Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:15/04/2011
Type:Backdoor Server
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:348.240 Bytes
MD5 checksum:7424b691e2ab78511e7c9679674a0016
VDF version:
IVDF version:

 General Method of propagation:
   • Messenger

   •  Kaspersky: Trojan-Spy.Win32.Zbot.bjjv
   •  F-Secure: Trojan-Spy.Win32.Zbot.bjjv
   •  Bitdefender: Trojan.Generic.5954028
   •  GData: Trojan.Generic.5954028
   •  DrWeb: Trojan.DownLoader2.35423

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %ALLUSERSPROFILE%\application data\microsoft\uaiwny6\uaiwny6.exe

The following files are created:

– %ALLUSERSPROFILE%\application data\microsoft\uaiwny6\uaiwny6.dll
– %ALLUSERSPROFILE%\application data\microsoft\uaiwny6\uaiwny.dll

It tries to execute the following files:

– Filename:
   • %ALLUSERSPROFILE%\application data\microsoft\uaiwny6\uaiwny6.exe

– Filename:
   • cmd /c ping -n 10 localhost && del "%executed file%"

– Filename:
   • %PROGRAM FILES%\Internet Explorer\iexplore.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "zhpauja"=""%ALLUSERSPROFILE%\application data\microsoft\uaiwny6\uaiwny6.exe""

 Messenger It is spreading via Messenger. The characteristics are described below:

– Windows Live Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 Stealing It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function

– Passwords from the following programs:
   • Internet Explorer
   • Mozilla Firefox
   • Microsoft Outlook

 Injection –  It injects the following file into a process: %ALLUSERSPROFILE%\application data\microsoft\uaiwny6\uaiwny6.dll

    Process name:
   • explorer.exe

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
Accesses internet resources:

It creates the following Mutexes:
   • uaiwny6%current username%
   • uaiwny%current username%

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, June 6, 2011
Description updated by Petre Galan on Monday, June 6, 2011

Back . . . .