Avira Virus Lab


  • Name
  • Date discovered
    Dec 5, 2015
  • Type
  • Impact
  • Reported Infections
  • Operating System
  • VDF version (2015-02-28 12:18)

Stay safe from all these threats with Avira Free Antivirus.

Avira Free Antivirus Download Free

The term 'BDS' denotes a Backdoor-Server program. Backdoor-Server programs are used to spy out, modify or delete data.

  • VDF (2015-02-28 12:18)
  • Aliases
    Avast: Win32:Downloader-UCK
    AVG: Generic_r.DCT
    Dr. Web: Win32.HLLW.Autoruner2.7881
    F-PROT: W32/QQhelper.C.gen!Eldorado (generic, not disinfectable)
    Microsoft: DDoS:Win32/Nitol.A
    G Data: Generic.ServStart.F63A6CE6
    Kaspersky Lab: HEUR:Trojan.Win32.Generic
    Bitdefender: Generic.ServStart.F63A6CE6
    ESET: Win32/ServStart.C worm
  • Files
    The following copies of itself are created:
    • %SYSDIR%\xontks.exe
  • Registry
    The following registry entries are added:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ghijkl Nowepqrstu Wxy ("Type": dword:00000010; "Start": dword:00000002; "ErrorControl": dword:00000000; "ImagePath": "%SYSDIR%\xontks.exe"; "DisplayName": "Ghijkl Nopqwerstu Wxyabcde Ghij"; "ObjectName": "LocalSystem")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ghijkl Nowepqrstu Wxy\Security ("Security": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHIJKL_NOWEPQRSTU_WXY ("NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHIJKL_NOWEPQRSTU_WXY\0000 ("Service": "Ghijkl Nowepqrstu Wxy"; "Legacy": dword:00000001; "ConfigFlags": dword:00000000; "Class": "LegacyDriver"; "ClassGUID": "{8ECC055D-047F-11D1-A537-0000F8753ED1}"; "DeviceDesc": "Ghijkl Nopqwerstu Wxyabcde Ghij")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GHIJKL_NOWEPQRSTU_WXY\0000\Control ("*NewlyCreated*": dword:00000000; "ActiveService": "Ghijkl Nowepqrstu Wxy")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ghijkl Nowepqrstu Wxy\Enum ("0": "Root\LEGACY_GHIJKL_NOWEPQRSTU_WXY\0000"; "Count": dword:00000001; "NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent (@: dword:0000000f)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ghijkl Nowepqrstu Wxy ("Description": "Ghijklmn Pqrswetuvwx Abcdefg Ijklmnop Rst")

Help make the web safer by sending us suspicious files/URLs to analyze

Submit your file/URL or Go to support.avira.com

Why submit a suspicious file?

If you encountered a suspicious file or website that’s not in our database, we’ll analyze it and determine whether it’s harmful. Our findings are then pushed out to our millions of users with their next virus database update. If you have Avira, you’ll get that update too. Don’t have Avira? Get it on our homepage.