HPsus/Botta-A

Category: Suspicious Behavior and Files
Type: Suspicious behavior

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Summary

Files detected as HPsus/Botta-A exhibit suspicious behavior.

Detailed analysis

Example behaviors of HPsus/Botta-A follow:

Example 1

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\sysdiag64.exe
  • F:/cold/hott/sysdiag64.exe
Dropped Files
  • F:/cold/hott/Desktop.ini
  • F:/auTORUN.inf
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    MicrosoftCorp
    C:\Windows\sysdiag64.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\sample.exe
    c:\sample.exe:*:Enabled:Windows Messanger
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    sysdiag64.exe
    C:\Windows\sysdiag64.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MicrosoftNAPC
    C:\Windows\sysdiag64.exe
Processes Created
  • c:\windows\sysdiag64.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • justcallmescope.info

Example 2

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\dhvp.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows System Info Serivce
    dhvp.exe
Processes Created
  • c:\windows\dhvp.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
DNS Requests
  • gangbang.mytijn.org

download Try Sophos products for free
Download now

© 1997 - 2013 Sophos Ltd. All rights reserved. Legal Privacy Cookie Information