Date discovered:16/07/2010
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:222.092 Bytes
MD5 checksum:d84a73bdde2ef478a5efd90af5c857e3
VDF version:
IVDF version: - Friday, July 16, 2010

 General Methods of propagation:
   • Autorun feature
   • Messenger

   •  F-Secure: Gen:Trojan.Heur.nmMfrzSTdNgib
   •  Bitdefender: Gen:Trojan.Heur.nmMfrzSTdNgib
   •  GData: Gen:Trojan.Heur.nmMfrzSTdNgib
   •  DrWeb: Win32.HLLW.Texmer.51

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %drive%\SSVICHOSST.exe

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

It tries to execute the following files:

– Filename:
   • %SYSDIR%\cmd.exe /C AT /delete /yes

– Filename:
   • %SYSDIR%\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSDIR%\SSVICHOSST.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Yahoo Messengger"="%SYSDIR%\SSVICHOSST.exe"

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   • "AtTaskMaxHours"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   • "shared"="\New Folder.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Yahoo Messenger

The sent message looks like one of the following:

   • ang Web nay coi cung hay, vao coi thu di http://nhatquanglan1.0catch.com
     may, vao day coi co con nho nay ngon lam http://nhatquanglan1.0catch.com
     o day nghe bai nay di ban http://nhatquanglan1.0catch.com

 Miscellaneous Accesses internet resources:
   • http://nhatquanglan3.t3**********.com
   • http://nhatquanglan4.t3**********.com

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

説明の挿入者 Wensin Lee の 2012年4月16日月曜日
説明の更新者 Wensin Lee の 2012年4月16日月曜日

戻る . . . .
https:// このウィンドウは暗号化されています。