Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Virus:TR/Scar.cmvo
Date discovered:19/08/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:571.904 Bytes
MD5 checksum:69873d92d870598c0c6dec3f720e25b9
IVDF version:7.10.10.226 - Thursday, August 19, 2010

 General Method of propagation:
    Autorun feature


Aliases:
   •  Sophos: Mal/EncPk-MX
   •  Bitdefender: Win32.Worm.Rimecud.AD
   •  Panda: W32/Autorun.KAB
   •  Eset: Win32/AutoRun.PSW.Delf.C


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\srtserv\%executed file%.bak
   • %ALLUSERSPROFILE%\Application Data\srtserv\%executed file%



It deletes the initially executed copy of itself.



It deletes the following files:
   • %ALLUSERSPROFILE%\Application Data\srtserv\set.dat
   • %ALLUSERSPROFILE%\Application Data\srtserv\update.dat



The following files are created:

%drive%\aUtoRuN.iNF This is a non malicious text file with the following content:
   • %code that runs malware%

%ALLUSERSPROFILE%\Application Data\srtserv\update.dat Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen

%ALLUSERSPROFILE%\Application Data\srtserv\sdata.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Agent2.cthq

%ALLUSERSPROFILE%\Application Data\srtserv\mdhimv.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen

%ALLUSERSPROFILE%\Application Data\srtserv\set.dat
%ALLUSERSPROFILE%\Application Data\srtserv\task.dat
%drive%\mdhimv.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen




It tries to download some files:

The location is the following:
   • http://termoteh.com/data/**********


The location is the following:
   • http://psynergi.dk/data2/**********


The location is the following:
   • http://psynergi.dk/data2/**********


The location is the following:
   • http://vesterm.freehostia.com/**********




It tries to execute the following files:

Filename:
   • "%ALLUSERSPROFILE%\Application Data\srtserv\%executed file%" -wait


Filename:
   • "%ALLUSERSPROFILE%\Application Data\srtserv\mdhimv.exe" -wait

 Registry The values of the following registry key are removed:



The values of the following registry keys are removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • srtserv



The following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
   • "value1"="mdhimv.exe"
   • "value2"=dword:0x000000b4

 Injection –  It injects the following file into a process: %ALLUSERSPROFILE%\Application Data\srtserv\sdata.dll

    Process name:
   • explorer.exe


 Miscellaneous It creates the following Mutexes:
   • YCS0mRtQ316
   • KAENA_HOOK

 File details Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrizione inserita da Petre Galan su venerdì 15 ottobre 2010
Descrizione aggiornata da Petre Galan su venerdì 15 ottobre 2010

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.