Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:14/06/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:196.608 Bytes
MD5 checksum:dbc2437f8c641451a998631c0bf2d0eb
IVDF version:

 General Aliases:
   •  Bitdefender: Worm.Generic.255650
   •  Panda: Bck/IrcBot.CYB
   •  Eset: Win32/Boberog.AQ

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Third party control
   • Lowers security settings
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\msnl.exe

The following file is created:


It tries to execute the following file:

– Filename:
   • "%HOME%\Application Data\msnl.exe"

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows System Guard"="%HOME%\Application Data\msnl.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%HOME%\Application Data\msnl.exe"="%HOME%\Application
      Data\msnl.exe:*:Enabled:Windows System Guard"

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: ght**********.com
Port: 81
Channel: #newbin#
Nickname: n[USA|XP]%number%

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, October 7, 2010
Description updated by Petre Galan on Thursday, October 7, 2010

Back . . . .