Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Pakes.ola
Date discovered:20/01/2011
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:166.912 Bytes
MD5 checksum:39651e474d7ef8d52f4f18db91b7ee56
IVDF version:7.11.01.183 - Thursday, January 20, 2011

 General Aliases:
   •  Kaspersky: Trojan.Win32.Pakes.ola
   •  Sophos: Mal/FakeAV-IS
   •  Bitdefender: Trojan.Agent.ARFL
   •  Panda: Bck/Cycbot.A
   •  GData: Trojan.Agent.ARFL


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\Microsoft\conhost.exe



The following file is created:

– %HOME%\Application Data\01E2.543

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conhost"="%HOME%\Application Data\Microsoft\conhost.exe"

 Backdoor Contact server:
All of the following:
   • http://pcdocpro.com/images/**********?tq=%character string%
   • http://zonetf.com/**********?tq=%character string%
   • http://zonetf.com/**********?tq=%character string%
   • http://zonetf.com/**********?tq=%character string%
   • http://zoneij.com/images/**********?tq=%character string%
   • http://zonetf.com/**********?tq=%character string%
   • http://zonetf.com/**********?tq=%character string%
   • http://bigspiderwomen.com/images/**********?tq=%character string%
   • http://zonetf.com/**********?tq=%character string%


 Miscellaneous Accesses internet resources:
   • http://freeonlinedatingtips.net/images/**********;
      http://sharewareconnection.com/images/**********;
      http://sharewareconnection.com/images/**********;
      http://sharewareconnection.com/im/**********;
      http://www.internetsecure.com/images/**********;
      http://136136.com/lb5000/non-cgi/images/**********;
      http://136136.com/LB5000/CGI-BIN/**********;
      http://136136.com/LB5000/CGI-BIN/**********;
      http://pcdocpro.com/images/**********;
      http://pcdocpro.com/images/**********;
      http://historykillerpro.com/img/**********;
      http://blenderartists.org/external/Banners/**********;
      http://blenderartists.org/external/Banners/**********


Mutex:
It creates the following Mutexes:
   • {61B98B86-5F44-42b3-BCA1-33904B067B81}
   • {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
   • {A5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {C66E79CE-8005-4ed9-A6B1-4983619CB922}
   • {B37C48AF-B05C-4520-8B38-2FE181D5DC78}

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, April 18, 2011
Description updated by Petre Galan on Monday, April 18, 2011

Back . . . .