Date discovered: 25/03/2008
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 216.576 Bytes
MD5 checksum: 4508a6e276acfa84f5da376aa9078d2c
IVDF version:

General
Aliases:
   •  Mcafee: W32/Spybot.worm
   •  Panda: W32/Gaobot.OXI.worm
   •  Eset: Win32/SpamTool.Tedroo.AL
   •  Bitdefender: Backdoor.Bot.117614

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe

It tries to download some files:

– The location is the following:
   •**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%

– The location is the following:
   •**********?task=%number%&id=%character string%

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host"="%character string%"
   • "id"="%character string%"
   • "ii"="1"

Email
It contains an integrated SMTP engine in order to send emails. It establishes a direct connection with the destination server. Its characteristics are described below:

The sender address is spoofed.

– Email addresses found in specific files on the system.

– Contains HTML code.


The attachment is a copy of the malware itself.

Mailing
MX Server:
It has the ability to contact one of the following MX servers:

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 8, 2010
Description updated by Andrei Ivanes on Friday, April 9, 2010
