| Alias/es | Backdoor.MSNMaker.F, Backdoor.Win32.MSNMaker.w, W32/Kelvir.worm.gen |
| Release Date | Sep 25, 2006 |
| Detection Availability | Current Antivirus Definition Database Version: 12.339 |

Description

Visible Symptoms: presence of C:\drsmartload.exe

Detailed Analysis: The malware attempts to connect to the following sites:
- 69.64.38.140
- http://www.uglyphotos.net/
- http://content.dollarrevenue.com/
- http://activex.matcash.com/
- http://apps.deskwizz.com/

and downloads various packages of adware and Trojan-based malware.
Some of the downloaded files are as follows:

- C:\drsmartload.exe
- C:\windows\RDFX4.exe
- C:\drsmartload1.exe
- C:\warebundlenewer.exe
- C:\Installer4.exe
- %SystemDir%\iqmon.dll
- %Windows%\Gck26.exe
- %Systemdir%\lxcalmon.dll
- %Windows%\Downloaded Program Files\speedtest2.dll
- %Program Files%\ToolBar888\MyToolBar.dll
- drsmartload1135a.exe, dropped in the current directory

Several other dropped files appear to be randomly named and are mostly Trojan components.
It applies several registry modifications, mostly related to the adware toolbar components:

- HKEY_CURRENT_USER\Software\Avenue Media
- HKEY_CURRENT_USER\Software\Effective-i
- HKEY_CURRENT_USER\Software\Maxthon
- HKEY_LOCAL_MACHINE\SOFTWARE\System\sysold
- HKEY_CURRENT_USER\Software\MyToolBar
One of its components installs itself as a service using the following registry keys:

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
The malware will spontaneously open instances of Internet Explorer.

The malware usually disguises itself as a shortcut file and is packed with MEW, with an approximate file size of 13,629 bytes.
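A read-only host triage check for the indicators listed in this write-up, added here as an example (not part of the original advisory). It assumes the advisory's %SystemDir%, %Windows% and %Program Files% placeholders map to the local SystemRoot and ProgramFiles environment variables, and it reports findings without deleting anything.

```powershell
# Added example, not part of the original advisory: enumerate which of the
# dropped files, registry keys and services from the write-up exist on this host.
$sysDir  = Join-Path $env:SystemRoot 'System32'   # %SystemDir%
$winDir  = $env:SystemRoot                        # %Windows%
$progDir = $env:ProgramFiles                      # %Program Files%

$files = @(
    'C:\drsmartload.exe', 'C:\windows\RDFX4.exe', 'C:\drsmartload1.exe',
    'C:\warebundlenewer.exe', 'C:\Installer4.exe',
    (Join-Path $sysDir 'iqmon.dll'), (Join-Path $sysDir 'lxcalmon.dll'),
    (Join-Path $winDir 'Gck26.exe'),
    (Join-Path $winDir 'Downloaded Program Files\speedtest2.dll'),
    (Join-Path $progDir 'ToolBar888\MyToolBar.dll')
)
# Keys alone are weak evidence: toolbar vendors' keys can also come from a
# user-installed product, so treat these as corroboration for the file hits.
$regKeys = @(
    'HKCU:\Software\Avenue Media', 'HKCU:\Software\Effective-i',
    'HKCU:\Software\Maxthon', 'HKCU:\Software\MyToolBar',
    'HKLM:\SOFTWARE\System\sysold'
)
$services = @('cmdService', 'Network Monitor')

$findings = New-Object System.Collections.Generic.List[object]
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $f; Detail = "$len bytes" })
    }
}
# The dropper also appears with a numeric suffix (drsmartload1135a.exe), so
# sweep the drive root for the prefix rather than relying on exact names.
Get-ChildItem -LiteralPath 'C:\' -Filter 'drsmartload*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $files -notcontains $_.FullName } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $_.FullName; Detail = "$($_.Length) bytes" }) }
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Indicator = $k; Detail = '' })
    }
}
foreach ($s in $services) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    if (Test-Path -LiteralPath $svcKey) {
        # ImagePath tells the analyst which dropped binary the service runs.
        $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings.Add([pscustomobject]@{ Type = 'Service'; Indicator = $s; Detail = "ImagePath=$img" })
    }
}
if ($findings.Count -eq 0) { Write-Output 'No indicators from this advisory found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM service keys and the Program Files directory are readable; a file hit near 13,629 bytes is consistent with the MEW-packed dropper described above.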
Description Last Updated Date: Sep 30, 2006
Reference: ID - 292509