Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:24/06/2011
In the wild:No
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Low to medium
Static file:Yes
File size:135.168 Bytes
MD5 checksum:85A953DD7B7712189329C3538C00B3EA
VDF version:
IVDF version:

 General Methods of propagation:
   • Autorun feature
   • Messenger

   •  Kaspersky:
   •  Avast: Win32:VB-VHK [Trj]
   •  DrWeb: BackDoor.Cybergate.1

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following locations:
   • %APPDATA%\%number%.exe
   • %APPDATA%\cmd.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "{cmd.exe}"="%APPDATA%\cmd.exe"
   • "SystemReq"="C:\Documents and Settings\Administrator\Application Data\%number%.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "{cmd.exe}"="%APPDATA%\cmd.exe"
   • "SystemReq"="C:\Documents and Settings\Administrator\Application Data\%number%.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Windows Live Messenger

 Miscellaneous Accesses internet resources:

It creates the following Mutex:
   • __PDH_PLA_MUTEX__

Description inserted by Andrei Ilie on Wednesday, October 5, 2011
Description updated by Andrei Ilie on Thursday, October 6, 2011

Back . . . .