Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:19/07/2011
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:33.792 Bytes
MD5 checksum:B9CF011968971CDD8424BC463603B71D
VDF version: - Tuesday, July 19, 2011
IVDF version: - Tuesday, July 19, 2011

 General Aliases:
   •  TrendMicro: TROJ_RANSOM.AMM
   •  Sophos: Mal/Zbot-DE
   •  Microsoft: Trojan:Win32/Ransom.DF

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification

Right after execution the following information is displayed:

 Files It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\%hex values%.exe
   • %SYSDIR%\taskmgr.exe
   • %SYSDIR%\userinit.exe
   • %SYSDIR%\dllcache\taskmgr.exe
   • %SYSDIR%\dllcache\userinit.exe

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="%ALLUSERSPROFILE%\Application Data\%hex values%.exe"

 Process termination The following process is terminated:
   • %WINDIR%\explorer.exe

 Miscellaneous Anti debugging
Checks for debugger or virtual machine using time related techniques.

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

설명 삽입자 Andrei Ilie   2011년 10월 7일 금요일
설명 업데이트 Andrei Ilie   2011년 10월 10일 월요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.