
Virus:Win32/Teazodo.A


First posted on 30 August 2010.
Source: SecurityHome

Aliases :

Virus:Win32/Teazodo.A is also known as Trojan.Generic.4099215 (BitDefender), Trojan.DL.Win32.Undef.rle (Rising AV), Trojan.Win32.Generic!SB.0 (Sunbelt Software).

Explanation :

Virus:Win32/Teazodo.A is a virus that infects executable files. It also drops other malware.
Installation

When run, Virus:Win32/Teazodo.A copies itself as the hidden file "C:\Recycler\{530E6735-313E-4295-94A3-3C3CD09D80EA}.tmp".

Spreads via…

File infection

When run, Virus:Win32/Teazodo.A searches for and infects the Windows file "logonui.exe".

Payload

Drops malware components

Virus:Win32/Teazodo.A checks whether antivirus software is installed on the computer. If antivirus software is installed, it performs the following actions:

  • adds the Temporary Files folder path to the following registry subkey:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
  • drops the following files:
    %TEMP%\{B843D61F-868B-45aa-9C52-3417D05DE1C4}.dll - detected as Trojan:Win32/Teazodo.A!dll
    reloc.dll - detected as Trojan:Win32/Teazodo.A!Copier
  • injects "reloc.dll" into the legitimate process "explorer.exe" and waits for it to perform its malicious routine

If antivirus software is not installed, it performs the following actions:

  • drops the following file:
    %SystemRoot%\afxs.dll - detected as Trojan:Win32/Teazodo.A!dll
  • modifies the legitimate file "logonui.exe" to load the dropped file "afxs.dll"
  • checks whether the "ccSvcHst.exe" process is currently running. If it is, Virus:Win32/Teazodo.A calls the API "ZwSystemDebugControl" to disable the image-loading callback set by the "PsSetLoadImageNotifyRoutine" API
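As an added example (not part of the original write-up), a host-triage check built from the indicators listed above: the hidden .tmp copy in C:\Recycler, the dropped DLLs, the Path change under Session Manager\Environment, and a string heuristic for the patched logonui.exe. The check functions take plain values so they can be exercised on constructed data; the collector at the bottom assumes logonui.exe lives in %SystemRoot%\System32 and only reads the live registry on Windows.

```python
import os
import sys

# Indicators quoted from the write-up above; no other sample details are assumed.
RECYCLER_TMP = r"C:\Recycler\{530E6735-313E-4295-94A3-3C3CD09D80EA}.tmp"
TEMP_DLL = "{B843D61F-868B-45aa-9C52-3417D05DE1C4}.dll"
AFXS_DLL = "afxs.dll"

def _norm(p):
    return p.strip().rstrip("\\").lower()  # Windows paths compare case-insensitively

def win_join(directory, name):
    return directory.rstrip("\\") + "\\" + name  # explicit so it also runs off-Windows

def path_lists_dir(path_value, directory):
    """True if the semicolon-separated Path value names the directory: the write-up
    says the virus appends the Temporary Files folder to the Session Manager
    Environment Path when antivirus software is present."""
    return _norm(directory) in {_norm(p) for p in path_value.split(";") if p.strip()}

def image_names_afxs(image_bytes):
    """Heuristic for the no-antivirus branch: a clean logonui.exe never references
    afxs.dll, so the name appearing in the image suggests the patched loader."""
    return AFXS_DLL.encode() in image_bytes.lower()

def teazodo_findings(existing_files, path_value, temp_dir, system_root, logonui_bytes):
    """Return the indicators observed; inputs are plain values so the logic can be
    exercised with constructed data and reused by a live collector."""
    present = {_norm(f) for f in existing_files}
    checks = [
        (_norm(RECYCLER_TMP) in present, "hidden dropper copy in C:\\Recycler"),
        (_norm(win_join(temp_dir, TEMP_DLL)) in present, "Teazodo.A!dll dropped in %TEMP%"),
        (_norm(win_join(system_root, AFXS_DLL)) in present, "afxs.dll dropped in %SystemRoot%"),
        (path_lists_dir(path_value, temp_dir), "%TEMP% added to the system Path value"),
        (image_names_afxs(logonui_bytes), "logonui.exe references afxs.dll"),
    ]
    return [label for hit, label in checks if hit]

if __name__ == "__main__" and sys.platform == "win32":
    import winreg  # live collector; assumes logonui.exe sits in %SystemRoot%\System32
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\Environment")
    sys_path = os.path.expandvars(winreg.QueryValueEx(key, "Path")[0])
    temp, root = os.environ["TEMP"], os.environ["SystemRoot"]
    candidates = [RECYCLER_TMP, win_join(temp, TEMP_DLL), win_join(root, AFXS_DLL)]
    with open(win_join(root, r"System32\logonui.exe"), "rb") as fh:
        blob = fh.read()
    print(teazodo_findings([c for c in candidates if os.path.exists(c)], sys_path, temp, root, blob))
```

A hit on the Path or logonui.exe heuristics alone warrants a closer look rather than a verdict, since both are cheap indicators and not signatures.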


  • Analysis by Jingli Li

    Last update 30 August 2010
