Avira Virus Lab

BDS/Androm.uda

  • Name
    BDS/Androm.uda
  • Date discovered
    Nov 24, 2015
  • Type
    Malware
  • Impact
    Medium
  • Reported Infections
    Low
  • Operating System
    Windows
  • VDF version
    7.11.82.162 (2013-06-04 02:34)


The term 'BDS' denotes a backdoor server program. Backdoor server programs are used to spy on, modify, or delete data.

  • Aliases
    Avast: Win32:MalPack-G
    AVG: SHeur4.BJTP
    ClamAV: Win.Trojan.Agent-944769
    Dr. Web: BackDoor.IRC.NgrBot.42
    F-PROT: W32/Dorkbot.P.gen!Eldorado (generic, not disinfectable)
    Trend Micro: WORM_DORKBOT.SK
    Microsoft: Worm:Win32/Dorkbot.I
    G Data: Trojan.Dorkbot.IC
    Kaspersky Lab: Trojan.Win32.Agent.ibnd
    Bitdefender: Trojan.Dorkbot.IC
    ESET: Win32/Dorkbot.B worm
  • Files
    The following copies of itself are created:
    • %APPDATA%\temp.bin
    • %APPDATA%\ScreenSaverPro.scr
    • %USERPROFILE%\Start Menu\Programs\Startup\NTDETECT.COM
    • %APPDATA%\Microsoft\Klocom.exe
    The following files are renamed:
    • %TEMPDIR%\WinPcap_4_1_3.exe
    The following files are deleted:
    • %TEMPDIR%\WinPcap_4_1_3.exe.gonewiththewings
    The following files are changed:
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %WINDIR%\Sti_Trace.log
    • %WINDIR%\Prefetch\SVCHOST.EXE-3530F672.pf
  • Injections
    • %SYSDIR%\cmd.exe
    • %SYSDIR%\ipconfig.exe
    • %DISKDRIVE%\hips\loader.exe
    • %WINDIR%\System32\svchost.exe
    • %SYSDIR%\svchost.exe
    • %SYSDIR%\mspaint.exe
    • \SystemRoot\System32\smss.exe
    • \??\%SYSDIR%\csrss.exe
    • \??\%SYSDIR%\winlogon.exe
    • %SYSDIR%\services.exe
    • %PROGRAM FILES%\VMware\VMware Tools\vmacthlp.exe
    • %WINDIR%\Explorer.EXE
    • %SYSDIR%\spoolsv.exe
    • %PROGRAM FILES%\FileZilla Server\FileZilla Server Interface.exe
    • %PROGRAM FILES%\VMware\VMware Tools\VMwareTray.exe
    • %PROGRAM FILES%\VMware\VMware Tools\vmtoolsd.exe
    • %WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    • %PROGRAM FILES%\FileZilla Server\FileZilla Server.exe
    • %WINDIR%\System32\alg.exe
    • %SYSDIR%\wscntfy.exe
    • %DISKDRIVE%\totalcmd\TOTALCMD.EXE
    • %SYSDIR%\msiexec.exe
    • %PROGRAM FILES%\Java\jre6\bin\jqs.exe
    • %SYSDIR%\wbem\wmiprvse.exe
    • %PROGRAM FILES%\WinPcap\rpcapd.exe
  • Registry
    The following registry entries are added:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Screen Saver Pro 3.1": "%APPDATA%\ScreenSaverPro.scr")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent (@: dword:00000011)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STISVC\0000\Control ("ActiveService": "stisvc")
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Klocom": "%APPDATA%\Microsoft\Klocom.exe")
    The values of the following registry keys are removed:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (StillImageMonitor: -)
  • HTTP Requests
    • api.*****nia.com/
