TR/AgentMB.PEHAB9080094.1 - Trojan
Virus: TR/AgentMB.PEHAB9080094.1
Date discovered: 27/11/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
IVDF version: 7.01.00.149 - Thu, 27 Nov 2008 16:58 (GMT+1)
General
Aliases:
• Symantec: W32.Harakit
• McAfee: W32/Autorun.worm.cj
• Panda: W32/Autoit.BT
• Grisoft: Worm/Autoit.GTF
• Eset: Win32/Autoit.FO
• Bitdefender: Trojan.AgentMB.PEHAB9080094
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops files
• Registry modification
Files
It copies itself to the following location:
• %WINDIR%\system32\csrcs.exe
It deletes the initially executed copy of itself.
The following files are created:
– %SYSDIR%\autorun.inf
  This is a non-malicious text file with the following content:
  • %code that runs malware%
– %TEMPDIR%\suicide.bat
  Furthermore, it is executed once it has been fully created. This batch file is used to delete a file.
It tries to execute the following file:
– Filename:
  • %TEMPDIR%\suicide.bat
  This batch file is used to delete a file.
Registry
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "Shell"="Explorer.exe csrcs.exe"
The values of the following registry key are removed:
– [HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings]
• "ProxyServer"
• "ProxyOverride"
• "AutoConfigURL"
The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\DRM\amty]
• "ilop"="1"
• "exp1"="408406541BC5BBE4DC197A2A0C46B9AFF2F90D96B151D7C7BCBD177741EE95F062E634D70EB70FB65FC8FBF0EC312619"
• "dreg"="408406541BC5BBE4DC197A2A0C46B9ACF2F90D96B151D7C7BCBD177641EE95F562E634D70EB70FB65FC8FBF0EC31276D8626D05B1ED70CC881A48DA07A7E649B"
• "fix"=""
• "fix1"="1"
• "regexp"="-0.215134707364621"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
• "csrcs"="%SYSDIR%\csrcs.exe"
The following registry keys are changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "SuperHidden"=dword:00000000
• "Hidden"=dword:00000001
• "ShowSuperHidden"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000001
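The file and registry artifacts listed above are the indicators a responder would check for on a suspect host. The following read-only PowerShell script is an added example, not part of the Avira description, that queries each of them (the Winlogon "Shell" value, the policies\Explorer\Run entry, the DRM\amty marker key and the dropped csrcs.exe) and returns a list of findings; it assumes a Windows host with PowerShell 4 or later (for Get-FileHash) and changes nothing on the system.

```powershell
# Added example (not Avira's code): read-only check for the indicators in this description.
# Assumes Windows with PowerShell 4+ (Get-FileHash). Run from an elevated prompt so HKLM is readable.
function Test-CsrcsIndicators {
    $findings = @()

    # 1. Winlogon Shell hijack: the legitimate value is exactly "explorer.exe".
    #    The description reports "Explorer.exe csrcs.exe", which fails this match.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and ($shell.Trim() -notmatch '^explorer\.exe$')) {
        $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    }

    # 2. Policy Run key entry named "csrcs".
    $policyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    $csrcs = (Get-ItemProperty -Path $policyRun -Name csrcs -ErrorAction SilentlyContinue).csrcs
    if ($csrcs) {
        $findings += "policies\Explorer\Run contains csrcs = '$csrcs'"
    }

    # 3. Marker key written by the sample.
    $marker = 'HKLM:\SOFTWARE\Microsoft\DRM\amty'
    if (Test-Path -Path $marker) {
        $findings += "Registry key $marker exists"
    }

    # 4. Dropped executable; record its SHA256 so it can be compared or submitted.
    $exe = Join-Path -Path $env:SystemRoot -ChildPath 'system32\csrcs.exe'
    if (Test-Path -Path $exe -PathType Leaf) {
        $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        $findings += "$exe is present (SHA256 $hash)"
    }

    # 5. Proxy settings removed from the user's Internet Settings (weak, context-dependent signal).
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inetProps = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($inetProps -and -not ($inetProps.PSObject.Properties.Name -contains 'ProxyServer')) {
        $findings += "No ProxyServer value under $inet (only meaningful if a proxy was configured)"
    }

    return ,$findings
}

# Usage: an empty result means none of the indicators were found.
$result = Test-CsrcsIndicators
if ($result.Count -eq 0) {
    Write-Output 'No TR/AgentMB.PEHAB9080094.1 indicators found.'
} else {
    $result | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

The Winlogon check is the strongest signal: on a clean system the "Shell" value is "explorer.exe" and nothing else, so any appended filename warrants a look regardless of name. The proxy-value check is included only because the description lists it; by itself it is not evidence of infection.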
Miscellaneous
Anti debugging
If it was successful it displays the following and terminates immediately: see a brief description here.
Description inserted by Petre Galan on Fri, 03 Jul 2009 11:36 (GMT+1)
Description updated by Andrei Ivanes on Mon, 17 Aug 2009 15:40 (GMT+1)