Date discovered: 17/04/2013
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low
File size: 105984 Bytes
MD5 checksum: 20951565fdc35cf85135361452c184a3
VDF version: - Wednesday, April 17, 2013
IVDF version: - Wednesday, April 17, 2013

General Method of propagation:
   • No own spreading routine

Aliases:
   • Bitdefender: Trojan.GenericKD.948144
   • Eset: Win32/Trustezeb.C trojan

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Files:
It copies itself to the following locations:
   • %temp%\%10 digit random character string% .pre
   • %HOME%\%random character string%\%random character string%.exe

It deletes the initially executed copy of itself.

It deletes the following file:
   • %temp%\%10 digit random character string% .pre

Registry:
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\\%random character string%\\%random character string%.exe"

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre;"

Injection:
It injects itself into all of the following processes:
   • %SYSDIR%\svchost.exe
   • %WINDIR%\explorer.exe

Miscellaneous:
Internet connection:
In order to check for its internet connection, the following DNS server is contacted:
   • nvufv**********.com/inbox.php?ltype=ld&ccr=1&id=D8812EB1434E**********&stat=0&ver=2000803&loc=0x0809&os=Windows%20XP

Event handler:
It creates the following event handlers:
   • IsDebuggerPresent
   • IsProcessorFeaturePresent
   • CreateFile

Furthermore, it contains the following string:
   • Are you kinding me?

Description inserted by Wensin Lee on Friday, 19 April 2013
Description updated by Wensin Lee on Friday, 19 April 2013

