Date discovered:28/08/2009
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
File size:114688 Bytes
MD5 checksum:237f86451bbfb4341d130a5de71ca9e3
VDF version:
IVDF version: - Friday, August 28, 2009

 General Method of propagation:
   • No own spreading routine

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

 Files It copies itself to the following location:
   • %temp%\%10 digit random character string% .pre

It deletes the initially executed copy of itself.

The following file is created:

– %temp%\%random character string%\random character string%.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%random character string%\%random character string%.exe"

The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre"

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre"

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • zeo**********-gt.com
   • fen**********.com

説明の挿入者 Wensin Lee の 2013年3月13日水曜日
説明の更新者 Wensin Lee の 2013年3月13日水曜日

戻る . . . .
https:// このウィンドウは暗号化されています。