Examples of Mal/Behav-243 include:
Example 1
File Information
- Size: 44K
- SHA-1: 20f4daa5553315dd854c816fb487f6e633c199f1
- MD5: 21476e110653704af228ca08136bdf20
- CRC-32: eb5660d5
- File type: application/x-ms-dos-executable
- First seen: 2010-08-17
Other vendor detection
- Avira: TR/Lockscr.VE.59392
Runtime Analysis
Copies Itself To
- C:\Documents and Settings\All Users\TempDir\mspro32.scr
Dropped Files
- C:\Documents and Settings\All Users\TempDir\mspro32.scr_ADS_AlternateDataStream_Found_zone.identifier
- C:\Documents and Settings\All Users\TempDir\start.bat
- C:\Documents and Settings\All Users\TempDir\rdb.bat
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - AAPatch = C:\Documents and Settings\All Users\TempDir\start.bat
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - EnableLUA = 0x00000000
Processes Created
- c:\documents and settings\all users\tempdir\mspro32.scr
- c:\windows\system32\cmd.exe
Example 2
File Information
- Size: 98K
- SHA-1: ce503d35f76842e472264b2ba8237714d454e2db
- MD5: 5d350bc9aad88698dfacb99c7115f6b2
- CRC-32: 0d7d952d
- File type: application/x-ms-dos-executable
- First seen: 2010-09-03
Other vendor detection
- Kaspersky: Trojan-Ransom.Win32.XBlocker.apv
Runtime Analysis
Copies Itself To
- C:\Documents and Settings\All Users\Media\kasper_zaebal.exe
Dropped Files
- C:\Documents and Settings\All Users\Media\kasper_zaebal.exe_ADS_AlternateDataStream_Found_zone.identifier
- C:\Documents and Settings\All Users\Media\rdb.bat
Registry Keys Created
- HKLM\SOFTWARE\PdmSoftware
  - Version = 0x000002c8
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - EnableLUA = 0x00000000
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Module = %ALLUSERSPROFILE%\Media\kasper_zaebal.exe
Processes Created
- c:\documents and settings\all users\media\kasper_zaebal.exe
- c:\windows\system32\cmd.exe
HTTP Requests
DNS Requests
Example 3
File Information
- Size: 46K
- SHA-1: 00072f1aa6ea9564c3babca2f874373c40e06bd6
- MD5: 1ed2198bea9caf50f0cbd336505b207a
- CRC-32: 2b10ba76
- File type: application/x-ms-dos-executable
- First seen: 2010-10-15