Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:23/06/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:520.704 Bytes
MD5 checksum:003ca2e0074cc4ca379090b696bb5615
IVDF version: - Wednesday, June 23, 2010

 General Aliases:
   •  Sophos: Mal/Behav-053
   •  Panda: Trj/Keylogger.GK
   •  Eset: Win32/Spy.KeyLogger.NDW

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\svchost.exe

The following file is created:


 Registry The following registry key is added in order to run the process after reboot:

   • "Svchost"="%SYSDIR%\svchost.exe"

 Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

The sender of the email is the following:

The recipient of the email is the following:


The attachment is a copy of the created file: %SYSDIR%\keyS.txt

 Mailing MX Server:
It has the ability to contact the MX server:

 Stealing It tries to steal the following information:
– Windows Product ID

 File details Programming language:
The malware program was written in Delphi.

설명 삽입자 Petre Galan   2010년 11월 4일 목요일
설명 업데이트 Petre Galan   2010년 11월 4일 목요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.