Win32/Kverzdoor [Threat Name] go to Threat

Win32/Kverzdoor.A [Threat Variant Name]

Category trojan,worm
Size 32768 B
Detection created Jan 12, 2010
Detection database version 4764
Aliases Trojan.Win32.Inject.amhj (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • C:\­RECYCLE\­services.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Taskman" = "C:\­RECYCLE\­services.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "%originalvalue%,C:\­RECYCLE\­services.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­FeatureComponentID]
    • "{54127469-EDAB-56ED-2D69-AC32169C5874}" = "MEDIAPLAYER"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{54127469-EDAB-56ED-2D69-AC32169C5874}]
    • "Locale" = "EN"
    • "Version" = "5,0,2000,15000"
    • "StubPath" = 'rundll32.exe URL.DLL,FileProtocolHandler "C:\­RECYCLE\­services.exe'
    • "ComponentID" = "MEDIAPLAYER"
    • "(Default)" = "Microsoft Windows Media Player"

The trojan may create the following files:

  • C:\­RECYCLE\­Desktop.ini
  • %temp%\­ugrde.exe
Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • volume serial number
  • locale
  • computer name
  • user name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • update itself to a newer version
  • set up a proxy server
  • stop itself for a certain time period
  • perform DoS/DDoS attacks

Please enable Javascript to ensure correct displaying of this content and refresh this page.