Mal/EncPk-NR

Category:	Viruses and Spyware	Protection available since:	09 Feb 2010 00:16:36 (GMT)
Type:	Malicious behavior	Last Updated:	09 Feb 2010 00:16:36 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of Mal/EncPk-NR include:

Example 1

File Information

Size: 269K
SHA-1: 1f9eaba18f84415dc81ec22aca65d2910e0ca2b1
MD5: e46e35a3d0de69e6421db3b93b390a83
CRC-32: 132a8453
File type: application/x-ms-dos-executable
First seen: 2011-01-27

Example 2

Runtime Analysis

Copies Itself To

c:\Documents and Settings\test user\Local Settings\Temp\winupd64x.exe

Registry Keys Created

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winupd64x.exe
C:\DOCUME~1\support\LOCALS~1\Temp\winupd64x.exe
HKCU\Software
fcb39e92-5c9b-4f6f-9765-77b959568acb

Registry Keys Modified

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
0x00000004

Processes Created

c:\windows\system32\net.exe
c:\windows\system32\net1.exe
c:\windows\system32\sc.exe

HTTP Requests

http://70.38.11.165/admin/cgi-bin/check_update.php

IP Connections

70.38.11.165:80

Example 3

Other vendor detection

Avira: TR/Crypt.XPACK.Gen
Kaspersky: Trojan-Downloader.Win32.Onestage.any

Runtime Analysis

Copies Itself To

c:\Documents and Settings\test user\Local Settings\Temp\grdkopkhgykrtpo

Processes Created

c:\windows\system32\regsvr32.exe

HTTP Requests

http://70.38.11.165/admin/cgi-bin/check_update.php
http://strong-av.info/collection.php

IP Connections

70.38.11.165:80

DNS Requests

strong-av.info

Try Sophos products for free
Download now