W32/Perlovga

Type: Virus
SubType: Win32
Discovery Date: 06/06/2006
Length:
Minimum DAT: 4778 (06/06/2006)
Updated DAT: 4778 (06/06/2006)
Minimum Engine: 5.1.00
Description Added: 06/06/2006
Description Modified: 02/20/2007 2:02 AM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low

Overview

This is a virus detection. It may propagate via removable (secondary) storage devices.

Aliases

  • Perlovga.A,Trojan (CA eTrust)
  • TROJ_PERLOVGA.A (Trend Micro)
  • Virus.Win32.Perlovga.a (Kaspersky)
  • W32/Perlovga.A (Fortinet)

Characteristics

File: BindFile.EXE
Hash (MD5): 1d4c07370babee309401a73ebaa64f58
Size: 73,728 bytes

Upon execution, it drops the following files into the user's %system32% folder:

  • File: temp1.exe
    Hash (MD5): a5f8018df4209ae978b0907ce1664ff2
  • File: temp2.exe
    Hash (MD5): f7bd87b88e591e4ac9b3553852740984

temp1.exe frequently opens (accesses) the files listed below:

  • xcopy.exe
  • autorun.inf
  • svchost.exe

temp2.exe opens TCP port 8888 and attempts to connect to the address 211.69.242.91.

Symptoms

Presence of the files shown below in the %system32% folder:

  • temp1.exe
  • temp2.exe

temp2.exe listening on TCP port 8888.
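A host triage check for the symptoms above, written as an added example (it is not McAfee's or the original page's tooling): it looks for temp1.exe and temp2.exe in the System32 folder and distinguishes a hash match (this exact sample) from a name-only match (a variant, or an unrelated file sharing the name), and it parses `netstat -ano` output for the TCP 8888 listener and for any connection to 211.69.242.91. The function names, the netstat-parsing regular expression, the PID values and the sample netstat output are this example's own assumptions and constructed data; the file names, hashes, port and address come from the description.

```python
"""Host triage for the W32/Perlovga indicators listed above.

Added example, not McAfee tooling. It checks the two kinds of symptom the
page gives: the dropped files temp1.exe / temp2.exe in the System32 folder
(compared against the MD5 hashes given for this sample), and the network
indicators (a TCP listener on port 8888, or any connection to
211.69.242.91) read from `netstat -ano` output. The function names, the
netstat parsing and the sample output below are this example's own.
"""
import hashlib
import os
import re
from pathlib import Path

# Indicators taken from the description above.
DROPPED_FILE_MD5 = {
    "temp1.exe": "a5f8018df4209ae978b0907ce1664ff2",
    "temp2.exe": "f7bd87b88e591e4ac9b3553852740984",
}
DROPPER_MD5 = "1d4c07370babee309401a73ebaa64f58"  # BindFile.EXE, 73,728 bytes
BACKDOOR_PORT = 8888
REMOTE_ADDR = "211.69.242.91"


def md5_of(path):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, actual_md5):
    """'hash-match' if the file is exactly this sample, otherwise 'name-only'.

    A name match with a different hash is a weak indicator: it may be a
    variant of the payload or an unrelated file that happens to share the
    name, so it needs confirmation by other means.
    """
    return "hash-match" if actual_md5.lower() == DROPPED_FILE_MD5[name] else "name-only"


def check_dropped_files(system32_dir=None):
    """Return {file name: 'absent' | 'hash-match' | 'name-only'}."""
    if system32_dir is None:
        # On Windows SystemRoot is always set; the fallback path is an assumption.
        system32_dir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    results = {}
    for name in DROPPED_FILE_MD5:
        p = Path(system32_dir) / name
        results[name] = classify(name, md5_of(p)) if p.is_file() else "absent"
    return results


# One data row of `netstat -ano` on Windows: proto, local, foreign, [state], pid.
# UDP rows have no state column, hence the optional group.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)


def check_netstat(netstat_text):
    """Return (kind, pid, row) for rows matching the network indicators:
    kind 'listener' for a TCP socket listening on 8888, 'remote' for a TCP
    socket whose foreign address is 211.69.242.91."""
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, _laddr, lport, faddr, _fport, state, pid = m.groups()
        if proto != "TCP":
            continue
        if state == "LISTENING" and int(lport) == BACKDOOR_PORT:
            hits.append(("listener", int(pid), line.strip()))
        elif faddr == REMOTE_ADDR:
            hits.append(("remote", int(pid), line.strip()))
    return hits


# Constructed `netstat -ano` output (not a real capture). PID 1640 stands in
# for temp2.exe; the remote port is made up, the page does not give it.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.20:1054      211.69.242.91:8888     SYN_SENT        1640
  TCP    192.168.1.20:1060      198.51.100.7:443       ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    712
"""

if __name__ == "__main__":
    import subprocess
    print(check_dropped_files())
    # Live check; the column layout assumed is that of Windows netstat -ano.
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    for kind, pid, row in check_netstat(out):
        print(f"{kind:8} pid={pid}  {row}")
```

Run it on the suspect host as a script; on a non-Windows host the live netstat columns differ, so pass captured Windows output to check_netstat instead. Treat a 'name-only' result as a lead rather than a confirmation, and pair the PID from the netstat hit with the process's image path before acting on it.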

Method of Infection

The virus requires user interaction to propagate.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe-looking file icons, particularly for files received via P2P clients, IRC, email or other media through which users share files.

Additional Windows ME/XP removal considerations

Variants

    N/A