll
     Further investigation showed that this file is malware as well. Detected as: TR/Spy.Gen
   • %TEMPDIR%\fig24.tmp
     Further investigation showed that this file is malware as well. Detected as: TR/Spy.Gen
   • "%malware execution directory%\%executed file.bat%"



It tries to download a file from one of the following locations:
   • http://oberaufseher.net/img/**********?c=I0&v=22&b=1012&id=%character string%&cnt=ENU&q=1D0D8F
   • http://tubestock.net/img/**********?c=I0&v=22&b=1013&id=%character string%&cnt=ENU&q=1C74F9




It tries to execute the following commands:
   • cmd /c start iexplore -embedding
   • "%PROGRAM FILES%\Internet Explorer\iexplore.exe" -embedding
   • cmd /c "%TEMPDIR%\fig24.bat"
   • cmd /c "%malware execution directory%\%executed file.bat%"

The -embedding switch starts Internet Explorer as an OLE server without a visible window, so the browser process appears on the system without any user having opened it.

Registry
The following key is added so that the dropped DLL runs again after reboot. Winlogon loads every DLL registered under Winlogon\Notify into winlogon.exe at startup and calls the exported functions named by the Startup and Shutdown values at the corresponding logon events; this mechanism exists on Windows 2000, XP and Server 2003 only (it was removed in Vista), which matches the platform list above:

  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   win%character string%32]
   • "Asynchronous"=dword:0x00000001
   • "DllName"="win%character string%32.dll"
   • "Impersonate"=dword:0x00000000
   • "Shutdown"="PJOPCufsu"
   • "Startup"="UfVTjtHHISS"



The following registry keys are changed:

[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   New value:
   • "Locked"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\MSSMGR]
   New value:
   • "Brnd"=dword:0x000003f4
   • "Data"=dword:0x097fe351
   • "LSTV"=hex:DA,07,04,00,02,00,06,00,07,00,1B,00,23,00,6D,02
   • "PSTV"=hex:DA,07,04,00,02,00,06,00,07,00,1B,00,2E,00,B5,03
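The registry artefacts above are the most durable indicators in this description: the Winlogon\Notify subkey gives away the persistence, and the MSSMGR key is a marker the malware leaves behind. The following triage script is an added example, not part of the Avira description or of Avira's tooling. It parses a .reg export of the two keys (a constructed sample, using the values listed above with the placeholder subkey name filled in as the hypothetical "winabcd32"), flags Winlogon notification packages that are not in the default Windows 2000/XP/2003 set, and decodes the two 16-byte LSTV/PSTV values on the assumption that they are Win32 SYSTEMTIME structures, which their layout matches (0x07DA = 2010, month 4, day-of-week 2 = Tuesday, day 6, i.e. the day this description was written).

```python
"""Offline triage of the BDS/WinO.A registry artefacts from a .reg export.

Added example, not part of the Avira description.  Assumptions, all labelled:
 - the sample .reg text below is constructed from the values in the description,
   with "winabcd32" standing in for the %character string% placeholder;
 - LSTV/PSTV are decoded as Win32 SYSTEMTIME (8 little-endian WORDs), which
   their layout matches but which the description does not state;
 - KNOWN_NOTIFY is a starting list of default notification packages, not an
   authoritative allow-list.
"""
import re
import struct
from datetime import datetime

# Default Winlogon notification packages on Windows 2000/XP/2003 installs.
# Anything else registered under Winlogon\Notify deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ "[:-1]
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR"
WINO_DLL = re.compile(r"^win[a-z0-9]+32\.dll$", re.I)   # win%character string%32.dll

# Constructed sample export: one benign default package, the malware's package,
# and the MSSMGR marker key.  A real export writes DllName as hex(2) REG_EXPAND_SZ;
# plain strings are used here to keep the parser short.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winabcd32]
"Asynchronous"=dword:00000001
"DllName"="winabcd32.dll"
"Impersonate"=dword:00000000
"Shutdown"="PJOPCufsu"
"Startup"="UfVTjtHHISS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
"Brnd"=dword:000003f4
"Data"=dword:097fe351
"LSTV"=hex:da,07,04,00,02,00,06,00,07,00,1b,00,23,00,6d,02
"PSTV"=hex:da,07,04,00,02,00,06,00,07,00,1b,00,2e,00,b5,03
'''


def parse_reg(text):
    """Parse the .reg subset used here into {key: {value_name: value}}.
    dword -> int, hex -> bytes, quoted -> str."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith("hex:"):
                keys[current][name] = bytes(int(b, 16) for b in raw[4:].split(","))
            else:
                keys[current][name] = raw.strip('"')
    return keys


def decode_systemtime(blob):
    """Decode a 16-byte Win32 SYSTEMTIME: year, month, day-of-week, day,
    hour, minute, second, millisecond as little-endian WORDs."""
    year, month, dow, day, hour, minute, sec, ms = struct.unpack("<8H", blob)
    dt = datetime(year, month, day, hour, minute, sec, ms * 1000)
    # Windows counts Sunday as 0, Python's weekday() counts Monday as 0;
    # a mismatch means the blob is not really a SYSTEMTIME.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field inconsistent with date")
    return dt


def triage(keys):
    """Return (kind, detail) findings for the artefacts in the description."""
    findings = []
    for key, values in keys.items():
        if key.startswith(NOTIFY_PREFIX):
            package = key[len(NOTIFY_PREFIX):]
            if package in KNOWN_NOTIFY:
                continue
            dll = str(values.get("DllName", ""))
            kind = "wino_notify_dll" if WINO_DLL.match(dll) else "unknown_notify_dll"
            findings.append((kind, {"package": package, "dll": dll,
                                    "startup": values.get("Startup"),
                                    "shutdown": values.get("Shutdown")}))
        elif key == MARKER_KEY:
            stamps = {n: decode_systemtime(values[n]) for n in ("LSTV", "PSTV")
                      if isinstance(values.get(n), bytes) and len(values[n]) == 16}
            findings.append(("mssmgr_marker", stamps))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg(SAMPLE_REG)):
        print(kind, detail)
```

On a live Windows 2000/XP/2003 host the same check is a walk over the Winlogon\Notify subkeys with `reg query`; on an image, export the SOFTWARE hive and feed the result to `parse_reg`. Decoded on the SYSTEMTIME assumption, the two marker values read 2010-04-06 07:27:35.621 and 07:27:46.949, eleven seconds apart, consistent with first-run and last-run stamps written during the analysis session.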

Injection
It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe


File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, April 6, 2010
Description updated by Petre Galan on Tuesday, April 6, 2010
