Date discovered: 28/04/2011
In the wild: No
Reported infections: Low to medium
Distribution potential: Medium to high
Damage potential: Medium
Static file: Yes
File size: 671.788 Bytes
MD5 checksum: B8ED2E73B39AE02B15244C52DDA5505C
VDF version: - Thursday, April 28, 2011
IVDF version: - Thursday, April 28, 2011

General methods of propagation:
   • Autorun feature

Aliases:
   • Kaspersky: Trojan.Win32.Llac.yxq
   • Sophos: Troj/Agent-RYH
   • Microsoft: Worm:Win32/Silly_P2P.H

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Third party control
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Steals information

Files:
It copies itself to the following location:
   • %APPDATA%\webdev.exe

The following files are created:
   • %TEMPDIR%\google_cache2.tmp: contains parameters used by the malware.
   • %TEMPDIR%\%hex values%: contains parameters used by the malware.

Registry:
The following registry values are added in order to run the process after reboot:
   • "WindowsUpdate"="%APPDATA%\webdev.exe"
   • "WindowsUpdate"="%APPDATA%\webdev.exe"

It creates the following entry in order to bypass the Windows XP firewall:
   • "WindowsUpdate"="%APPDATA%\webdev.exe"
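
As an added illustration (not part of Avira's description), the following Python checks a registry export and a file listing against the file and registry indicators listed above. The page names neither the registry key paths nor the concrete %APPDATA% and %TEMPDIR% directories, so those are supplied as an assumed mapping, and all sample data is constructed.

```python
import re
# Indicators copied from the description above. The page names neither the registry
# key paths nor the real %APPDATA%/%TEMPDIR% dirs, so the caller supplies an env map.
RUN_VALUE_NAME = "windowsupdate"
DROPPED_EXE = r"%APPDATA%\webdev.exe"
TEMP_PARAMS = r"%TEMPDIR%\google_cache2.tmp"
SAMPLE_MD5 = "b8ed2e73b39ae02b15244c52dda5505c"

def normalize(path, env):
    """Expand %VAR% tokens from env, strip quotes, unify slashes and case."""
    expanded = re.sub(r"%([^%\\]+)%",
                      lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return expanded.strip('"').replace("/", "\\").lower()

def check_registry(values, env):
    """values: (key_path, value_name, data) triples. Flags every 'WindowsUpdate'
    value pointing at webdev.exe: the run entries and the firewall exception."""
    target = normalize(DROPPED_EXE, env)
    return [(k, n, d) for k, n, d in values
            if n.lower() == RUN_VALUE_NAME and normalize(d, env) == target]

def check_files(files, env):
    """files: (path, md5_hex_or_None) pairs. Returns (path, reason) pairs."""
    exe, params = normalize(DROPPED_EXE, env), normalize(TEMP_PARAMS, env)
    tempdir = normalize("%TEMPDIR%", env) + "\\"
    hits = []
    for path, md5 in files:
        p = normalize(path, env)
        if md5 and md5.lower() == SAMPLE_MD5:
            hits.append((path, "MD5 matches the analysed sample"))
        elif p == exe:
            hits.append((path, "dropped copy at %APPDATA%\\webdev.exe"))
        elif p == params:
            hits.append((path, "parameter file google_cache2.tmp"))
        elif p.startswith(tempdir) and re.fullmatch(r"[0-9a-f]+", p[len(tempdir):]):
            hits.append((path, "hex-named temp file (low confidence)"))
    return hits

# Constructed sample data (not from the page) for a hypothetical XP host.
SAMPLE_ENV = {"APPDATA": r"C:\Documents and Settings\alice\Application Data",
              "TEMPDIR": r"C:\DOCUME~1\alice\LOCALS~1\Temp"}
SAMPLE_REGISTRY = [
    (r"HKCU\PLACEHOLDER_RUN_KEY", "WindowsUpdate", r'"%APPDATA%\webdev.exe"'),
    (r"HKLM\PLACEHOLDER_RUN_KEY", "Updater", r"C:\Program Files\Vendor\upd.exe"),
]
SAMPLE_FILES = [
    (SAMPLE_ENV["APPDATA"] + r"\webdev.exe", SAMPLE_MD5.upper()),
    (SAMPLE_ENV["TEMPDIR"] + r"\google_cache2.tmp", None),
    (SAMPLE_ENV["TEMPDIR"] + r"\3fa9c0de", None),
    (SAMPLE_ENV["TEMPDIR"] + r"\report.log", None),
]
```

The hex-name rule only approximates the "%hex values%" entry and will match benign temp files, so treat it as a hint to examine, not a verdict.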

Messenger:
It spreads via Messenger. The characteristics are described below:

Windows Messenger:

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:


This malware has the ability to collect and send information such as:
   • Platform ID
   • Information about the Windows operating system

Furthermore, it has the ability to perform actions such as:
   • Connect to IRC server
   • Disconnect from IRC server
   • Perform DDoS attack
   • Start spreading routine

File details:
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Ilie on Tuesday, September 20, 2011
Description updated by Andrei Ilie on Wednesday, September 21, 2011
