Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:27/01/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:201.728 Bytes
MD5 checksum:5b056eff9e08e6b3da45752edae22547
IVDF version:

 General    • Peer to Peer

   •  Mcafee: W32/Palack.worm
   •  Sophos: Mal/CryptBox-A
   •  Panda: Trj/Buzus.LF
   •  Eset: Win32/Dursg.A
   •  Bitdefender: Trojan.Buzus.GN

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\SystemProc\lsass.exe

It deletes the initially executed copy of itself.

The following files are created:

%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

It tries to download some files:

– The location is the following:

– The location is the following:
   •**********?sd=%character string%&aid=blackout

– The location is the following:
   •**********?pop=1&aid=%character string%&sid=%character string%&key=%character string%

It tries to executes the following file:

– Filename:
   • "%home%\Application Data\SystemProc\lsass.exe"

 Registry The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "RTHDBPL"="%HOME%\Application Data\SystemProc\lsass.exe"

The following registry key is changed:

– [HKCU\Identities]
   New value:
   • "Curr version"="%character string%"
   • "Inst Date"="%character string%"
   • "Last Date"="%character string%"
   • "Popup count"="%character string%"
   • "Popup date"="%character string%"
   • "Popup time"="%character string%"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed: It searches for the following directories:
   • %PROGRAM FILES%\winmx\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa\my shared folder\

   If successful, the following files are created:
   • DivX 5.0 Pro KeyGen.exe; Counter-Strike KeyGen.exe; IP Nuker.exe;
      Website Hacker.exe; Keylogger.exe; AOL Password Cracker.exe; ICQ
      Hacker.exe; AOL Instant Messenger (AIM) Hacker.exe; MSN Password
      Cracker.exe; Microsoft Visual Studio KeyGen.exe; Microsoft Visual
      Basic KeyGen.exe; Microsoft Visual C++ KeyGen.exe; Sub7 2.3
      Private.exe; sdbot with NetBIOS Spread.exe; L0pht 4.0 Windows Password
      Cracker.exe; Windows Password Cracker.exe; NetBIOS Cracker.exe;
      NetBIOS Hacker.exe; DCOM Exploit.exe; Norton Anti-Virus 2005
      Enterprise Crack.exe; Hotmail Cracker.exe; Hotmail Hacker.exe; Brutus
      FTP Cracker.exe; FTP Cracker.exe; Password Cracker.exe; Half-Life 2
      Downloader.exe; UT 2003 KeyGen.exe; Windows 2003 Advanced Server

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 8, 2010
Description updated by Petre Galan on Thursday, April 8, 2010

Back . . . .