Date discovered: 03/07/2012
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 94,720 bytes
MD5 checksum: C142F7941922369C46E948FF508F67CE
VDF version:
IVDF version:

 General Method of propagation:
   • Autorun feature

Aliases:
   • McAfee: PWS-Spyeye
   • Kaspersky: Worm.Win32.Cridex.dc
   • Microsoft: Worm:Win32/Cridex.B
   • Grisoft: SHeur4.AHBZ
   • Eset: Win32/AutoRun.Spy.Banker.M worm
   • DrWeb: Trojan.DownLoader6.13798

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Third party control
   • Drops files
   • Registry modification

Files
It copies itself to the following location:
   • %APPDATA%\KB00027502.exe

It creates the following file on each accessible drive:
   • %drive%\autorun.inf
This is a plain text file, not executable on its own, but it instructs Windows to launch the worm when the drive is mounted on a system that still has the Autorun feature enabled. Its content is:
   • %code that runs malware%

It also creates %TEMPDIR%\POS1.tmp and executes it as soon as it has been completely written. This batch file is used to delete a file (typically the original dropper, so that only the copy in %APPDATA% remains).

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "KB00027502.exe"="%APPDATA%\KB00027502.exe"

The following registry keys and values are added:

– [HKCU\Software\Microsoft\Windows Media Center\C36E1C63]
– [HKCU\Software\Microsoft\Windows Media Center\2FB0C48D]
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "GlobalUserOffline"=dword:00000000

Setting GlobalUserOffline to 0 clears the WinINet "Work Offline" state, which makes sure the worm's own HTTP requests to its servers are not silently blocked by an offline browser setting.
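The two artifacts described above, the autorun.inf on removable media and the registry changes in HKCU, are what an analyst would pull from a suspect host to confirm an infection. The following script is an added example written for this page, not Avira's code: it parses a constructed autorun.inf and a constructed .reg export and flags the indicators the description lists (Autorun launch directives, a Run value disguised as a Windows hotfix and pointing into %APPDATA%, GlobalUserOffline set to 0, and the MD5 of the sample). The autorun.inf body is an illustrative Autorun launcher, not the masked content of this sample; the path names in the sample data are invented.

```python
"""Offline triage helper for the Cridex.B indicators listed on this page.

Added example, not Avira's code. Parses an autorun.inf (propagation vector)
and a .reg export of HKCU (persistence and Internet Settings values) and flags
the indicators from the description. Both inputs below are constructed; the
autorun.inf content is illustrative, not the masked content of this sample.
"""
import configparser
import hashlib
import re

# Indicators taken from the description above.
KNOWN_MD5 = "c142f7941922369c46e948ff508f67ce"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# The dropped file masquerades as a Windows hotfix: "KB" + digits + ".exe".
FAKE_KB_NAME = re.compile(r"^KB\d+\.exe$", re.IGNORECASE)
# [autorun] directives that make Windows start a program when the drive is mounted.
LAUNCH_DIRECTIVES = ("open", "shellexecute")

# Constructed autorun.inf (not the real one): the icon/action lines disguise the launcher.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; constructed example for this page, not the content of this sample
open=Recycled\worm.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=Recycled\worm.exe
"""

# Constructed .reg export with one benign and one suspicious Run value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"KB00027502.exe"="C:\\Users\\analyst\\AppData\\Roaming\\KB00027502.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000
"""

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def autorun_launch_targets(text):
    """Return every program an autorun.inf would start via the Autorun feature."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys such as shell\open\command intact
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":  # Windows matches the section case-insensitively
            continue
        for key, value in cp.items(section):
            k = key.lower()
            if k in LAUNCH_DIRECTIVES or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(value.strip())
    return targets


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys


def suspicious_run_entries(reg):
    """Flag Run values named like a fake hotfix or pointing into the user's AppData tree."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        target = data.strip('"').replace("\\\\", "\\")  # undo .reg string escaping
        base = target.rsplit("\\", 1)[-1]
        lowered = target.lower()
        if FAKE_KB_NAME.match(base) or "\\appdata\\" in lowered or lowered.startswith("%appdata%"):
            hits.append((name, target))
    return hits


def offline_mode_disabled(reg):
    """GlobalUserOffline=0 forces WinINet out of 'Work Offline' mode so C2 traffic is not blocked."""
    return reg.get(INET_KEY, {}).get("GlobalUserOffline", "").lower() == "dword:00000000"


def matches_known_sample(data):
    """Compare file bytes against the MD5 given in the description (MD5 is all the page provides)."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print("Autorun launches:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print("Suspicious Run entries:", suspicious_run_entries(reg))
    print("Offline mode disabled:", offline_mode_disabled(reg))
```

On a live host the same functions can be fed the real autorun.inf from the removable drive and the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; a Run value named like a hotfix but living under %APPDATA% is the single strongest indicator here, since legitimate Windows updates never register themselves that way.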

Backdoor
Contact server:
One of the following:
   • micros**********.ru
   • micros**********.ru
   • micros**********.ru
   • micros**********.ru

As a result it may send information from the infected system to these servers, and the remote operator may be given control over the system.

Injection
It injects itself as a remote thread into a process.

    Process name:
   • %WINDIR%\Explorer.EXE

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Mocanu on Wednesday, 8 August 2012
Description updated by Daniel Mocanu on Wednesday, 8 August 2012
