
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


tnegA.A

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

tnegA.A carries out the following actions:

  • It connects to the server 64.2<blocked>172 through port 8080. This gives the attacker remote access to the computer and allows actions that compromise user confidentiality.
  • It prevents users from accessing a long list of websites belonging to several antivirus companies and other security-related organisations.
  • It prevents users from running the following monitoring and computer configuration programs:
    Windows Registry Editor
    Ethereal
    HijackThis
    ProcessExplorer
    RegistryMonitor

Infection strategy

tnegA.A creates the following files in a subfolder with a random name in the Windows system directory:

  • CSRSS.EXE, which is a copy of the backdoor.
  • CSRSS.INI, where it stores the configuration options.

Additionally, it creates the following files:

  • NETSTAT.COM and TASKKILL.COM, in the Windows system directory. These share their base name with the system's NETSTAT.EXE and TASKKILL.EXE. When a command is typed without an extension, Windows resolves it following the order COM, then EXE, then BAT, so the decoy COM files run instead of the legitimate system tools, and users can no longer use them.
  • CSRSS.LNK in the StartUp directory. This way, it ensures that it is run whenever Windows is started.


tnegA.A modifies the HOSTS file so that certain antivirus programs cannot be updated: the corresponding websites are redirected to the local IP address 127.0.0.1.
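As an added example (not part of the original encyclopedia entry), the following Python checks for the two tampering techniques described above: security-vendor hostnames redirected to a loopback address in the HOSTS file, and .COM decoys placed beside system .EXE tools so that they win the COM/EXE/BAT resolution order. The watch list, the sample HOSTS content and the directory listing are constructed for the demonstration.

```python
# Security-vendor domains that tnegA.A points at 127.0.0.1 in HOSTS (a subset
# of those named on this page, used here as the watch list).
WATCHED_DOMAINS = {
    "kaspersky.com", "symantec.com", "mcafee.com", "sophos.com",
    "pandasoftware.com", "trendmicro.com", "support.microsoft.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def find_hosts_hijacks(hosts_text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs from a HOSTS file that send a watched
    domain, or any of its subdomains, to a loopback/null address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            name = name.lower().rstrip(".")
            # "localhost" -> 127.0.0.1 is normal; a watched vendor domain is not
            if any(name == d or name.endswith("." + d) for d in watched):
                hits.append((name, ip))
    return hits


def find_com_shadows(filenames):
    """Given a directory listing, return .COM files whose base name matches an
    .EXE in the same directory: typed without an extension, the .COM runs first."""
    names = {n.lower() for n in filenames}
    exes = {n[:-4] for n in names if n.endswith(".exe")}
    return sorted(n for n in names if n.endswith(".com") and n[:-4] in exes)


# Constructed sample data (not from the page): a tampered HOSTS file and a
# system-directory listing that contains the two decoy .COM files.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 kaspersky.com www.kaspersky.com
127.0.0.1 liveupdate.symantec.com   # added by malware
0.0.0.0   download.mcafee.com
10.0.0.5  intranet.example.internal
"""
SAMPLE_SYSDIR = ["netstat.exe", "NETSTAT.COM", "taskkill.exe", "TASKKILL.COM",
                 "cmd.exe", "command.com"]

if __name__ == "__main__":
    for host, ip in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {ip}")
    for com in find_com_shadows(SAMPLE_SYSDIR):
        print(f"COM decoy shadowing an EXE: {com}")
```

On a real machine, feed `find_hosts_hijacks` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `find_com_shadows` a listing of the system directory; `command.com` is correctly ignored because no `command.exe` exists beside it.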


tnegA.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run = %sysdir%\%subfolder%\csrss.exe
    where %sysdir% is the Windows system directory and %subfolder% is a subfolder with a random name.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    csrss
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    csrss

    By creating these entries, tnegA.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    NoAdminPage = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
    Enabled = 01, 00, 00, 00

    By creating this entry, tnegA.A disables the antiphishing filter of Internet Explorer 7.


tnegA.A modifies the following entries of the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 02, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 00, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SuperHidden = 00, 00, 00, 00

    By modifying these entries, tnegA.A ensures that it is run whenever Windows is started.
  • HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default) = regedit.exe "%1"

    It changes this entry to:
    HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default) = "%1"

    By modifying this entry, tnegA.A prevents users from accessing the Windows Registry Editor.

Means of transmission

tnegA.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details

tnegA.A is written in Visual Basic 5. This backdoor is 75,264 bytes in size and is compressed with PecBundle.