Sus/Behav-1000

Category: Suspicious Behavior and Files
Protection available since: 28 Mar 2007 00:00:00 (GMT)
Type: Suspicious file
Last Updated: 08 Jul 2011 17:36:49 (GMT)


Summary

Files detected as Sus/Behav-1000 exhibit suspicious behaviour.

Detailed analysis

Example behaviours of Sus/Behav-1000 follow:

Example 1

File Information

Size: 422K
SHA-1: a8d840d100814782b1b466d1f176867b91185c50
MD5: 777b6b1cda93316830a3ad41ce909890
CRC-32: dad786e5
File type: application/x-ms-dos-executable
First seen: 2010-08-26

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    smss
    C:\WINDOWS\system32\sys\smss.exe
HTTP Requests
  • http://202.49.93.122/images/ttz.gif
  • http://218.9.66.142/picture/ttz.gif
IP Connections
  • 202.49.93.122:80
  • 218.9.66.142:80

Example 2

File Information

Size: 185K
SHA-1: a909c5cdcd41554f7180829594b7bc41379955b8
MD5: b999935f8b4d5d840436e12536688d3f
CRC-32: 91875880
File type: application/x-ms-dos-executable
First seen: 2010-09-03

Other vendor detection

Avira: TR/Dldr.Delphi.Gen

Runtime Analysis

Dropped Files
  • C:\Windows Movie Maker.lnk
  • C:\Volume Control.lnk
  • C:\Help.lnk
  • C:\gVim Read-only.lnk
  • C:\Network Setup Wizard.lnk
  • C:\Accessibility Wizard.lnk
  • C:\Hearts.lnk
  • C:\Tour Windows XP.lnk
  • C:\Pinball.lnk
  • C:\On-Screen Keyboard.lnk
  • C:\System Restore.lnk
  • C:\Calculator.lnk
  • C:\MSN.lnk
  • C:\Notepad.lnk
  • C:\Internet Checkers.lnk
  • C:\Utility Manager.lnk
  • C:\gVim Diff.lnk
  • C:\Scheduled Tasks.lnk
  • C:\WordPad.lnk
  • C:\Program Files\WinPcap\StormII.exe
  • C:\Address Book.lnk
    Size: 774
    SHA-1: 1040c56e1645b05763415661ad45e70ab46139a7
    MD5: 30547369eb3c39b82272c13109bcf3f6
    CRC-32: 804fa952
    File type: application/octet-stream
    First seen: 2010-08-11
  • C:\Windows Explorer.lnk
  • C:\Internet Reversi.lnk
  • C:\Outlook Express.lnk
    Size: 738
    SHA-1: 76cc40efd40860ddbb2a0784d7a39bc8fc6e9bdc
    MD5: 5d67cdcbe9ec2cd2f162b5b575db7c9c
    CRC-32: f745bafa
    File type: application/octet-stream
    First seen: 2010-08-11
  • C:\Internet Spades.lnk
  • C:\Adobe Reader 8.lnk
    Size: 2.4K
    SHA-1: 0268a235bb7f01a93bf7793c0d96c3c473a7c5d6
    MD5: 219f02edccda9d3012a3dfe1e436439e
    CRC-32: fb461dc4
    File type: application/octet-stream
    First seen: 2010-09-03
  • C:\Windows Media Player.lnk
  • C:\Sound Recorder.lnk
  • C:\Freecell.lnk
  • C:\Sophos Endpoint Security and Control.lnk
    Size: 1.7K
    SHA-1: 06ff9c16e62abdf785f4456c6d781c05df67cb58
    MD5: 2529d419fc5fb1812640df019f89ba0d
    CRC-32: 8a26e622
    File type: application/octet-stream
    First seen: 2010-08-20
  • C:\Vim Diff.lnk
  • C:\gVim.lnk
  • C:\System Information.lnk
  • C:\cmd.exe.lnk
  • C:\Remote Assistance.lnk
  • C:\Disk Cleanup.lnk
  • C:\Narrator.lnk
  • C:\Backup.lnk
  • C:\Remote Desktop Connection.lnk
  • C:\Solitaire.lnk
  • C:\Files and Settings Transfer Wizard.lnk
  • C:\New Connection Wizard.lnk
  • C:\Paint.lnk
  • C:\Character Map.lnk
  • C:\Synchronize.lnk
  • C:\HyperTerminal.lnk
  • C:\Network Connections.lnk
  • C:\Config.ini
    Size: 47
    SHA-1: d91a2ea705873a8508909196e5f896841576c5e7
    MD5: e7df29710d9310b03c5b7a0ea9ecbfc8
    CRC-32: fb47ccd7
    File type: application/octet-stream
    First seen: 2010-09-03
  • C:\Sample ActiveX Controls Readme.lnk
    Size: 587
    SHA-1: 8771e24b03d6fd30d1fb4bbfe80640c3bf5d4f19
    MD5: 30441c7b49a6a95d6b85ca81f83e8a28
    CRC-32: 5f312026
    File type: application/octet-stream
    First seen: 2010-08-11
  • C:\gVim Easy.lnk
  • C:\Vim.lnk
  • C:\Wireless Network Setup Wizard.lnk
  • C:\Minesweeper.lnk
  • C:\Internet Backgammon.lnk
  • C:\Vim Read-only.lnk
  • C:\Internet Hearts.lnk
  • C:\Spider Solitaire.lnk
  • C:\Uninstall.lnk
  • C:\Data Sources (ODBC).lnk
  • C:\Magnifier.lnk
  • C:\Command Prompt.lnk
Modified Files
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Pinball.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Hearts.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Hearts.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Paint.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\WordPad.lnk
  • %STARTMENU%\Programs\Outlook Express.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
  • %STARTMENU%\Programs\Sample ActiveX Database\Sample ActiveX Controls Readme.lnk
  • %STARTMENU%\Programs\Accessories\Tour Windows XP.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk
  • %STARTMENU%\cmd.exe.lnk
  • %STARTMENU%\Programs\Remote Assistance.lnk
  • %STARTMENU%\Programs\Accessories\Accessibility\Narrator.lnk
  • %STARTMENU%\Programs\Accessories\Windows Explorer.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Freecell.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Reversi.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Sophos\Sophos Endpoint Security and Control\Sophos Endpoint Security and Control.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk
  • %STARTMENU%\Programs\Accessories\Command Prompt.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Checkers.lnk
  • %STARTMENU%\Programs\Accessories\Entertainment\Windows Media Player.lnk
  • %STARTMENU%\Programs\Accessories\Accessibility\Utility Manager.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim Diff.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim Easy.lnk
  • %STARTMENU%\Programs\Accessories\Accessibility\Magnifier.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Calculator.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Minesweeper.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim Diff.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\gVim Read-only.lnk
  • %STARTMENU%\Programs\Accessories\Address Book.lnk
  • %STARTMENU%\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Solitaire.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Help.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
  • %STARTMENU%\Programs\Accessories\Notepad.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Games\Internet Spades.lnk
  • %STARTMENU%\Programs\Windows Media Player.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Vim 7.0\Vim Read-only.lnk
  • %STARTMENU%\Programs\Accessories\Synchronize.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
DNS Requests
  • ddd.hetodo.com
  • eee.hetodo.com
  • ip.hetodo.com
  • ip1.hetodo.com

Example 3

File Information

Size: 168K
SHA-1: a584e89b30854ac04994597559e8a1d523971aef
MD5: edd17ad15a17dc6540892770915b0b28
CRC-32: b5afb7b6
File type: application/x-ms-dos-executable
First seen: 2010-07-18

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Safetrayacon\
    C:\WINDOWS\system32\sample.exe
Processes Created
  • c:\windows\system32\reg.exe
DNS Requests
  • ddd.hetodo.com
  • eee.hetodo.com
