Virus Profile: New Win32

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/6/2005
Date Added: 1/22/2002
Origin: Unknown
Length: Varies
Type: Virus
Subtype: Win32
DAT Required: 4528
Removal Instructions
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The symptoms of this detection are the files, registry entries, and network communication referenced in the Virus Characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Virus Characteristics

-------------- Updated on March 7, 2005 --------------------
Aliases
  • VBA32 - Trojan.Siscos
  • Ikarus - Packer.RLPack.D
  • Avast - Win32:Malware-gen
  • Avira - TR/Crypt.XPACK.Gen
Characteristics

"New Win32" is a detection for a Trojan that connects to malicious URLs, drops files on the system, adds registry entries, and changes host settings.

Upon execution, the Trojan connects to the following IP addresses.

  • 192.[Removed].255
  • 118.[Removed].139
  • 96.[Removed].57
  • 101.[Removed].119
  • 224.[Removed].22
  • 64.[Removed].33
Upon execution, the Trojan drops files in the following locations.

  • %ProgramFiles%\Windows NT\czrss.exe
  • %SystemDrive%\4382.vbs
The following registry keys are added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protection program
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Qgrhck awatmm
  • HKEY_USERS\S-1-5-[Varies]-500\Software\Microsoft\Windows Script Host
  • HKEY_USERS\S-1-5-[Varies]-500\Software\Microsoft\Windows Script Host\Settings
The following registry values are added or modified on the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SQL数据服务管理启动,停止可能数据异常: "C:\Program Files\Windows NT\czrss.exe"
The value name is GBK-encoded Chinese (reconstructed here from the mis-encoded bytes in the original listing); it reads roughly "SQL data service manager startup; stopping it may cause data errors", so the entry looks like a legitimate database service to anyone browsing the Run key. Because the name is arbitrary, match this indicator on the data (the path to czrss.exe) rather than on the name.
The above registry entry ensures that the Trojan executes every time Windows starts.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protection program\ReleiceName: "Qgrhck awatmm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Qgrhck awatmm\ConnectGroup: "Default"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Qgrhck awatmm\MarkTime: "2013-08-06 19:11"
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
The ReleiceName value is the malware's own spelling and is reproduced as found. The Internet Settings values above also exist on clean hosts; treat them as corroborating evidence alongside the dropped files and service keys, not as a detection on their own.
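The indicators listed above can be swept for offline, for example over registry exports collected from many hosts. The following script is an added example, not McAfee's code and not part of the original profile: it parses a registry export in the "Windows Registry Editor Version 5.00" text format (what `reg export` writes) together with a list of file paths seen on the host, and reports which of the profile's dropped files, service keys, Run-key persistence, Windows Script Host settings and Internet Settings values are present. The function names `parse_reg_export` and `sweep`, the SID, the Run value name "SQL Service" and the whole sample export are constructed for illustration; the real sample uses the Chinese value name given above, which is why persistence is matched on the data (czrss.exe) rather than on the name.

```python
"""Offline IOC sweep for the "New Win32" characteristics listed above.

Added example; not McAfee's code. Input is a .reg text export (decode the
file written by `reg export` as UTF-16 before passing it in) plus a list
of file paths found on the host.
"""
import re
from typing import Dict, List

# Indicators from the profile (compared case-insensitively).
DROPPED_FILES = (r"\windows nt\czrss.exe", r":\4382.vbs")       # %ProgramFiles%, %SystemDrive%
ROGUE_SERVICES = (r"\services\protection program", r"\services\qgrhck awatmm")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
WSH_SETTINGS = r"\software\microsoft\windows script host\settings"
PROXY_VALUES = {"proxyenable", "proxybypass", "intranetname", "uncasintranet"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Covers [key] headers, "name"=data and @=data lines; hex(...) data that
    wraps with trailing backslashes is joined first. Deletion entries
    ([-HKEY...]) are skipped. String data is unquoted and unescaped.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)          # join continuation lines
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]
            if current is not None:
                keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"'):                    # .reg strings double their backslashes
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def sweep(reg: Dict[str, Dict[str, str]], files: List[str]) -> Dict[str, List[str]]:
    """Return the profile's indicators found in the export and file list, by category."""
    hits: Dict[str, List[str]] = {
        "dropped_file": [], "run_persistence": [], "rogue_service": [],
        "wsh_settings": [], "proxy_setting": [],
    }
    for path in files:
        if path.lower().endswith(DROPPED_FILES):
            hits["dropped_file"].append(path)
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(ROGUE_SERVICES):
            hits["rogue_service"].append(key)
        if k.endswith(WSH_SETTINGS):
            hits["wsh_settings"].append(key)
        if k.endswith(RUN_KEY):
            # Match on the dropped EXE, since the value name varies.
            for name, data in values.items():
                if "czrss.exe" in data.lower():
                    hits["run_persistence"].append(f"{name} = {data}")
        if "\\internet settings" in k:
            # Present on clean hosts too: corroborating evidence only.
            for name in values:
                if name.lower() in PROXY_VALUES:
                    hits["proxy_setting"].append(f"{key}\\{name}")
    return hits


# Constructed sample export: SID, "SQL Service" name and values are illustrative.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SQL Service"="C:\\Program Files\\Windows NT\\czrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protection program]
"ReleiceName"="Qgrhck awatmm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Qgrhck awatmm]
"ConnectGroup"="Default"
"MarkTime"="2013-08-06 19:11"

[HKEY_USERS\S-1-5-21-1000-2000-3000-500\Software\Microsoft\Windows Script Host\Settings]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
"""

# Constructed file listing for the same host.
SAMPLE_FILES = [
    r"C:\Program Files\Windows NT\czrss.exe",
    r"C:\4382.vbs",
    r"C:\WINDOWS\system32\ctfmon.exe",
]


def run_sample() -> Dict[str, List[str]]:
    return sweep(parse_reg_export(SAMPLE_EXPORT), SAMPLE_FILES)


if __name__ == "__main__":
    for category, found in run_sample().items():
        print(f"{category}: {found}")
```

On a live host, `reg export HKLM hklm.reg` and `reg export HKU hku.reg` produce the input; the files are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"` before calling `parse_reg_export`. The two service keys and the dropped files are the strongest indicators; a Run value pointing at czrss.exe confirms the persistence described above, while the Internet Settings values only corroborate.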

-------------- Updated on March 7, 2005 --------------------

This is a heuristic detection which indicates that a file is possibly a Win32 virus. Win32 stands for 32-bit Windows and includes Windows 95, 98, NT, 2000, XP, ME, etc. Ensure that you are using the latest engine and DATs, and send a copy of the file to AVERT if it is still detected as "New Win32".

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
