English
Deutsch
Español
Italian
Home
Virus Info
TR/FwBypass.A.537
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/FwBypass.A.537 - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/FwBypass.A.537
Date discovered:
04/07/2006
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
Yes
File size:
113.152 Bytes
MD5 checksum:
3eb9e470350D6927cff49c790A1e6785
VDF version:
6.35.00.115
IVDF version:
6.35.00.141
- Mon, 10 Jul 2006 09:24 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Trojan-PSW.Win32.LdPinch.ats
• Bitdefender: Trojan.FirewallBypass
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Steals information
Files
It copies itself to the following location:
•
%WINDIR%
\svchîst2.exe
The following file is created:
– c:\out.bin This file contains collected information about the system.
Registry
The following registry key is added in order to run the process after reboot:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• "System"="
%WINDIR%
\svchîst2.exe"
It creates the following entry in order to bypass the Windows XP firewall:
– HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
• "
%WINDIR%
\svchîst2.exe"="
%WINDIR%
\svchîst2.exe:*:Enabled:svchîst2"
The following registry key is added:
– HKCR\.key
• "(Default)"="regfile"
Email
It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:
Email design:
To:
xinchpass@mail.ru
Subject:
Subject: Passes from Pinch 2
Attachment:
• out.bin
Stealing
It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts
– Passwords from the following programs:
• ICQ
• CuteFTP
• CuteFTP PRO
• Far(ftp plugin)
• Miranda
• Outlook
• RimArts
• The Bat!
• Total Commander
• Trillian
• Windows Commander
File details
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• ASProtect
See a brief description
here
.
Description inserted by Irina Boldea on Tue, 08 Aug 2006 15:10 (GMT+1)
Description updated by Andrei Gherman on Thu, 10 Aug 2006 10:04 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/KillAV.GR
Worm/Mytob.AP
Worm/Mytob.AD
TR/Crypt.PEPM.Gen
TR/Vundo.ewz.9
TR/Monderb.318720
Worm/IrcBot.39673.1
TR/PSW.Steam.DU
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/FwBypass.A.537
Print this page
.gif)
