Date discovered: 26/05/2010
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 612.864 Bytes
MD5 checksum: a2d32455fe6eae45237b90eff61046f0
IVDF version:

General methods of propagation:
   • Email
   • Peer to Peer

Aliases:
   • Sophos: Mal/CryptBox-A
   • Bitdefender: Trojan.Generic.4126322
   • Panda: W32/P2PShared.U.worm
   • Eset: Win32/Merond.O

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Lowers security settings
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files:

It copies itself to the following location:
   • %SYSDIR%\AdobeARM.exe

It deletes the following file:
   • %SYSDIR%\adoberun.exe

The following files are created:
   • %PROGRAM FILES%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
     Further investigation pointed out that this file is malware, too. Detected as: JS/Dursg.G
   • %PROGRAM FILES%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
   • %SYSDIR%\adoberun.exe
     Further investigation pointed out that this file is malware, too. Detected as: TR/Buzus.eajm
   • %SYSDIR%\adobe.exe
     Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Typic.bec
   • %WINDIR%\adobe.exe
     Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Typic.bec
   • %PROGRAM FILES%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
   • %HOME%\Application Data\SystemProc\lsass.exe
     Further investigation pointed out that this file is malware, too. Detected as: TR/Buzus.eajm

It tries to download some files:

– The location is the following:
   • **********?aid=%character string%

– The locations are the following:
   • **********?sd=%character string%&aid=%character string%
   • **********?sd=%character string%&aid=%character string%
   • **********?sd=%character string%&aid=%character string%
   • **********?sd=%character string%&aid=%character string%

It tries to execute the following files:
   • "%SYSDIR%\adoberun.exe"
   • "%SYSDIR%\adobe.exe"
   • %SYSDIR%\adoberun.exe
   • %SYSDIR%\adobe.exe
   • "%HOME%\Application Data\SystemProc\lsass.exe"
   • "%WINDIR%\adobe.exe"
   • %WINDIR%\adobe.exe
   • "%PROGRAM FILES%\Internet Explorer\iexplore.exe"

Registry:

The following registry keys are added in order to run the processes after reboot:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   • "Adobe Acrobat Reader"="%WINDIR%\adobe.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Adobe Acrobat Reader"="%WINDIR%\adobe.exe"
   • "Adobe Reader Updater"="%SYSDIR%\AdobeARM.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "RTHDBPL"="%HOME%\Application Data\SystemProc\lsass.exe"

– [HKCU\Identities]
   • First Start
   • KillSelf
   • Send Inst

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%SYSDIR%\AdobeARM.exe"="%SYSDIR%\AdobeARM.exe:*:Enabled:Explorer"

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   • "StubPath"=""%WINDIR%\adobe.exe""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   • "aup1"="%current date%"
   • "aup2"="%current date%"

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion]
   • "@"="H1UYEEMA[QRamnmg.nqk"

– [HKCU\Identities]
   • "Curr version"="25"
   • "Inst Date"="%current date%"
   • "Last Date"="%current date%"
   • "Popup count"="0"
   • "Popup date"="0"
   • "Popup time"="0"
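A defender triaging a host can check a registry export for the autorun, firewall-bypass and marker values listed above. The Python below is an added example, not part of the Avira description: it matches keys by prefix because the description truncates several key paths, and the full firewall key path in the constructed sample export is an assumption.

```python
# Persistence indicators from the description above, matched against a .reg export.
# Key prefixes are used because the description truncates some key paths.
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Adobe Acrobat Reader", r"\adobe.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Adobe Reader Updater", r"\AdobeARM.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters", None, "AdobeARM.exe:*:Enabled:Explorer"),
    (r"HKEY_CURRENT_USER\Identities", "KillSelf", None),
]

def parse_reg(text):
    """Parse 'Windows Registry Editor' text into {key: {value_name: data}} (string values)."""
    unescape = lambda s: s.strip().strip('"').replace("\\\\", "\\")  # undo .reg quoting
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith(('"', "@")):
            name, sep, data = line.partition('"=')  # split at the value name's closing quote
            if not sep:  # default value, written as @=...
                name, _, data = line.partition("=")
            entries[key][unescape(name)] = unescape(data)
    return entries

def find_indicators(entries):
    """Return {(key, value_name, data)} for every entry that matches an indicator."""
    hits = set()
    for key, values in entries.items():
        for prefix, name, data_part in INDICATORS:
            if not key.lower().startswith(prefix.lower()):
                continue
            for vname, vdata in values.items():
                name_ok = name is None or vname.lower() == name.lower()
                data_ok = data_part is None or data_part.lower() in vdata.lower()
                if name_ok and data_ok:
                    hits.add((key, vname, vdata))
    return hits

# Constructed sample export; the full firewall key path is an assumption, not from the page.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"
"Adobe Acrobat Reader"="C:\\WINDOWS\\adobe.exe"
"Adobe Reader Updater"="C:\\WINDOWS\\system32\\AdobeARM.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\AdobeARM.exe"="C:\\WINDOWS\\system32\\AdobeARM.exe:*:Enabled:Explorer"
[HKEY_CURRENT_USER\Identities]
"KillSelf"="0"'''

if __name__ == "__main__":
    print(*sorted(find_indicators(parse_reg(SAMPLE_REG))), sep="\n")
```

The benign OneDrive autorun entry in the sample is not reported; only the four entries shaped like the description's are.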

Email:

It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are the following:

Sender:
The sender address is spoofed.

Recipients:
Email addresses are gathered from:
   • Specific files on the system
   • WAB (Windows Address Book)

Subject:
One of the following:
   • Cindy would like to be your friend on hi5!
   • Shipping update for your order
   • Thank you from Google!
   • You have got a new message on Facebook!
   • You have received A Hallmark E-Card!
   • Your friend invited you to Twitter!

Body:
Contains HTML code.

The filename of the attachment is one of the following:
   • Facebook
   • Invitation
   • Shipping

The attachment is an archive containing a copy of the malware itself.

P2P:

In order to infect other systems in the Peer to Peer network community the following action is performed. It searches for the following directories:
   • %PROGRAM FILES%\winmx\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa\my shared folder\

If successful, the following files are created:
   • YouTubeGet 5.6.exe; Youtube Music Downloader 1.3.exe; WinRAR v3.x
      keygen [by HiXem].exe; Windows2008 keygen and activator.exe; [+ MrKey
      +] Windows XP PRO Corp SP3 valid-key generator.exe; Windows Password
      Cracker + Elar3 key.exe; [Eni0j0 team] Windows 7 Ultimate keygen.exe;
      Windows 2008 Enterprise Server VMWare Virtual Machine.exe;
      Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe; Website Hacker.exe;
      [Eni0j0 team] Vmvare keygen.exe; VmWare 7.x keygen.exe; UT 2003
      KeyGen.exe; Twitter FriendAdder 2.3.9.exe; Tuneup Ultilities 2010.exe;
      [antihack tool] Trojan Killer v2.9.4173.exe; Total Commander7
      license+keygen.exe; Super Utilities Pro 2009 11.0.exe; Sub7 2.5.1
      Private.exe; Sophos antivirus updater bypass.exe; sdbot with NetBIOS
      Spread.exe; [fixed]RapidShare Killer AIO 2010.exe; Rapidshare Auto
      Downloader 3.8.6.exe; Power ISO v4.4 + keygen milon.exe; [patched,
      serial not needed] PDF Unlocker v2.0.5.exe; PDF-XChange Pro.exe;
      [patched, serial not needed] PDF to Word Converter 3.4.exe; PDF
      password remover (works with all acrobat reader).exe; Password
      Cracker.exe; Norton Internet Security 2010 crack.exe; Norton
      Anti-Virus 2010 Enterprise Crack.exe; Norton Anti-Virus 2005
      Enterprise Crack.exe; NetBIOS Hacker.exe; NetBIOS Cracker.exe;
      [patched, serial not need] Nero 9.x keygen.exe; Myspace theme
      collection.exe; MSN Password Cracker.exe; Mp3 Splitter and Joiner Pro
      v3.48.exe; Motorola, nokia, ericsson mobil phone tools.exe;
      Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe; Microsoft
      Visual Studio KeyGen.exe; Microsoft Visual C++ KeyGen.exe; Microsoft
      Visual Basic KeyGen.exe; McAfee Total Protection 2010 [serial patch by
      AnalGin].exe; Magic Video Converter 8.exe; LimeWire Pro v4.18.3
      [Cracked by AnalGin].exe; L0pht 4.0 Windows Password Cracker.exe;
      K-Lite Mega Codec v5.2 Portable.exe; K-Lite Mega Codec v5.2.exe;
      Keylogger unique builder.exe; Kaspersky Internet Security 2010
      keygen.exe; Kaspersky AntiVirus 2010 crack.exe; IP Nuker.exe; Internet
      Download Manager V5.exe; Image Size Reducer Pro v1.0.1.exe; ICQ Hacker
      Trial version [brute].exe; Hotmail Hacker [Brute method].exe; Hotmail
      Cracker [Brute method].exe; Half-Life 2 Downloader.exe; Grand Theft
      Auto IV [Offline Activation + mouse patch].exe; Google SketchUp 7.1
      Pro.exe; G-Force Platinum v3.7.6.exe; FTP Cracker.exe; DVD Tools Nero
      10.x.x.x.exe; Download Boost 2.0.exe; Download Accelerator Plus
      v9.2.exe; Divx Pro 7.x version Keymaker.exe; DivX 5.x Pro KeyGen
      generator.exe; DCOM Exploit archive.exe; Daemon Tools Pro 4.8.exe;
      Counter-Strike Serial key generator [Miona patch].exe; CleanMyPC
      Registry Cleaner v6.02.exe; Brutus FTP Cracker.exe; Blaze DVD Player
      Pro v6.52.exe; BitDefender AntiVirus 2010 Keygen.exe; Avast 5.x
      Professional.exe; Avast 4.x Professional.exe; Ashampoo Snap 3.xx
      [Skarleot Group].exe; AOL Password Cracker.exe; AOL Instant Messenger
      (AIM) Hacker.exe; AnyDVD HD v. Beta incl crack.exe; Anti-Porn
      v13.x.x.x.exe; Alcohol 120 v1.9.x.exe; Adobe Photoshop CS4 crack by
      M0N5KI Hack Group.exe; Adobe Illustrator CS4 crack.exe; Adobe Acrobat
      Reader keygen.exe; Ad-aware 2010.exe; [patched, serial not needed]
      Absolute Video Converter 6.2-7.exe

File details:

Runtime packer: in order to hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, September 21, 2010
Description updated by Petre Galan on Tuesday, September 21, 2010
