Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:13/05/2008
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:21.504 Bytes
MD5 checksum:6744c7d7ecdc7fa5359103507a649af0
VDF version:
IVDF version:

 General Method of propagation:
   • Mapped network drives

   •  Symantec: W32.Mandaph
   •  Kaspersky: Trojan-Downloader.Win32.Small.vrv
   •  TrendMicro: TROJ_SMALL.KFO
   •  F-Secure: Trojan-Downloader.Win32.Small.vrv
   •  Sophos: W32/Niya-C
   •  Panda: W32/Mandaph.A.worm
   •  VirusBuster: Trojan.DL.Small.AOTJ
   •  Eset: Win32/Zalup
   •  Bitdefender: Trojan.Downloader.Agent.ZJI

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads files
   • Drops a malicious file
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\drivers\spools.exe
   • %HOME%\cftmon.exe
   • %drive%\autorun.exe

The following files are created:

– Non malicious files:
   • %HOME%\mpr.dat
   • %HOME%\mpr2.dat
   • %HOME%\cs.dat
   • %HOME%\update.dat

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\ftp34.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Gen

– %HOME%\ftp34.dll Detected as: TR/Spy.Gen

 Registry – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ntuser" = "%SYSDIR%\drivers\spools.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "autoload" = "%UserProfile%\cftmon.exe"

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ntuser" = "%SYSDIR%\drivers\spools.exe"

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "autoload" = "%UserProfile%\cftmon.exe"

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   • "ImagePath" = "%SYSDIR%\drivers\spools.exe"

The following registry keys including all values and subkeys are removed:
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

The following registry key is added:

– [HKCR\exefile\shell\open\command]
   • @="%HOME%\cftmon.exe "%1" %*"

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe"

 Backdoor Contact server:
All of the following:
   • http://zonephp.**********
   • http://zonephp.**********

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Alexandru Dinu on Thursday, August 7, 2008
Description updated by Andrei Ivanes on Tuesday, September 16, 2008

Back . . . .