Date discovered: 08/09/2012
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 326.144 Bytes
MD5 checksum: 46AAAA7006A62AD84391D132D6FB9EFD
VDF version:
IVDF version:

General method of propagation:
   • No own spreading routine

Aliases (detection names of other vendors):
   • McAfee: W32/Spybot.bfr!f
   • TrendMicro: TROJ_SPNR.22IB12
   • Sophos: Mal/EncPk-AFT
   • Avast: Win32:Susn-AQ [Trj]
   • Eset: Win32/Spy.Zbot.AAO
   • Fortinet: W32/Injector.WAF
   • Norman: ZBot.BIGD

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops files
   • Drops a malicious file
   • Registry modification
   • Steals information

Files:
The following files are created:

– %APPDATA%\%random character string%\%random character string%.exe
  This file is executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Injector.UT

– %APPDATA%\%random character string%\%random character string%
– %APPDATA%\%random character string%\%random character string%
– %TEMPDIR%\%random character string%.bat
  This batch file is executed as soon as it has been fully written. It is used to delete a file.

Registry:
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%APPDATA%\%random character string%\%random character string%.exe"

Miscellaneous:
Internet connection:
In order to check whether an internet connection is available, the following DNS name is resolved:
   • ehalgr**********a.ru
Accesses internet resources:
   • krugvkube.ru/pepp**********le.php

