Uploader-S

Type
Trojan
SubType
Win32
Discovery Date
09/08/2004
Length
15,113
Minimum DAT
4390 (09/08/2004)
Updated DAT
4390 (09/08/2004)
Minimum Engine
5.1.00
Description Added
09/08/2004
Description Modified
09/10/2004 4:47 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update September 9th, 2004 --
This threat has been updated to Low-Profiled due to media attention at:
http://www.heise.de/newsticker/meldung/50793

This trojan monitors HTTP access from the victim machine and periodically uploads the collected information to a remote FTP site. It also downloads Backdoor-CIE and kills the processes of many security products.

System Changes:

When run, it creates an "x3yy" directory under the system directory, typically:

  • C:\WINDOWS\system32\x3yy

It then copies itself into the "x3yy" directory under a randomly chosen filename. It adds the following registry value so that it is started again when the system reboots.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    x3yy= (a random filename)

It also drops the following zero-byte files:

  • C:\WINDOWS\system32\op32mp.log
  • C:\WINDOWS\system32\xtempx.xxx

The trojan then drops unic2_32.dll into the system directory, typically:

  • C:\WINDOWS\system32\unic2_32.dll

It loads this DLL to activate the monitoring of HTTP accesses from the victim machine. The DLL periodically writes its results to the following file:

  • C:\Windows\System32\x3yy\_post.log

FTP Upload:

The trojan repeatedly uploads this log file to a remote FTP site. The FTP site details are initially hard-coded in the trojan's file as follows.

ftp server: de.informationlevelone.biz
port: 21

This information is then saved to the registry:

  • HKCU\Software\Microsoft\Internet Explorer\Main\x3yy
      c3fs=(ftp server)
      c3fu=(user)
      c3ft=(password)
      c3fp=(port)

The trojan also periodically fetches "http://allcheapsolutions.com/de.txt" to read updated FTP details and rewrites these registry values accordingly.

Downloading/Killing Processes:

It then repeatedly performs the following:

  • downloads Backdoor-CIE from "http://allcheapsolutions.com/" and executes it.
  • changes the Internet Explorer start page to a blank page.
  • kills the following processes:

    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    ACKWIN32.EXE
    ANTI-TROJAN.EXE
    APVXDWIN.EXE
    ARMOR2NET.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVNT.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    CFINET32.EXE
    CLAW95.EXE
    CLAW95CF.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DVP95.EXE
    DVP95_0.EXE
    ECENGINE.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-AGNT95.EXE
    FINDVIRU.EXE
    FPROT.EXE
    F-PROT.EXE
    F-PROT95.EXE
    FP-WIN.EXE
    FRW.EXE
    F-STOPW.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFACE.EXE
    IOMON98.EXE
    JEDI.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCANW.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NPROTECT.EXE
    NUPGRADE.EXE
    NVC95.EXE
    NVSVC32.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PAVSCHED.EXE
    PAVW.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SAVSCAN.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VET95.EXE
    VETTRAY.EXE
    VSCAN40.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSTAT.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE

Symptoms

  • Existence of the files:
    • C:\WINDOWS\system32\op32mp.log
    • C:\WINDOWS\system32\xtempx.xxx
    • C:\WINDOWS\system32\unic2_32.dll
    • C:\Windows\System32\x3yy\_post.log
  • Existence of the registry entries:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      x3yy=(a random filename)
    • HKCU\Software\Microsoft\Internet Explorer\Main\x3yy
  • Unexpected blank start page of IE.
  • Unexpected termination of the processes listed above.
  • Existence of Backdoor-CIE.
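The dropped files and registry entries listed under System Changes and Symptoms are the host indicators a responder would check for. The following is an added example and not part of the McAfee description: a small Python checker that evaluates those indicators against a snapshot of a host. The HostSnapshot structure, the function names and the two sample snapshots are constructed for illustration, and %SystemRoot% stands in for the C:\WINDOWS location the page gives.

```python
"""Added example (not McAfee's code): match the Uploader-S host indicators
from the description against a snapshot of files and HKCU registry values."""
import ntpath
from dataclasses import dataclass

# Indicators taken from the description; %SystemRoot% replaces C:\WINDOWS.
DROPPED_FILES = [
    r"%SystemRoot%\system32\op32mp.log",
    r"%SystemRoot%\system32\xtempx.xxx",
    r"%SystemRoot%\system32\unic2_32.dll",
    r"%SystemRoot%\system32\x3yy\_post.log",
]
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "x3yy"                      # the data (a random filename) varies
CONFIG_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main\x3yy"
CONFIG_VALUES = ("c3fs", "c3fu", "c3ft", "c3fp")   # server, user, password, port


@dataclass
class HostSnapshot:
    """Hypothetical collector output: existing files and HKCU values."""
    system_root: str        # e.g. r"C:\WINDOWS"
    files: set              # full paths of files that exist on the host
    registry: dict          # key path -> {value name: data}


def _norm_path(path, system_root):
    """Expand %SystemRoot% and normalise for a case-insensitive comparison."""
    return ntpath.normpath(path.replace("%SystemRoot%", system_root)).lower()


def _lookup_key(registry, key_path):
    """Registry keys and value names are case-insensitive on Windows."""
    wanted = key_path.lower()
    for key, values in registry.items():
        if key.lower() == wanted:
            return {name.lower(): data for name, data in values.items()}
    return {}


def assess(snap):
    """Return the Uploader-S indicators present in the snapshot, by kind."""
    findings = {"files": [], "registry": []}
    present = {_norm_path(f, snap.system_root) for f in snap.files}
    for ioc in DROPPED_FILES:
        if _norm_path(ioc, snap.system_root) in present:
            findings["files"].append(ioc)
    run = _lookup_key(snap.registry, RUN_KEY)
    if RUN_VALUE in run:
        data = str(run[RUN_VALUE])
        note = f"{RUN_KEY}\\{RUN_VALUE} = {data}"
        if "\\x3yy\\" in data.lower():
            note += " (points into the x3yy directory)"
        findings["registry"].append(note)
    cfg = _lookup_key(snap.registry, CONFIG_KEY)
    found = [v for v in CONFIG_VALUES if v in cfg]
    if found:
        findings["registry"].append(f"{CONFIG_KEY} holds {', '.join(found)}")
    return findings


def is_infected(snap):
    """Any dropped file or either registry artefact is treated as a hit."""
    f = assess(snap)
    return bool(f["files"] or f["registry"])


# Constructed sample snapshots (not real hosts).
INFECTED = HostSnapshot(
    system_root=r"C:\WINDOWS",
    files={
        r"C:\WINDOWS\System32\op32mp.log",
        r"C:\WINDOWS\system32\x3yy\_post.log",
        r"C:\WINDOWS\system32\kernel32.dll",
    },
    registry={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "x3yy": r"C:\WINDOWS\system32\x3yy\qjxk.exe",   # constructed name
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        },
        r"HKCU\Software\Microsoft\Internet Explorer\Main\x3yy": {
            "c3fs": "ftp.example.invalid", "c3fp": "21",    # placeholder server
        },
    },
)
CLEAN = HostSnapshot(
    system_root=r"C:\WINDOWS",
    files={r"C:\WINDOWS\system32\kernel32.dll"},
    registry={
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        },
    },
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, is_infected(snap), assess(snap))
```

Run it directly to print the findings for both samples; on a live Windows host a collector would fill the snapshot from the file system and HKCU. The Run value is matched on its name alone because the description states the filename it points to is random, so the value name x3yy is the stable part of the persistence entry.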

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Tr/Small.az3 (H+BEDV)
