Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:10/06/2011
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
File size:538.624 Bytes
MD5 checksum:5E510AA7FB77DA2C6EA7230D38FC524B
VDF version:
IVDF version:

 General Method of propagation:
   • Autorun feature

   •  TrendMicro: WORM_AUTORUN.IW
   •  Bitdefender: Trojan.Autorun.AZQ
   •  Microsoft: Worm:Win32/Autorun.ACV

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops files
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %drive%\%executed file%

It modifies the following file:
   • "%APPDATA%\Mozilla\Firefox\Profiles\%character string%.default\prefs.js"
As a result various security mechanisms are disabled.

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%malware execution directory%\auto.bat Further investigation pointed out that this file is malware, too. Detected as: BAT/Deedon.A

 Registry The following registry key is changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "EnableHttp1_1"=dword:00000001
   • "ProxyHttp1.1"=dword:00000001
   • "ProxyEnable"=dword:00000001
   • "AutoConfigURL"="http://www.descadastramento.**********/seguranca.pac"

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Ilie on Thursday, July 28, 2011
Description updated by Andrei Ilie on Thursday, August 4, 2011

Back . . . .