TR/ZZDimy.13 - Trojan
Virus: TR/ZZDimy.13
Date discovered: 15/05/2009
Type: Trojan
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 13.824 Bytes
MD5 checksum: feb9fcb58b7537c47a0Cfc1c00702b50
IVDF version: 7.01.03.215 - Fri, 15 May 2009 15:22 (GMT+1)
General
Aliases:
• Symantec: Backdoor.Paproxy
• McAfee: Generic Proxy!a trojan !!!
• Kaspersky: Trojan.Win32.Agent2.jyy
• Panda: W32/Koobface.AD.worm
• Eset: a variant of Win32/Tinxy.AD trojan
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Drops a malicious file
• Lowers security settings
• Registry modification
Files
It copies itself to the following location:
• %SYSDIR%\SYS32DLL.exe
It deletes the initially executed copy of itself.
It deletes the following file:
• C:\SYS32DLL.bat
The following file is created:
– C:\SYS32DLL.bat
Furthermore, it gets executed once it has been fully created. This batch file is used to delete a file.
It tries to download a file:
– The location is the following:
• http://85.13**********/v50/?v=63&s=I&uid=0&p=6004&q=
Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.
Registry
It creates the following entry in order to bypass the Windows XP firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
• "7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"
• "80:TCP"="80:TCP:*:Enabled:SYS32DLL"
The following registry key is changed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
New value:
• "ProxyServer"="http=localhost:7171"
• "ProxyOverride"="*.local;"
• "ProxyEnable"=dword:00000001
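The firewall exceptions and proxy values listed above can be checked offline in an exported registry hive. The following script is an added example, not Avira's code: it parses a Windows .reg export (a constructed sample is embedded, reproducing the values from this description) and reports which of these indicators are present.

```python
# Added example (not Avira's code): offline check of a Windows .reg export for the
# firewall exceptions and proxy values this description attributes to TR/ZZDimy.13.

FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
PROXY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample export (not a real capture) reproducing the values listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"
"80:TCP"="80:TCP:*:Enabled:SYS32DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=localhost:7171"
"ProxyEnable"=dword:00000001
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys

def find_indicators(text):
    """List the indicators present in the export; an empty list means none found."""
    keys = parse_reg(text)
    hits = []
    for name, data in keys.get(FIREWALL_KEY, {}).items():
        # Any port globally opened for the dropped SYS32DLL.exe (7171 and 80 on this page)
        if data.strip('"').endswith(":Enabled:SYS32DLL"):
            hits.append(f"firewall exception {name}: {data}")
    proxy = keys.get(PROXY_KEY, {})
    if proxy.get("ProxyServer") == '"http=localhost:7171"':
        hits.append("ProxyServer routes HTTP through the local backdoor port 7171")
    if proxy.get("ProxyEnable", "").lower() == "dword:00000001":
        hits.append("ProxyEnable is on")
    return hits
```

Calling `find_indicators(SAMPLE_REG)` returns four findings for the constructed sample; run it over a real `reg export` of both keys to triage a suspect host.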
Backdoor
The following port is opened:
– %SYSDIR%\SYS32DLL.exe on TCP port 7171 in order to provide an HTTP server.
Contact server:
One of the following:
• yy-d**********.com
• zz-d**********.com
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
See a brief description here.
Description inserted by Petre Galan on Tue, 06 Oct 2009 15:58 (GMT+1)
Description updated by Andrei Ivanes on Wed, 07 Oct 2009 13:10 (GMT+1)
© 2009 Avira GmbH