TSPY_GEDDEL.EVL
Posted: April 18, 2012
Threat Metric
The fields shown on the Threat Meter, each of which carries a specific value, are explained in detail below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level reflects the threat's consistently assessed behaviors as collected by SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from the infected PCs recorded in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a popular threat, but that threat may or may not have infected a large number of systems; a threat with a high detection count can lie dormant and have a low volume count. The Volume Count criteria are relative to the daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal symbol, represents the direction of a particular threat's recent movement. An up arrow represents an increase, a down arrow represents a decline and the equal symbol represents no change in the threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in how frequently a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path, which determines whether the percentage represents a rise or a decline.
| Threat Level: | 2/10 |
|---|---|
| Infected PCs: | 8 |
| First Seen: | April 18, 2012 |
| OS(es) Affected: | Windows |
TSPY_GEDDEL.EVL is a Trojan installed by a Trojan dropper, TROJ_MDROP.GDL, which is distributed through mass-mailed e-mail messages. The standard templates for TROJ_MDROP.GDL and TSPY_GEDDEL.EVL pretend to contain exclusive news about the scandal surrounding Bo Xilai (a senior member of China's Communist Party); besides dropping a genuine text document, TROJ_MDROP.GDL also drops TSPY_GEDDEL.EVL by exploiting the CVE-2012-0158 vulnerability. Avoiding suspicious e-mail attachments and keeping your software updated can help to prevent TSPY_GEDDEL.EVL from being installed on your computer, but SpywareRemove.com malware experts note that TSPY_GEDDEL.EVL displays no visible symptoms after installation and is difficult to detect without a dedicated anti-malware program. As spyware designed to steal identity, financial or account-related information for criminal purposes, TSPY_GEDDEL.EVL is a high-level danger to your PC's privacy at all times.
When Some Light Reading Turns Out to Be TSPY_GEDDEL.EVL
TSPY_GEDDEL.EVL is installed with a little help from TROJ_MDROP.GDL, which is distributed disguised as a .doc file. In fact, TROJ_MDROP.GDL is a specially crafted .rtf file that takes advantage of the CVE-2012-0158 vulnerability using an embedded .exe. After TROJ_MDROP.GDL's file is opened, your PC ends up hosting both a dummy text document and TSPY_GEDDEL.EVL, with no obvious symptoms that the latter is on your hard drive at all. Since Microsoft has issued a patch for this vulnerability, SpywareRemove.com malware analysts advise you to install it if you don't have it already and are running an operating system that's vulnerable to this attack. Vulnerable OSes include Windows XP, Windows Server 2003 and Windows 2000.
Because TSPY_GEDDEL.EVL will not be installed unless you intentionally open TROJ_MDROP.GDL, SpywareRemove.com malware experts also encourage you to follow basic PC security practices whenever you interact with unusual e-mail messages. Similar PC threats that also rely on e-mail-delivered RTF Trojans are being distributed with slightly different spins on the same scam, and all of them should be deleted immediately to avoid infection by TSPY_GEDDEL.EVL, remote access tools and other PC threats.
Why Avoiding TSPY_GEDDEL.EVL is Easier than Removing TSPY_GEDDEL.EVL Once and for All
TSPY_GEDDEL.EVL's primary purpose is to steal personal information from your PC; however, TSPY_GEDDEL.EVL's secondary characteristics make it exceptionally difficult to detect or delete, which is why SpywareRemove.com malware analysts encourage the use of anti-malware applications whenever TSPY_GEDDEL.EVL is suspected to be present. Other traits of a typical TSPY_GEDDEL.EVL infection include:
- Unusual behavior or resource usage from the explorer.exe process, into which TSPY_GEDDEL.EVL injects its code to conceal its activity.
- The presence of some of TSPY_GEDDEL.EVL's components in your Windows and Application Data directories.
- Problems with anti-virus and security programs. TSPY_GEDDEL.EVL will try to block applications such as AntiVir, Kingsoft Corporation products and Norton AntiVirus so that removing TSPY_GEDDEL.EVL is more difficult than usual. Despite this, TSPY_GEDDEL.EVL should be deleted safely by appropriate anti-malware products, although you may have to disable TSPY_GEDDEL.EVL before you can launch a system scan.
SpywareRemove.com malware researchers have additionally acknowledged that TSPY_GEDDEL.EVL has keylogging capabilities, and recommend that you take suitable safety measures to protect any keyboard-typed information after you've deleted TSPY_GEDDEL.EVL.
Technical Details
File System Modifications
The following files were created on the system:
- `%System Root%\Documents and Settings\All Users\Application Data\Windows NT\Support\{numbers}.kb` (Group: Malware file)
- `%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpIndex.sbr` (Mime Type: unknown/sbr; Group: Malware file)
- `%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpKey.cfg` (Mime Type: unknown/cfg; Group: Malware file)
- `%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpConfig.log` (Mime Type: unknown/log; Group: Malware file)
- `%System Root%\Documents and Settings\All Users\Application Data\Windows NT\common.cfg` (Mime Type: unknown/cfg; Group: Malware file)
- `%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpKey.sbr` (Mime Type: unknown/sbr; Group: Malware file)
- `%System Root%\WINDOWS\fxsst.dll` (File type: Dynamic link library; Mime Type: unknown/dll; Group: Malware file)
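The file paths above are the indicators a defender can check a host or a collected file listing against. The following script is an added example, not code from SpywareRemove.com or from any product it mentions: it turns each listed path into a full-path, case-insensitive pattern, expands the page's `%System Root%` placeholder to a drive letter (assumed to be `C:` by default) and its `{numbers}` placeholder to a run of digits, and reports which entries of a file listing match. The listing it runs over is constructed for the example. Matching on the full path rather than the file name matters for the last indicator: the page lists `fxsst.dll` directly under the Windows directory, so a file of the same name elsewhere is not the indicator given here.

```python
import re
from typing import List, Pattern, Tuple

# Indicator paths copied from the page's "File System Modifications" list.
# "{numbers}" is the page's own placeholder for a numeric file name.
INDICATORS = [
    r"%System Root%\Documents and Settings\All Users\Application Data\Windows NT\Support\{numbers}.kb",
    r"%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpIndex.sbr",
    r"%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpKey.cfg",
    r"%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpConfig.log",
    r"%System Root%\Documents and Settings\All Users\Application Data\Windows NT\common.cfg",
    r"%System Root%\Documents and Settings\All Users\Application Data\Windows NT\NtHelpKey.sbr",
    r"%System Root%\WINDOWS\fxsst.dll",
]


def indicator_to_regex(indicator: str, system_root: str = "C:") -> Pattern:
    """Turn one indicator path into an anchored, case-insensitive regex.

    %System Root% becomes the given drive (assumed "C:" by default) and the
    page's {numbers} placeholder becomes one or more digits. Every other
    character is matched literally, so the same file name in a different
    directory is not a hit.
    """
    resolved = indicator.replace("%System Root%", system_root)
    # Escape the literal pieces separately, then rejoin them with \d+.
    pieces = resolved.split("{numbers}")
    body = r"\d+".join(re.escape(piece) for piece in pieces)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def match_indicators(observed_paths: List[str],
                     system_root: str = "C:") -> List[Tuple[str, str]]:
    """Return (observed_path, indicator) pairs for each path that matches.

    Each observed path is reported at most once, against the first indicator
    it matches.
    """
    compiled = [(ind, indicator_to_regex(ind, system_root)) for ind in INDICATORS]
    hits: List[Tuple[str, str]] = []
    for path in observed_paths:
        for ind, rx in compiled:
            if rx.match(path):
                hits.append((path, ind))
                break
    return hits


# Constructed sample listing: three of the page's indicators plus entries that
# share a name or extension but sit in a different directory or lack the
# numeric name the page describes.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\All Users\Application Data\Windows NT\Support\20120418.kb",
    r"C:\Documents and Settings\All Users\Application Data\Windows NT\NtHelpKey.cfg",
    r"C:\WINDOWS\fxsst.dll",
    r"C:\WINDOWS\system32\fxsst.dll",  # same name, different directory: not the listed indicator
    r"C:\Documents and Settings\All Users\Application Data\Windows NT\Support\notes.kb",  # not numeric
    r"C:\Program Files\common.cfg",    # same name, different directory
]

if __name__ == "__main__":
    for observed, indicator in match_indicators(SAMPLE_LISTING):
        print(f"HIT {observed}\n    matches {indicator}")
```

Run on the constructed listing, the script reports the first three entries and nothing else. To check a live host, feed `match_indicators` the output of a recursive directory walk and pass the actual system drive as `system_root`; on a 64-bit or post-XP system the `Documents and Settings` prefix will not exist as a real directory, which is itself worth knowing before reading a clean result as proof of absence.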