In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 96.768 Bytes
MD5 checksum: 9015f808a4a1b7d56d7b35c33adfaba0
VDF version:
IVDF version:

General
Aliases:
   •  Sophos: Troj/Zbot-TD
   •  Bitdefender: Trojan.Generic.KD.21838
   •  Panda: Trj/Proxy.DF
   •  Eset: Win32/Olmarik.SC

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files

Files
It copies itself to the following location:
   • %TEMPDIR%\%number%.tmp

It deletes the initially executed copy of itself.

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\%character string%]
   • "Type"=dword:00000001
   • "ImagePath"="%TEMPDIR%\%number%.tmp"

Backdoor
Contact server:
The following:
   • jro**********.com:443 (TCP)

Injection
– It injects the following file into a process: %TEMPDIR%\%number%.tmp

    Process name:
   • spoolsv.exe

Description inserted by Petre Galan on Friday, January 14, 2011
Description updated by Petre Galan on Thursday, January 27, 2011
