Mal/MSIL-EX

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 07 Feb 2013 21:31:17 (GMT)
Last Updated: 22 Feb 2013 22:34:39 (GMT)
Prevalence: Small Number of Reports

Examples of Mal/MSIL-EX include:

Example 1

File Information

Size
353K
SHA-1
08c48c51c1d4108a4c57056a3578f30a361d2a42
MD5
9d18c28757b522795293f28a857801ab
CRC-32
627c1143
File type
Windows executable
First seen
2007-07-24

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\panmap.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\supportlog.dat
  • c:\Documents and Settings\test user\Local Settings\Temp\support7
    Size
    8
    SHA-1
    b633306f8f6f419c5ab921908915a3a6f57f9274
    MD5
    4532ca73b43cdb496416161afdf54d68
    CRC-32
    ae5a37c9
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2011-01-24
  • c:\Documents and Settings\test user\Local Settings\Temp\support8
    Size
    8
    SHA-1
    44433e4b84f01737529be9973a2b3574918aa38f
    MD5
    f4fd4ad064cc09a0e3f97af9e0173533
    CRC-32
    405456e5
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-01-16
  • c:\Documents and Settings\test user\Templates\CertPolEng.exe
    Size
    6.5K
    SHA-1
    7590af2b69e9dfaf1cb3e814615181c710f492bc
    MD5
    928c5919d1148abb141d702b7d008e30
    CRC-32
    5686a783
    File type
    Windows executable
    First seen
    2013-01-06
  • C:\WINDOWS\system32\install\Very Bad Blagues.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Policies
    C:\WINDOWS\system32\install\Very Bad Blagues.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM
    C:\WINDOWS\system32\install\Very Bad Blagues.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Policies
    C:\WINDOWS\system32\install\Very Bad Blagues.exe
  • HKCU\Software\Damran
    FirstExecution
    16/01/2013 -- 17:55
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{K58F3W7I-PVR5-2XXF-F13X-6EL3S65O7E16}
    StubPath
    C:\WINDOWS\system32\install\Very Bad Blagues.exe Restart
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU
    C:\WINDOWS\system32\install\Very Bad Blagues.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\panmap.exe
  • c:\Documents and Settings\test user\templates\certpoleng.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\install\very bad blagues.exe
DNS Requests
  • linkin2011.zapto.org

Example 2

File Information

Size
690K
SHA-1
11638659c4aae6205ed9cd4a9f8759bd29bb064f
MD5
3ce21c446960e01df73843567b0e1663
CRC-32
eb77ea57
File type
Windows executable
First seen
2013-01-07

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Software\_ KMS autoactivation.exe
    Size
    176K
    SHA-1
    cca4c956c0ed0afed713a868d01bb7bb67d5c0dc
    MD5
    68decad4f9cb9ef9bded0d544446b9ed
    CRC-32
    a46ba81c
    File type
    Windows executable
    First seen
    2013-01-07
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\software\_ kms autoactivation.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe

Example 3

File Information

Size
309K
SHA-1
1177802296d44ce4baccaae3433c57bd6bf23e16
MD5
ba92bf46eff624ced082ea5c2515b2bf
CRC-32
d682b630
File type
Windows executable
First seen
2007-07-24

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\panmap.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\UuU.uUu
    Size
    8
    SHA-1
    85c6e12b7e4ec07b61dc667b9c1c2e089a5567b3
    MD5
    ba90ac1c55dd342c4616ddc029585abd
    CRC-32
    0cab600c
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2012-12-22
  • c:\Documents and Settings\test user\Application Data\cglogs.dat
  • c:\Documents and Settings\test user\Templates\CertPolEng.exe
    Size
    6.5K
    SHA-1
    7590af2b69e9dfaf1cb3e814615181c710f492bc
    MD5
    928c5919d1148abb141d702b7d008e30
    CRC-32
    5686a783
    File type
    Windows executable
    First seen
    2013-01-06
  • c:\Documents and Settings\test user\Local Settings\Temp\XxX.xXx
    Size
    8
    SHA-1
    21f3b7451b3754985d325a3dea4b0cbd23b553cc
    MD5
    c0a9d4f16af58c827be5bf9fe207419a
    CRC-32
    9c147d9d
    File type
    application/octet-stream
    First seen
    2011-07-11
Registry Keys Created
  • HKCU\Software\nassino02
    NewGroup
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Certificate Policy Engine
    c:\Documents and Settings\test user\Templates\CertPolEng.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\panmap.exe
  • c:\Documents and Settings\test user\templates\certpoleng.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
DNS Requests
  • nassino02.no-ip.biz
