Sus/GUnkPack-A

Category: Suspicious Behavior and Files
Type: Suspicious file
Protection available since: 15 Sep 2010 08:48:34 (GMT)
Last Updated: 30 Sep 2010 13:25:40 (GMT)


Summary

Files detected as Sus/GUnkPack-A exhibit suspicious behavior.

Detailed analysis

Example behaviors of Sus/GUnkPack-A follow:

Example 1

Other vendor detection

Avira: TR/Dropper.Gen
Kaspersky: Packed.Win32.Tdss.f
Trend: TROJ_FAKEAV.XB

Example 2

Other vendor detection

Avira: TR/Autorun.409637
Kaspersky: Worm.Win32.AutoRun.fvc
Trend: TROJ_VB.HZZ

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\explorer.exe
  • F:/RECYCLER/S-1-6-21-2434476521-1645641927-702000330-1542/redmond.exe
Dropped Files
  • C:\WINDOWS\system32\schost.exe
  • F:/RECYCLER/S-1-6-21-2434476521-1645641927-702000330-1542/Desktop.ini
  • F:/autorun.inf
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\system32\explorer.exe:*:Enabled:Explorer
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    QnX
    C:\WINDOWS\system32\schost.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service
    FailureActions
    0a 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 b8 0b 00 00
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion
    (Default)
    H1UYEEMA[QRspr{gm8;Rhaa}%ktn
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    FailureActions
    0a 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 b8 0b 00 00
  • HKLM\SYSTEM\CurrentControlSet\Services\ERSvc
    FailureActions
    0a 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 b8 0b 00 00
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
    StubPath
    "C:\WINDOWS\system32\schost.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Internet Explorer Updater
    C:\WINDOWS\system32\explorer.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    internet
    09
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\ERSvc
    Start
    0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start
    0x00000004
HTTP Requests
  • http://whatismyip.com/automation/n09230945.asp
DNS Requests
  • bogus.com
  • test.com
  • wibble.com
  • www.whatismyip.com
