Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:25/04/2012
In the wild:No
Reported Infections:High
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:67.072 Bytes
MD5 checksum:b2b0c8d66ef083810Bcf5f54e15ee806
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Kaspersky: Trojan.Win32.Inject.dzsp
   •  Grisoft: SHeur4.AAYW
   •  Eset: Win32/Trustezeb.A
   •  GData: Trojan.Injector.ADI
   •  Norman: Trojan W32/Suspicious_Gen4.ACYPJ

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

 Files It copies itself to the following locations:
   • %APPDATA%\Realtec\Realtecdriver.exe
   • %APPDATA%\Qvmh\C10199CBD8812EB1F92D.exe
   • %TEMP%\%10 digit random character string% .pre
   • %SYSDIR%\3E5D1393D8812EB16C61.exe

It deletes the initially executed copy of itself.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Realtecdriver"="%APPDATA\Realtec\Realtecdriver.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\3E5D1393D8812EB16C61.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "D8812EB1"="%APPDATA\Qvmh\C10199CBD8812EB1F92D.exe"

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%TEMP%\%10 digit random character string% .pre;"

 Injection – It injects itself into a process.

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • http://********************.php?id=D8812EB1434E41564549&cmd=img
   • http://********************.php?id=D8812EB1434E41564549&cmd=lfk&data=uJXbykvbhoZH1VxnSk0wIYg6TtL2zhzZ

Event handler:
It creates the following Event handlers:
   • CreateService
   • StartService
   • CreateRemoteThread
   • HttpOpenRequest
   • FtpOpenFile
   • InternetOpenUrl
   • InternetOpen
   • GetDriveType
   • CreateFile
   • CreateToolhelp32Snapshot
   • ShellExecute

 File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Wensin Lee on Thursday, April 26, 2012
Description updated by Matthias Schlindwein on Thursday, April 26, 2012

Back . . . .