Mal/DotNetRes-A

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 09 Feb 2013 04:37:09 (GMT)
Last Updated: 09 Feb 2013 04:37:09 (GMT)


Examples of Mal/DotNetRes-A include:

Example 1

File Information

Size: 779K
SHA-1: 18b770641601d7a97fd360e7c5a03ec9db3a804e
MD5: 542e7e8660577dbcefdc6ff8f7178cc6
CRC-32: 27ded300
File type: Windows executable
First seen: 2012-08-05

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\UuU.uUu
    Size: 8
    SHA-1: 31f7c02116739f43c787e8d8e13c8fc0dd751fb2
    MD5: e1cc0fc308779fd0833d3978d2b70460
    CRC-32: 2eefee07
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2013-02-08
  • c:\Documents and Settings\test user\Local Settings\Temp\XxX.xXx
    Size: 8
    SHA-1: e0ed4d1268e1683a34b0a3a9e21c802573b23cee
    MD5: 229b9b03cc044940264ad4f37fd07d82
    CRC-32: 59e8de91
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2012-08-16
  • c:\Documents and Settings\test user\Application Data\logs.dat
    Size: 271
    SHA-1: 808ec0f493388b0a402250b3c231525f8068be58
    MD5: 145c2e2b39c452b68dac106a87415fb6
    CRC-32: e375ab9f
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2013-02-08
  • c:\Documents and Settings\test user\Application Data\hd crack.txt
    Size: 452
    SHA-1: 4ab98fdbea950931db3ab7edc8a858fb607cb9e6
    MD5: a8f6a8f88788f2f2742ec2d571cb2d37
    CRC-32: 6d5ffeeb
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2012-08-05
Modified Files
  • %SYSTEM%
    • Set the readonly, hidden and system flags
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Services: C:\WINDOWS\system32\win32.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Services: C:\WINDOWS\system32\win32.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Win32: C:\WINDOWS\system32\win32.exe
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B70210F1-H134-UR8L-3QY2-7VP53FW8PH7W}
    StubPath: C:\WINDOWS\system32\win32.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Win32: C:\WINDOWS\system32\win32.exe
  • HKCU\Software\norival
    FirstExecution: 08/02/2013 -- 19:23
Processes Created
  • c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\system32\notepad.exe
  • c:\windows\system32\win32.exe
DNS Requests
  • norival.no-ip.biz

Example 2

File Information

Size: 696K
SHA-1: 60c6ccb09880a3b8ab3a79707258c4f734a8937e
MD5: 2d3848f6951911417d2e509502fd9ebf
CRC-32: 25d075de
File type: Windows executable
First seen: 2012-08-05

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\IMAG1055.JPG
    Size: 101K
    SHA-1: e5e52b5ab0fdeeeabed47212eaa3a66098199220
    MD5: e31332b174fd76111d8917c64460fb49
    CRC-32: 54dee44b
    File type: JPEG Interchange Format
    First seen: 2012-08-06
Modified Files
  • %WINDOWS%
    • Set the hidden and system flags
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Svost: C:\WINDOWS\Svost.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Svost.exe
Processes Created
  • c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\svost.exe
  • c:\windows\system32\attrib.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\rundll32.exe

Example 3

File Information

Size: 2.1M
SHA-1: 836c782f2d4f1b8953e6cd5aa3623548eae13949
MD5: 235b44f197dfae0dd13aa715ec6cf5f8
CRC-32: 37c76d8f
File type: Windows executable
First seen: 2012-08-05

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\javalk.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\jusched.log
    Size: 53
    SHA-1: 7a7be37c177d9881490f88d7fda8e1845a1895cf
    MD5: b033b27509c60af794f5fa8a3e99dd2d
    CRC-32: 34dbe512
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2012-08-06
  • c:\Documents and Settings\test user\Application Data\javalk.exe_ADS_AlternateDataStream_Found_zone.identifier
    Size: 28
    SHA-1: 660144ed130e034d738d8fcfacf9a3716447013a
    MD5: 52266075b9cadf4377b74118cb899548
    CRC-32: 44a25efe
    File type: Configuration Data File (generic)
    First seen: 2011-03-26
  • c:\Documents and Settings\test user\Application Data\fp.txt
    Size: 29
    SHA-1: cd17007016116a412c21049e58093856b2829a12
    MD5: 234baee1606d7db3c8a330578cee8723
    CRC-32: edd3ef23
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2012-08-06
  • c:\Documents and Settings\test user\Local Settings\Temp\jx.exe
    Size: 872K
    SHA-1: c8d1a4b74fd774718ad5d2210e5db1a8c57f931c
    MD5: f6167efc4d1ef0d0e2739a521f6c87d0
    CRC-32: f96beff4
    File type: Windows executable
    First seen: 2012-05-28
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    javams: c:\Documents and Settings\test user\Application Data\javalk.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\jx.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • essstzttztz.zapto.org
  • javadl-esd.sun.com
