Home / malware Virus:Win32/Teazodo.A
First posted on 30 August 2010.
Source: SecurityHomeAliases :
Virus:Win32/Teazodo.A is also known as Trojan.Generic.4099215 (BitDefender), Trojan.DL.Win32.Undef.rle (Rising AV), Trojan.Win32.Generic!SB.0 (Sunbelt Software).
Explanation :
Virus:Win32/Teazodo.A is a virus that infects executable files. It also drops other malware.
Top
Virus:Win32/Teazodo.A is a virus that infects executable files. It also drops other malware. Installation When run, Virus:Win32/Teazodo.A copies itself as the hidden file "C:\Recycler\{530E6735-313E-4295-94A3-3C3CD09D80EA}.tmp". Spreads via€¦ File infection When run, Virus:Win32/Teazodo.A searches for and infects the Windows file "logonui.exe". Payload Drops malware components Virus:Win32/Teazodo.A checks if antivirus software is installed in the computer. If antivirus software is installed, it performs the following actions:adds the Temporary Files folder path to the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Pathdrops the following files: %TEMP%\{B843D61F-868B-45aa-9C52-3417D05DE1C4}.dll - detected as Trojan:Win32/Teazodo.A!dll reloc.dll - detected as Trojan:Win32/Teazodo.A!Copierinjects "reloc.dll" into the legitimate process "explorer.exe" and waits for it to performs its malicious routine If antivirus software is not installed, it performs the following action:drops the following file: %SystemRoot%\afxs.dll - detected as Trojan:Win32/Teazodo.A!dllmodifies the legitimate files "logonui.exe" to load the dropped file "afxs.dll". checks if the "ccSvcHst.exe" process is currently running. If it is, Virus:Win32/Teazodo.A calls the API "ZwSystemDebugControl" to disable the image-loading callback set by the "PsSetLoadImageNotifyRoutine" API
Analysis by Jingli LiLast update 30 August 2010
