Date discovered: 09/06/2011
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 3.328.947 Bytes
MD5 checksum: 8A6D83F8E169F2508F978C1B7D57D13F
VDF version:
IVDF version:

General Method of propagation:
   • Autorun feature

Aliases:
   • Kaspersky: Worm.Win32.AutoRun.hud
   • TrendMicro: WORM_OTORUN.HU
   • Microsoft: Worm:Win32/Colowned.A

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Third party control
   • Drops files
   • Registry modification

Files
It copies itself to the following locations:
   • %APPDATA%\taskhost.exe
   • %drive%\viewDrive.exe

It also creates %drive%\autorun.inf. This is a non-malicious text file with the following content:
   • %code that runs malware%

It tries to download a file from the following location:
   • http://link.colo.**********.hu:31099/l.txt

This file may contain further download locations and might serve as a source for new threats.

Registry
One of the following values is added to each of these registry keys so that the process is started again after a reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Task Host"="%APPDATA%\taskhost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Task Host"="%APPDATA%\taskhost.exe"

Backdoor
The following port is opened:

– svchost.exe on UDP port 1033
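A defender-side check for the artefacts listed in the Files, Registry and Backdoor sections above, added here as an example; it is not the vendor's tool, it only reports and does not clean, and it assumes PowerShell 2.0 or later run in the affected user's session so that %APPDATA% resolves to the right profile.

```powershell
# Added detection check for the artefacts described on this page (not vendor code).
# Assumption: run as the affected user on a Windows host with PowerShell 2.0+.
$findings = @()
$knownMd5 = '8A6D83F8E169F2508F978C1B7D57D13F'   # MD5 of the sample from this description

# 1. Persistence: the "Windows Task Host" value in either Run key
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['Windows Task Host']) {
        $findings += "Run value in ${key}: $($props.'Windows Task Host')"
    }
}

# 2. Dropped copy under %APPDATA%; hashed via .NET so it works on old PowerShell too
$taskhost = Join-Path $env:APPDATA 'taskhost.exe'
if (Test-Path $taskhost) {
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($taskhost)
    $hash  = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    $note  = if ($hash -eq $knownMd5) { 'matches this description' } else { 'different hash, possible variant' }
    $findings += "File present: $taskhost (MD5 $hash, $note)"
}

# 3. Removable drives (DriveType 2): the autorun.inf / viewDrive.exe pair used to spread
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
foreach ($disk in $removable) {
    foreach ($name in 'viewDrive.exe', 'autorun.inf') {
        $path = Join-Path $disk.DeviceID $name
        if (Test-Path $path) { $findings += "Propagation artefact: $path" }
    }
}

# 4. Backdoor listener: UDP 1033 in use. netstat exists on every OS listed above;
#    the port alone is a weak signal, so confirm the owning PID is svchost.exe.
$udp = netstat -ano -p UDP | Select-String ':1033\s'
if ($udp) { $findings += "UDP port 1033 in use: $(($udp | ForEach-Object { $_.Line.Trim() }) -join '; ')" }

if ($findings.Count -eq 0) { 'No Colowned.A artefacts found.' } else { $findings }
```

A hit on the Run value or the %APPDATA% file is the strongest indicator; an autorun.inf on removable media should be inspected rather than trusted, since its content is what launches the dropped copy.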

Contact server:
The following server is contacted:
   • http://link.colo.**********.hu:31099

Injection
It injects itself as a remote thread into processes.

   Process name:
   • svchost.exe

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Monday, 1 August 2011
Description updated by Andrei Ilie on Tuesday, 2 August 2011
