Date discovered: 18/04/2008
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 160256 Bytes
MD5 checksum: 7b2dd976849df0d37d1773d201478525
VDF version:
IVDF version:

General Method of propagation:
   • No own spreading routine

Aliases:
   • Sophos: Troj/Mdrop-EZF
   • Bitdefender: Trojan.GenericKD.933878
   • Eset: a variant of Win32/Injector.AFAL trojan

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops files
   • Infects files
   • Registry modification

Files:
It copies itself to the following locations:
   • %temp%\%10 digit random character string% .pre
   • %appdata%\%random character string%\%nine-digit random character string%.exe
   • C:\run\sample.exe

It deletes the initially executed copy of itself.

It deletes the following files:
   • C:\run\sample.exe
   • %temp%\%10 digit random character string% .pre

Registry:
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%appdata%\\%random character string%\\%10 digit random character string% .exe"

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre;"

Injection:
All of the following processes:
   • %SYSDIR%\ctfmon.exe
   • %SYSDIR%\svchost.exe

Miscellaneous:
Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • nvu**********eg.com
   • goga**********jman.ru
   • set1**********.ru

Event handler:
It creates the following Event handlers:
   • ReadProcessMemory
   • WriteProcessMemory
   • SetWindowsHook
   • CreateRemoteThread
   • GetSystemDirectory
   • CreateProcess
   • CreateFile
   • CreateService

Description inserted by Wensin Lee on Thursday, 11 April 2013
Description updated by Wensin Lee on Thursday, 11 April 2013
