English
Deutsch
Español
Italian
Home
Virus Info
ADSPY/Boran.O.1
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
ADSPY/Boran.O.1 - Adware / Spyware
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
ADSPY/Boran.O.1
Date discovered:
05/10/2006
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
Yes
File size:
131.072 Bytes
MD5 checksum:
3c6f191fe0a913c40E7139d66ba0f7ac
VDF version:
6.35.01.09
IVDF version:
6.35.01.09
General
Method of propagation:
• No own spreading routine
Alias:
• Eset: Win32/Adware.Boran
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads files
• Registry modification
• Makes use of software vulnerability
Files
It tries to download some files:
– The location is the following:
• http://www.update.borlander.cn/updadini/**********
It is saved on the local hard drive under:
%malware execution directory%
\updadini.ini Furthermore this file gets executed after it was fully downloaded. This file may contain further download locations and might serve as source for new threats.
– The location is the following:
• http://www.update.borlander.cn/updstd/**********
It is saved on the local hard drive under:
%malware execution directory%
\updstdex.ini Furthermore this file gets executed after it was fully downloaded.
– The location is the following:
• http://www.update.borlander.cn/updstd/**********
It is saved on the local hard drive under:
%malware execution directory%
\updstdup.ini Furthermore this file gets executed after it was fully downloaded. This file may contain further download locations and might serve as source for new threats.
Registry
It registers a browser helper object (BHO) by adding the following key:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
• @="stdup"
The following registry keys are added:
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\InprocServer32]
• @="
%malware execution directory%
\
%executed file%
"
• "ThreadingModel"="Apartment"
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\ProgID]
• @="Ad.AxObj.1"
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\Programmable]
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\TypeLib]
• @="{22F87D75-7DD1-4545-94B3-CA80C0F462C6}"
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\
VersionIndependentProgID]
• @="Ad.AxObj"
– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0]
• @="Ad 1.0 Type Library"
– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\0\win32]
• @="
%malware execution directory%
\
%executed file%
"
– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\FLAGS]
• @="0"
– [HKCR\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\HELPDIR]
• @="%malware execution directoy%"
– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}]
• @="IAxObj"
– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\
ProxyStubClsid]
• @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\
ProxyStubClsid32]
• @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}\TypeLib]
• @="{22F87D75-7DD1-4545-94B3-CA80C0F462C6}"
• "Version"="1.0"
– [HKCR\Ad.AxObj]
• @="stdup"
– [HKCR\Ad.AxObj\CLSID]
• @="{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}"
– [HKCR\Ad.AxObj\CurVer]
• @="Ad.AxObj.1"
– [HKLM\SOFTWARE\Stdup]
• "stdup"="3.2.2.2"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
• "DisplayName"="WinStdup"
• "UninstallString"="
%SYSDIR%
\rundll32.exe
%malware execution directory%
\
%executed file%
,Uninstall"
– [HKCR\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
• @="stdup"
Backdoor
Contact server:
All of the following:
• http://www.borlander.com.cn/**********
• http://www.borlander.com.cn/**********
• http://www.borlander.com.cn/jsp/**********
Once connected it will retrieve an additional list of servers.
As a result it may send information and remote control could be provided. This is done via the HTTP GET request on a PHP script.
Sends information about:
• Current malware status
• Malware uptime
Remote control capabilities:
• Visit a website
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Monica Ghitun on Fri, 06 Oct 2006 11:06 (GMT+1)
Description updated by Andrei Ivanes on Fri, 27 Oct 2006 08:18 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/KillAV.GR
Worm/Mytob.AP
Worm/Mytob.AT
TR/Crypt.PEPM.Gen
TR/Vundo.ewz.9
TR/Monderb.318720
Worm/IrcBot.39673.1
TR/PSW.Steam.DU
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info ADSPY/Boran.O.1
Print this page
.gif)
