Date discovered: 23/11/2011
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 721745 Bytes
MD5 checksum: 759ca80274db9600865f98dd29ea7d5a
VDF version: - Wednesday, November 23, 2011
IVDF version: - Wednesday, November 23, 2011

General
Method of propagation:
   • Autorun feature

Aliases:
   • McAfee: W32/YahLover.worm.gen
   • Kaspersky: Worm.Win32.AutoIt.dn
   • Bitdefender: Win32.Worm.Sohanat.CK
   • Grisoft: Dropper.Generic4.CAYF
   • Eset: Win32/Autoit.EP.Gen worm
   • GData: Win32.Worm.Sohanat.CK
   • Norman: New unknown virus W32/Obfuscated.H!genr

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\gphone.exe
   • %WINDIR%\gphone.exe

Registry
One of the following values is added in order to run the process after reboot:

   • "Yahoo Messengger"="c:\\windows\\system32\\gphone.exe"

The following registry keys are added in order to load the services after reboot:

   • "NofolderOptions"=dword:00000001

   • "AtTaskMaxHours"=dword:00000000

   Internet Settings
   • "ProxyEnable"=dword:00000000

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
   • "Start Page"=""

The following registry keys are changed:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe gphone.exe"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
   Old value:
   • "Default_Page_URL"=""
   • "Default_Search_URL"=""
   • "Search Page"=""
   New value:
   • "Default_Page_URL"=""
   • "Default_Search_URL"=""
   • "Search Page"=""

Internet Explorer's start page:

HKCU\Software\Microsoft\Internet Explorer\Main
   Old value:
   • "Start Page"="about:blank"
   New value:
   • "Start Page"=""

Miscellaneous
Accesses internet resources:
   • **********go.**********
   • **********cam.**********

Event handler:
It creates the following Event handlers:
   • CloseServiceHandle
   • OpenSCManager
   • ReadProcessMemory
   • WriteProcessMemory
   • GetKeyState
   • GetAsyncKeyState
   • HttpOpenRequest
   • FtpOpenFile
   • InternetOpenUrl
   • InternetOpen
   • GetDriveType
   • CreateFile
   • ShellExecute

File details
Runtime packer:
To hinder detection and reduce the file size, the sample is packed with a runtime packer.

Description submitted by Wensin Lee on Wednesday, 30 May 2012
Description updated by: Wensin Lee on Wednesday, 30 May 2012
