Date discovered: 08/08/2012
Type: File infector
In the wild: Yes
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
VDF version:
IVDF version:

General
Method of propagation:
   • Infects files

Aliases:
   •  Kaspersky: Trojan-Dropper.Win32.Dorifel.has
   •  Eset: Win32/Quervar.C

It was previously detected as:
   •  TR/Rogue.kdv.691754.7
   •  TR/Rogue.kdv.691754
   •  TR/Spy.150016.65

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops files
   • Infects files
   • Registry modification

Files
It copies itself to the following location:
   • %APPDATA%\%random character string%\%random character string%.exe

It renames the following files:

    •  %infected files%.doc into %infected files%.cod.scr
    •  %infected files%.docx into %infected files%.cod.scr
    •  %infected files%.xls into %infected files%.slx.scr
    •  %infected files%.xlsx into %infected files%.slx.scr

The following files are created:

– A temporary file that may be deleted afterwards:
   • %APPDATA%\%random character string%\RCX%number%.tmp

– %APPDATA%\%random character string%\%random character string%.exe.lnk
– %APPDATA%\%random character string%\%random character string%.exe.ini This is a non-malicious text file that contains information about the program itself.
– %malware execution directory%\%executed file%-- This is the original version of the file before infection.

Registry
The following registry value is added so that the process is started again at each logon of the infected user (the Load value is empty on a clean profile):

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • Load = "%APPDATA%\%random character string%\%random character string%.exe.lnk"
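The Load value above is the single persistence point this description lists, which makes it a cheap thing to check during triage. The following script is an added example (not Avira's code): on Windows it reads the live value with the standard winreg module, and anywhere else it can be fed a value string copied from an exported hive. The APPDATA path used as a default is an assumption for the demo, and the sample value in the usage is constructed, not taken from a real infection.

```python
"""Review HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load.
Added example, not Avira's code. The default APPDATA path is an assumption."""
from __future__ import annotations

from typing import Optional

LOAD_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"


def read_load_value() -> Optional[str]:
    """Return the current user's Load value, or None when absent / not on Windows."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOAD_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "Load")
            return str(value)
    except FileNotFoundError:
        return None


def assess_load_value(value: Optional[str],
                      appdata: str = r"C:\Users\user\AppData\Roaming") -> list[str]:
    """Explain why a Load value is suspicious. An empty list means nothing to report.

    A clean profile has no Load value at all (it is the legacy win.ini 'load='
    mapping), so anything present runs at every logon and deserves a look; the
    other two traits are the ones this description lists.
    """
    findings: list[str] = []
    if not value:
        return findings
    findings.append("Load is set: it starts a program at each logon and is normally absent")
    expanded = value.replace("%APPDATA%", appdata)  # expand by hand so this works off-host
    low = expanded.lower()
    if low.startswith(appdata.lower() + "\\"):
        rel = expanded[len(appdata) + 1:]
        if rel.count("\\") == 1:
            findings.append("target lives in a single subdirectory directly under %APPDATA%")
    if low.endswith(".exe.lnk"):
        findings.append("target is a .lnk shortcut named like an executable (.exe.lnk)")
    return findings


def looks_like_quervar_persistence(value: Optional[str]) -> bool:
    """True when all three traits from the description are present."""
    return len(assess_load_value(value)) == 3


if __name__ == "__main__":
    # Constructed sample for the off-host case; on Windows read_load_value() is used.
    live = read_load_value() or r"%APPDATA%\qwxzvb\rtkpla.exe.lnk"
    for finding in assess_load_value(live):
        print("[!]", finding)
```

Treat any hit on the first finding as worth a look even when the other two are missing: legitimate software almost never uses Load, so a populated value on a workstation is an anomaly regardless of what it points at.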

File infection
Infector type:

Prepender - The virus code is added at the beginning of the infected file.


This direct-action infector actively searches for files.

This memory-resident infector remains active in memory.

Infection length:

Approximately 150,000 bytes

Ignores files that:

Contain any of the following strings in their path:
   • System Volume Information

The following files are infected:

By file type:
   • .exe
   • .doc
   • .xls
   • .docx
   • .xlsx
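Two of the artifacts above lend themselves to scripted triage: the renamed documents (the three-letter extension is reversed and ".scr" appended, so .doc/.docx become .cod.scr and .xls/.xlsx become .slx.scr) and the prepender layout, in which the original file follows the virus stub. The script below is an added example, not Avira's code. It assumes the original file is appended byte-for-byte after the stub (what "prepender" means on this page), and because the stub length is only approximate it scans for the embedded file signature instead of seeking to a fixed offset. All sample bytes are constructed for the demo, not taken from a real sample.

```python
"""Triage helpers for the .cod.scr / .slx.scr renames and the prepender layout.
Added example, not Avira's code. Assumes the original file follows the stub unmodified."""
from __future__ import annotations

import re
import sys
from pathlib import Path, PureWindowsPath
from typing import Callable, Optional

# Renamed documents: three-letter extension reversed, then ".scr" appended.
REVERSED_EXT = {"cod": "doc", "slx": "xls"}
RENAMED_RE = re.compile(r"^(?P<stem>.+)\.(?P<rev>cod|slx)\.scr$", re.IGNORECASE)


def original_name(renamed: str) -> Optional[str]:
    """Map 'Report.cod.scr' back to 'Report.doc'; None if the name does not match.

    .doc and .docx both end up as .cod.scr, so the trailing 'x' cannot be
    recovered from the name alone; carve_original() tells them apart by content.
    """
    m = RENAMED_RE.match(PureWindowsPath(renamed).name)
    if not m:
        return None
    return f"{m.group('stem')}.{REVERSED_EXT[m.group('rev').lower()]}"


def _valid_pe(data: bytes, idx: int) -> bool:
    """Reject stray 'MZ' pairs: a real DOS header's e_lfanew (offset 0x3c) points at 'PE\\0\\0'."""
    if len(data) < idx + 0x40:
        return False
    e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
    return data[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\x00\x00"


# Signatures of the host types the page lists, with an optional validator.
SIGNATURES: list[tuple[bytes, str, Optional[Callable[[bytes, int], bool]]]] = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", None),  # legacy .doc / .xls
    (b"PK\x03\x04", "ooxml", None),                       # .docx / .xlsx (zip container)
    (b"MZ", "pe", _valid_pe),                             # .exe
]


def carve_original(data: bytes, min_stub: int = 1024) -> Optional[tuple[str, bytes]]:
    """Return (kind, payload) for the original file stored after the prepended stub.

    The search starts at min_stub so an infected .exe's own MZ header is skipped;
    the earliest validated signature after that is taken as the start of the original.
    """
    best: Optional[tuple[int, str]] = None
    for magic, kind, validate in SIGNATURES:
        idx = data.find(magic, min_stub)
        while idx != -1 and validate is not None and not validate(data, idx):
            idx = data.find(magic, idx + 1)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, kind)
    if best is None:
        return None
    return best[1], data[best[0]:]


def triage_dir(root: str) -> list[str]:
    """List renamed documents under root together with the name they would be restored to."""
    report = []
    for p in Path(root).rglob("*.scr"):
        orig = original_name(p.name)
        if orig:
            report.append(f"{p} -> {orig}")
    return report


if __name__ == "__main__":
    for line in triage_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it against a copy of the affected share, never the live one, and keep the carved payload next to the infected file rather than overwriting it: the "pe" branch recovers an executable that should itself be scanned before anyone runs it, and a document recovered this way still needs its extension chosen from the carved kind (ole2 versus ooxml) because the renamed name has lost that distinction.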

Miscellaneous
Event handler:
It creates a Windows event object with the following name (visible in the process's handle table, e.g. with Sysinternals Process Explorer):
   • SayHellotomyLittleFriend

Anti debugging
It checks if the following program is running:
   • taskmgr.exe

File details
Programming language:
The malware program was written in Delphi.

Description inserted by Andrei Gherman on Friday, 10 August 2012
Description updated by Andrei Gherman on Friday, 10 August 2012
