Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Date discovered:03/11/2010
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:94.208 Bytes
MD5 checksum:1E3066B7E6960505F567D28A529DDBA8
VDF version:
IVDF version:

 General Method of propagation:
   • Autorun feature

   •  Symantec: Backdoor.IRC.Bot
   •  Mcafee: W32/IRCbot.worm
   •  Kaspersky: Trojan.Win32.VBKrypt.rut
   •  TrendMicro: BKDR_IRCBOT.DAQ
   •  F-Secure: Backdoor.Bot.130321

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\oldbi.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Ci Servs"="oldbi.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   • "Ci Servs"="oldbi.exe"

 IRC – Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Join IRC channel
    • Upload file

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS server is contacted:

Anti debugging
It checks for running programs that contain one of the following strings:
   • tcpview
   • filemon
   • procmon

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description insérée par Andrei Ilie le lundi 21 mars 2011
Description mise à jour par Andrei Ilie le mercredi 23 mars 2011

Retour . . . .