Sus/Behav-1009

Category: Suspicious Behavior and Files Protection available since:28 Mar 2007 00:00:00 (GMT)
Type: Suspicious file Last Updated:16 Jun 2011 22:06:23 (GMT)

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Summary

Files detected as Sus/Behav-1009 exhibit suspicious behavior.

Detailed analysis

Example behaviors of Sus/Behav-1009 follow:

Example 1

File Information

Size
216K
SHA-1
e2e68b8388ab80df2b2072c245f3e176010cbae0
MD5
4078ba8ba60122d37ba02ddd598740d3
CRC-32
6cd26779
File type
application/x-ms-dos-executable
First seen
2010-09-23

Example 2

File Information

Size
1.3M
SHA-1
d461bc62952a77a73143c3eb6cf69a4ea5caeb90
MD5
a51614add30c5d4bb3990f8bc6834e1d
CRC-32
86718908
File type
application/x-ms-dos-executable
First seen
2010-08-27

Example 3

File Information

Size
66K
SHA-1
cee467490333f950c82e34de954f8364c90636fe
MD5
95cd716ed9384a0b3767eeaa9235e2cc
CRC-32
a698b85c
File type
application/x-ms-dos-executable
First seen
2010-09-10

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\regadit32.exe
Dropped Files
  • F:/AutoRun.inf
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\darkshell
    DisplayName
    darkshell
  • HKLM\SYSTEM\CurrentControlSet\Services\BaekGround Switch\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Services\BaekGround Switch
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\BaekGround Switch\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\darkshell\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\regadit32.exe
  • c:\windows\system32\svchost.exe
DNS Requests
  • lzy790801.3322.org

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy