Date discovered:16/10/2012
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:308224 Bytes
MD5 checksum:2498cb88ebfdf2f8a19a692948a9c415
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Eset: Win32/Spy.Shiz.NCF
   •  DrWeb: Trojan.PWS.Ibank.456

Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Can be used to execute malicious code
   • Can be used by rogue users or malware to lower security settings
   • Can be used to modify system settings that allow or augment potential malware behaviour.
   • Drops a malicious file

 Files It copies itself to the following location:
   • %WINDIR%\appatch\%six-digit random character string%.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "userinit"="%WINDIR%\apppatch\%six-digit random character string%.exe"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "load"="%WINDIR%\apppatch\%six-digit random character string%.exe"
   • "run"="%WINDIR%\apppatch\%six-digit random character string%.exe"

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "userinit"="%SYSDIR%\userinit.exe
   New value:
   • "userinit"="%SYSDIR%\userinit.exe,c:\windows\apppatch\%six-digit random character string%.exe,"
   • "System"="%WINDIR%\apppatch\%six-digit random character string%.exe"

 Backdoor Contact server:
All of the following:
   • cih**********.eu
   • nope**********.eu
   • vofo**********.eu
   • qeqi**********.eu
   • foda**********.eu
   • gate**********.eu
   • digi**********.eu
   • lyve**********eu
   • mar**********.eu
   • ryna**********.eu
   • voc**********.eu
   • tucy**********.eu
   • ...

説明の挿入者 Elias Lan の 2012年10月21日日曜日
説明の更新者 Elias Lan の 2012年10月21日日曜日

戻る . . . .