Virus: BDS/Sinowal.avnam
Date discovered: 23/11/2011
Type: Backdoor Server
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: No
VDF version: 7.11.18.23 - Wednesday, November 23, 2011
IVDF version: 7.11.18.23 - Wednesday, November 23, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Bitdefender: Gen:Variant.Kazy.37889
   • DrWeb: BackDoor.MaosBoot.1148


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\vpload85.dll
   • %HOME%\vpload85.dll
   • %HOME%\Start Menu\Programs\Startup\scanrdiskaw72.dll



The following file is created:
   • %HOME%\Start Menu\Programs\Startup\scandisk.lnk

Registry
The following registry values are added repeatedly, in an infinite loop, so that the processes are run again after a reboot:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "NvCplDaemonTool"="rundll32.exe %HOME%\\vpload85.dll,_IWMPEvents"

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "NvCplDaemonTool"="rundll32.exe %SYSDIR%\\vpload85.dll,_IWMPEvents"

Miscellaneous
Internet connection:
In order to check for its internet connection, the following DNS server is contacted:
   • google.com

It queries with the name:
   • http://google.com/

Accesses internet resources:
   • http://www.oh**********von.com
   • http://www.oh**********von.net
   • http://www.oh**********von.biz
   • http://www.be**********von.com

Description inserted by Szewee Tan on Friday, November 25, 2011
Description updated by Szewee Tan on Friday, November 25, 2011
