Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:30/05/2011
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:185.856 Bytes
MD5 checksum:137d614bcab51797b4be6b6cac0016b6
IVDF version: - Monday, May 30, 2011

 General Aliases:
   •  Bitdefender: Trojan.Downloader.JOID
   •  GData: Trojan.Downloader.JOID

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\dwm.exe

It deletes the following files:
   • %TEMPDIR%\4.exe
   • %TEMPDIR%\5.exe

The following files are created:

– %HOME%\Application Data\01E2.543
– %HOME%\Application Data\Microsoft\conhost.exe

It tries to download a file:

– The locations are the following:
   •**********?v37=%number%&tq=%character string%
   •**********?v46=%number%&tq=%character string%

It tries to execute the following files:

– Filename:
   • %TEMPDIR%\4.exe check

– Filename:
   • %HOME%\Application Data\Microsoft\conhost.exe

– Filename:
   • %TEMPDIR%\5.exe check

– Filename:
   • %TEMPDIR%\csrss.exe

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="explorer.exe,%HOME%\Application Data\dwm.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conhost"="%HOME%\Application Data\Microsoft\conhost.exe"

The following registry key is changed:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • "Load"="%TEMPDIR%\csrss.exe"

 Miscellaneous  Checks for an internet connection by contacting the following web site:
Accesses internet resources:
   •**********?v78=%number%&tq=%character string%
   •**********?tq=%character string%
   •**********?gravatar_id=%character string%&tq=%character string%
   •**********?v44=%number%&tq=%character string%
   •**********?tq=%character string%
   •**********?v67=%number%&tq=%character string%
   •**********?v55=%number%&tq=%character string%
   •**********?v67=%number%&tq=%character string%

It creates the following Mutexes:
   • {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
   • CH5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
   • {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
   • {45BCA615-C82A-4152-8857-BCC626AE4C8D}
   • {B5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
   • {35BCA615-C82A-4152-8857-BCC626AE4C8D}
   • {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
   • {A5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
   • {61B98B86-5F44-42b3-BCA1-33904B067B81}
   • CHD92BB9F-9A66-458f-ACA4-66172A7016D4}

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

설명 삽입자 Petre Galan   2011년 6월 30일 목요일
설명 업데이트 Petre Galan   2011년 6월 30일 목요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.