Threat Encyclopedia

Short description
The trojan tries to download and execute several files from the Internet. It terminates various security-related applications. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
  • %system%\scvhost.exe (37888 B)
The trojan creates the following files:
  • %windir%\tete%random1%t.dll (44688 B)
  • %windir%\extext%random2%t.exe (11264 B)
  • %system%\drivers\pcidump.sys (11904 B)
  • %system%\drivers\aec.sys (2048 B)
  • %system%\drivers\asyncmac.sys (2816 B)
%random1% and %random2% each stand for a random number.

The trojan installs the following system drivers:
  • %system%\drivers\pcidump.sys
  • %system%\drivers\aec.sys
  • %system%\drivers\asyncmac.sys
The following Registry entries are deleted:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
    "RsTray" = "%system%\scvhost.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\360Safebox.exe]
    "360Safebox.exe" = "svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\360tray.exe]
    "360tray.exe" = "svchost.exe"
Information stealing
The trojan collects the following information:
  • network adapter information
  • malware version
  • operating system version
The trojan can send the information to a remote machine. The HTTP protocol is used.
Other information
The trojan terminates processes with any of the following strings in the name:
  • .norton2009Reset
  • avp
  • LIVESRV
  • McAfeeEngineService
  • McAfeeFramework
The trojan launches the following processes:
  • cmd /c net stop wscsvc
  • cmd /c net stop SharedAccess
  • cmd /c sc config sharedaccess start= disabled
  • cmd /c cacls %system% /e /p everyone:f
  • cmd /c cacls %temp% /e /p everyone:f
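The Registry entries and process command lines listed above are the observable side of this trojan's persistence and defence-evasion behaviour. The following is an added example, not part of the encyclopedia entry: an offline indicator matcher that takes constructed log records (a registry-set event and process-creation command lines, with field names that are assumptions loosely modelled on Sysmon output) and reports which of the entry's indicators each record matches. The Run key value, the IFEO subkeys and the command lines are taken from the entry; %system% and %temp% are matched as any path argument because logs carry the expanded directory, not the placeholder.

```python
import re

# Indicators copied from the entry. Key paths are compared case-insensitively
# because the registry itself is case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
IFEO_TARGETS = {"360safebox.exe", "360tray.exe"}
RUN_VALUE_NAME = "rstray"
DROPPED_BINARY = "scvhost.exe"  # one letter swapped against the legitimate svchost.exe

# The "cmd /c ..." process list from the entry, as case-insensitive patterns.
# Whitespace is normalised before matching so "start=  disabled" still hits.
COMMAND_PATTERNS = [
    ("stop_security_center", re.compile(r"\bnet\s+stop\s+wscsvc\b", re.I)),
    ("stop_firewall_service", re.compile(r"\bnet\s+stop\s+sharedaccess\b", re.I)),
    ("disable_firewall_service",
     re.compile(r"\bsc\s+config\s+sharedaccess\s+start=\s*disabled\b", re.I)),
    ("grant_everyone_full_control",
     re.compile(r"\bcacls\s+\S+\s+/e\s+/p\s+everyone:f\b", re.I)),
]


def classify_registry(record):
    """Match a registry-set record against the Run key and IFEO indicators."""
    key = record.get("key", "")
    name = record.get("value_name", "").lower()
    data = record.get("value_data", "").lower()
    hits = []
    if (key.lower() == RUN_KEY.lower() and name == RUN_VALUE_NAME
            and data.split("\\")[-1] == DROPPED_BINARY):
        hits.append("run_key_persistence")
    prefix = IFEO_KEY.lower() + "\\"
    if key.lower().startswith(prefix):
        target = key.lower()[len(prefix):]
        # The entry reports the value data as svchost.exe; match on the subkey
        # name plus that data rather than assuming a particular value name.
        if target in IFEO_TARGETS and data == "svchost.exe":
            hits.append("ifeo_entry:" + target)
    return hits


def classify_process(record):
    """Match a process-creation record against the listed command lines."""
    cmd = " ".join(record.get("command_line", "").split())
    return [label for label, pat in COMMAND_PATTERNS if pat.search(cmd)]


def scan(records):
    """Return [(record id, [labels])] for every record matching at least one indicator."""
    findings = []
    for rec in records:
        if rec.get("type") == "registry_set":
            hits = classify_registry(rec)
        elif rec.get("type") == "process_create":
            hits = classify_process(rec)
        else:
            hits = []
        if hits:
            findings.append((rec["id"], hits))
    return findings


# Constructed sample records: two malicious registry writes, one benign one,
# three of the listed commands and one unrelated command.
SAMPLE_RECORDS = [
    {"id": 1, "type": "registry_set", "key": RUN_KEY,
     "value_name": "RsTray", "value_data": r"C:\Windows\System32\scvhost.exe"},
    {"id": 2, "type": "registry_set", "key": RUN_KEY,
     "value_name": "Updater", "value_data": r"C:\Program Files\Example\updater.exe"},
    {"id": 3, "type": "registry_set", "key": IFEO_KEY + r"\360tray.exe",
     "value_name": "360tray.exe", "value_data": "svchost.exe"},
    {"id": 4, "type": "process_create", "command_line": "cmd /c net stop wscsvc"},
    {"id": 5, "type": "process_create",
     "command_line": "cmd /c sc config sharedaccess start=  disabled"},
    {"id": 6, "type": "process_create",
     "command_line": r"cmd /c cacls C:\Windows\System32 /e /p everyone:f"},
    {"id": 7, "type": "process_create", "command_line": "cmd /c dir C:\\"},
]

if __name__ == "__main__":
    for rec_id, labels in scan(SAMPLE_RECORDS):
        print(f"record {rec_id}: {', '.join(labels)}")
```

Run stand-alone it reports records 1, 3, 4, 5 and 6 and stays silent on the benign Run entry and the unrelated command. Matching the Run value on the trailing file name only is deliberate: the entry gives the path as %system%\scvhost.exe, so the check should not depend on the drive or Windows directory letter of the host being examined.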
The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of one URL. It tries to download several files from that address.

The downloaded files are stored in the following location:
  • %filepath%
%filepath% stands for a string with variable content.

The files are then executed.

The trojan may create the following files:
  • %system%\drivers\12youxllsdfierjiernmnsdf.txt
  • %temp%\afc90a.bat