Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
Low to medium
- Friday, May 14, 2010
Method of propagation:
• Autorun feature
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Downloads a file
• Drops files
• Drops malicious files
• Lowers security settings
• Registry modification
• Steals information
It copies itself to the following locations:
It deletes the initially executed copy of itself.
It deletes the following files:
The following files are created:
\autorun.inf This is a non malicious text file with the following content:
%code that runs malware%
\nodqq0.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Magania.daxl
It tries to download a file:
– The location is the following:
It is saved on the local hard drive under:
%temporary internet files%
\Content.IE5\YGRGUTKK\am.rar Furthermore this file gets executed after it was fully downloaded.
It tries to executes the following file:
The following registry key is added in order to run the process after reboot:
The following registry keys are changed:
– It injects itself as a thread into a process.
– It injects the following file into a process:
The malware program was written in MS Visual C++.
In order to aggravate detection and reduce size of the file it is packed with the following runtime packers:
Description inserted by Ana Maria Niculescu on Tuesday, July 6, 2010
Description updated by Ana Maria Niculescu on Wednesday, July 7, 2010