Mal/Behav-321

Category: Viruses and Spyware
Protection available since: 07 Jul 2009 15:41:48 (GMT)
Type: Malicious behavior
Last Updated: 23 Jun 2010 13:41:33 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Behav-321 include:

Example 1

File Information

Size: 82K
SHA-1: 1e50fb821c151dccb607f2526236f3ec9e587a4e
MD5: 6a9722dce4933e25306e8fa96b16fc9d
CRC-32: 32aed127
File type: application/x-ms-dos-executable
First seen: 2010-08-18

Example 2

File Information

Size: 72K
SHA-1: 1ef8606054ccf39e064b870903d0b12be118b818
MD5: b1ea4fa8101178421f7ecb4c5a97524a
CRC-32: 37972176
File type: application/x-ms-dos-executable
First seen: 2010-09-25

Other vendor detection

Avira: TR/Crypt.XPACK.Gen3
Kaspersky: Trojan-Downloader.Win32.Agent.epey

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\kr_done1
    Size: 10
    SHA-1: 224691207fab10ff2be358843a05a3ae99acb124
    MD5: b781219741e6c497bc72218911a9dbc0
    CRC-32: 0d53efd9
    File type: application/octet-stream
    First seen: 2010-09-25
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft
    kr_done1 = 0x4c9e818f
Processes Created
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://futnnlczus.ku2.in/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIW8kaUVyam9zeHk9Tn5DSgIQAkxDUU1bFx0CHQAdCQECHQEABwVEDwgCDA0QCnVwcGUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVofC4yNC9iUUcDAAcKEwkcVA8TXF1dSQRMQ0FMQEJCTktNSloTHwu9sA==/count.htm
  • http://google.com/
DNS Requests
  • futnnlczus.ku2.in
  • google.com

Example 3

File Information

Size: 31K
SHA-1: 4e01db418e00c73e69adbfe7262d006f220998f4
MD5: d375388fb4f62f455409723f1329cecf
CRC-32: 0722d976
File type: application/x-ms-dos-executable
First seen: 2010-09-28

Other vendor detection

Avira: TR/Crypt.XPACK.Gen
Kaspersky: Packed.Win32.Krap.w

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\servises.exe
Dropped Files
  • C:\WINDOWS\system32\_id.dat
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    servises = C:\WINDOWS\system32\servises.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    servises = C:\WINDOWS\system32\servises.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    servises = C:\WINDOWS\system32\servises.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    servises = C:\WINDOWS\system32\servises.exe
HTTP Requests
  • http://91.207.7.234/spm/get_id.php
  • http://91.207.7.234/spm/page.php
IP Connections
  • 91.207.7.234:80
