Virus:TR/Agent.bqi
Date discovered:15/09/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:439.296 Bytes
MD5 checksum:E93B115A57C2B3C75D21387DAC59A3E2
IVDF version:7.10.11.187 - Wednesday, September 15, 2010

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Symantec: W32.SillyFDC
   •  Mcafee: W32/Autorun.worm.g
   •  Kaspersky: Worm.MSIL.Autorun.fn
   •  F-Secure: Trojan.MSIL.Agent.P
   •  Sophos: W32/Autorun-BJR
   •  Bitdefender: Trojan.MSIL.Agent.P
   •  Avast: MSIL:AutoRun-W
   •  Microsoft: Worm:MSIL/Autorun.F
   •  Panda: MSIL/Autorun.KBQ
   •  PCTools: Net-Worm.SillyFDC!rem
   •  VirusBuster: Trojan.Agent2.MOU
   •  Eset: MSIL/Autorun.Agent.S
   •  GData: Trojan.MSIL.Agent.P
   •  Authentium: W32/Autorun.WV
   •  Norman: W32/Autorun.BMAY


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

 Files It copies itself to the following locations:
   • %PROGRAM FILES%\system32.exe
   • %drive%\lamberguini.avi.exe
   • %drive%\Marcedesse_SLR-722.avi.exe



The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "mlh"="%PROGRAM FILES%\system32.exe"

 Backdoor Contact server:
One of the following:
   • http://raw3a.over-blog.com/
   • http://www.raw3a.org/
   • http://barchamusic.over-blog.com/


 File details Programming language:
  • CIL (.NET 2.x)

説明の挿入者 Irina Diaconescu の 2010年11月2日火曜日
説明の更新者 Irina Diaconescu の 2010年11月5日金曜日

戻る . . . .

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

マイアカウント

https:// このウィンドウは暗号化されています。