Date discovered:21/02/2013
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:No
File size:102400 Bytes
MD5 checksum:372905881cca4dcd7f71c5151b0a44b2
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Backdoor.Win32.Androm.xpe
   • Sophos: Troj/Matsnu-AK
   • Bitdefender: Trojan.GenericKDV.1052562
   • Microsoft: Unknown threat
   • Eset: Win32/TrojanDownloader.Tiny.NIH
   • GData: Trojan.GenericKDV.1052562

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %TEMPDIR%\%random character string%.pre

It deletes the initially executed copy of itself.

It deletes the following file:
   • %TEMPDIR%\%random character string%.pre

The following file is created:
   • %HOME%\%random character string%\%random character string%.exe

This file is executed as soon as it has been fully written. Further investigation showed that this file is malware as well.

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%random character string%\%random character string%.exe"
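The Run-key entry described above has a recognisable shape: a random value name pointing at an executable one directory below the user profile, where both the directory and the file name are random strings. The following script is an added example written for this description, not Avira's own tooling, and it is a heuristic only: it takes exported HKCU Run entries (the sample entries, the profile-path regex and the vowel-ratio test for "random-looking" names are all constructed for this illustration) and flags entries matching that pattern so an analyst can review them.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values as (value name, data). Illustrative only; not taken from the report.
SAMPLE_RUN_ENTRIES: List[Tuple[str, str]] = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("qzpwxkvtjr", r"C:\Users\alice\hfkqzmwtrb\vdjxnqkzlp.exe"),
    ("Discord", r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
    ("Dropbox", r'"C:\Users\alice\Dropbox\Dropbox.exe" /systemstartup'),
]

# Matches the user-profile root (%HOME% in the report) in expanded or
# unexpanded form, followed by the separating backslash.
USER_PROFILE_RE = re.compile(
    r"^(?:[a-z]:\\(?:users|documents and settings)\\[^\\]+|%(?:userprofile|home)%)\\",
    re.IGNORECASE,
)


def extract_image_path(command: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted value: take everything up to and including the first ".exe".
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def looks_random(token: str) -> bool:
    """Heuristic (assumption, not a rule from the report): a name of eight or
    more characters that is mostly letters but nearly vowel-free is treated as
    a generated random string rather than a product or vendor name."""
    letters = [c for c in token if c.isalpha()]
    if len(token) < 8 or len(letters) < len(token) / 2:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.25


def profile_relative_parts(path: str) -> Optional[List[str]]:
    """Split the part of `path` below the user profile; None if not under it."""
    m = USER_PROFILE_RE.match(path)
    if not m:
        return None
    return path[m.end():].split("\\")


def matches_androm_pattern(name: str, command: str) -> bool:
    """True when the entry has the shape %HOME%\\<random>\\<random>.exe
    registered under a random value name, as described in the report."""
    parts = profile_relative_parts(extract_image_path(command))
    if parts is None or len(parts) != 2:
        return False
    folder, exe = parts
    if not exe.lower().endswith(".exe"):
        return False
    return looks_random(name) and looks_random(folder) and looks_random(exe[:-4])


def scan_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the entries worth analyst review."""
    return [(n, c) for n, c in entries if matches_androm_pattern(n, c)]


if __name__ == "__main__":
    for name, command in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"review: Run\\{name} -> {command}")
```

Only the constructed `qzpwxkvtjr` entry is reported; the legitimate entries either live outside the profile, sit deeper than one directory below it, or carry readable names. Entries flagged this way still need confirmation against the file on disk (for example the MD5 given above), since the vowel-ratio test is deliberately loose.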

Injection
It injects the following file into a process:
   • ctfmon.exe

Miscellaneous
Accesses internet resources:
   • privat-**********

Description inserted by Wensin Lee on Tuesday, 18 June 2013
Description updated by Wensin Lee on Tuesday, 18 June 2013
