Examples of Mal/FakeAV-DO include:
Example 1
File Information
- Size: 972K
- SHA-1: 00037b23a02d0050af0dfde92b8fa9e2d5b7b96c
- MD5: c46ede970923374c6e161b7c2bc6812e
- CRC-32: 949f191c
- File type: application/x-ms-dos-executable
- First seen: 2010-10-26
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Local Settings\Application Data\2719499369.exe
Dropped Files
- c:\Documents and Settings\test user\Start Menu\Programs\Security Tool.lnk
  - Size: 846
  - SHA-1: 0d9237eeebf664a5d57b9fa78ce66d1e92147b73
  - MD5: e7d6416987820ae89fd5c88402a217fb
  - CRC-32: d9eaea6c
  - File type: application/octet-stream
  - First seen: 2010-10-26
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - 2719499369 = "C:\DOCUME~1\support\LOCALS~1\APPLIC~1\2719499369.exe" 0 40
Processes Created
- c:\docume~1\support\locals~1\applic~1\2719499369.exe
- c:\windows\system32\cmd.exe
- c:\windows\system32\reg.exe
HTTP Requests
- http://194.28.113.245/cb_soft.php
IP Connections
Example 2
File Information
- Size: 175K
- SHA-1: 0005218f5af709d7de1d53c45bb6be3935c091c5
- MD5: 5aa58cdb2276142c8fc46877245d89bb
- CRC-32: 5a48aa5e
- File type: application/x-ms-dos-executable
- First seen: 2011-02-04
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Local Settings\Temp\csrss.exe
Dropped Files
- c:\Documents and Settings\test user\Application Data\337E.A1A
  - Size: 1.2K
  - SHA-1: 7a2e78b077087a770f7171614a063280d3b1a60d
  - MD5: 8b5e3cd5fac11988989804bfe351e926
  - CRC-32: 38058176
  - File type: application/octet-stream
  - First seen: 2011-02-04
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - ProxyServer = http=127.0.0.1:59939
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - conhost = c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
Registry Keys Modified
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  - load = C:\DOCUME~1\support\LOCALS~1\Temp\csrss.exe
- HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
  - ProxyEnable = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - ProxyEnable = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - DefaultConnectionSettings = 3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 39 39 33 39 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
- HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
  - ProxyEnable = 0x00000001
Processes Created
- c:\docume~1\support\locals~1\temp\2.exe
HTTP Requests
- http://bigblueonline.com/images/i13.jpg
- http://protoolreviews.com/images/111.jpg
- http://thebestpageintheuniverse.net/d.cgi
- http://zonere.com/images/im133.jpg
- http://zonetk.com/images/im133.jpg
DNS Requests
- bigblueonline.com
- offlineservermonitoring.com
- protoolreviews.com
- thebestpageintheuniverse.net
- zonere.com
- zonetf.com
- zonetk.com
Example 3
File Information
- Size: 181K
- SHA-1: 0017ee025e2e50cbc24878693df0c79e2404a7de
- MD5: 688f41859bf88f0d8f5b751cdc5d78aa
- CRC-32: aff76141
- File type: application/x-ms-dos-executable
- First seen: 2011-01-22
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Application Data\dwm.exe
Dropped Files
- c:\Documents and Settings\test user\Application Data\337E.A1A
  - Size: 900
  - SHA-1: 65d8e85673de77d84fd624af0bd856585b7642e7
  - MD5: 044d88ad4b3b0e848da445a4121f24c1
  - CRC-32: f1ed8bee
  - File type: application/octet-stream
  - First seen: 2011-01-22
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - conhost = c:\Documents and Settings\test user\Application Data\Microsoft\conhost.exe
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Shell = explorer.exe,c:\Documents and Settings\test user\Application Data\dwm.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - ProxyServer = http=127.0.0.1:57980
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - DefaultConnectionSettings = 3c 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00 68 74 74 70 3d 31 32 37 2e 30 2e 30 2e 31 3a 35 37 39 38 30 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 88 73 da f3 98 ca 01 01 00 00 00 ac 10 00 06 00 00 00 00 00 00 00 00
- HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
  - ProxyEnable = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - ProxyEnable = 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
  - ProxyEnable = 0x00000001
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  - load = C:\DOCUME~1\support\LOCALS~1\Temp\csrss.exe
Processes Created
- c:\documents and settings\support\application data\microsoft\conhost.exe
- c:\docume~1\support\locals~1\temp\2.exe
- c:\docume~1\support\locals~1\temp\3.exe
HTTP Requests
- http://136136.com/LB5000/CGI-BIN/s.cgi
- http://sharewareconnection.com/im/s.cgi
- http://zonedg.com/images/im133.jpg
- http://zoneij.com/images/im133.jpg
DNS Requests
- 136136.com
- sharewareconnection.com
- zonedg.com
- zoneij.com
- zonetf.com