Avira Virus Lab


  • Name
  • Date discovered
    Oct 2, 2015
  • Type
  • Impact
  • Reported Infections
  • Operating System
  • VDF version (2013-05-13 20:20)

Stay safe from all these threats with Avira Free Antivirus.

Avira Free Antivirus Download Free

The term 'WORM' denotes a worm that is able to spread itself, for instance, over the Internet (using email, peer-to-peer networks, or IRC networks, etc.).

  • VDF (2013-05-13 20:20)
  • Aliases
    Avast: MSIL:Agent-ABU
    AVG: Generic27.BIHM
    Dr. Web: Trojan.Siggen3.38290
    F-PROT: W32/Backdoor2.HWKM (exact)
    McAfee: Generic Malware.og!ats
    Trend Micro: TROJ_SPNR.06DC13
    Microsoft: Worm:MSIL/Mofin.A
    G Data: Trojan.Generic.KDV.690486
    Kaspersky Lab: Worm.MSIL.Agent.aet
    Bitdefender: Trojan.Generic.KDV.690486
    ESET: MSIL/Agent.AY worm
  • Files
    The following files are changed:
    • %USERPROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • %USERPROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %DISKDRIVE%\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\BIT1.tmp
    • %APPDATA%\Microsoft\Protect\CREDHIST
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\Preferred
    • %SYSDIR%\wbem\Logs\wbemcore.log
    • %WINDIR%\Prefetch\WMIADAP.EXE-2DF425B2.pf
    • %WINDIR%\Prefetch\WMIPRVSE.EXE-28F301A9.pf
    • %SYSDIR%\wbem\Logs\wmiprov.log
    The following copies of itself are created:
    • %USERPROFILE%\Start Menu\Programs\Startup\svchost..exe
    • %WINDIR%\system\suchost..exe
    The following files are renamed:
    • %DISKDRIVE%\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\BIT1.tmp
    The following files are created:
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\33052481-a09e-4d92-b590-f20fd4c4bb81
  • Registry
    The values of the following registry keys are removed:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates (4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5: -)
    The following registry entries are added:
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS ("StateIndex": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 ("Blob": %hex values%)

Help make the web safer by sending us suspicious files/URLs to analyze

Submit your file/URL or Go to support.avira.com

Why submit a suspicious file?

If you encountered a suspicious file or website that’s not in our database, we’ll analyze it and determine whether it’s harmful. Our findings are then pushed out to our millions of users with their next virus database update. If you have Avira, you’ll get that update too. Don’t have Avira? Get it on our homepage.