Mal/Resdro-A

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 09 Mar 2010 07:48:59 (GMT)
Last Updated: 21 Sep 2010 14:12:52 (GMT)


Summary

Files detected as Mal/Resdro-A have been generically identified as malware.

Detailed analysis

Example behaviors of Mal/Resdro-A follow:

Example 1

Other vendor detection

  • Avira: TR/Dldr.Agent.dadz
  • Kaspersky: Trojan-Downloader.Win32.Agent.dadz

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\incognito.exe
Dropped Files
  • C:\Documents and Settings\support\Local Settings\Temp\2.tmp
Processes Created
  • c:\windows\system32\drwtsn32.exe
  • c:\windows\system32\dwwin.exe
  • c:\windows\system32\incognito.exe

Example 2

Other vendor detection

  • Avira: TR/Spy.ZBot.adwp
  • Kaspersky: Trojan-Spy.Win32.Zbot.adwp

Runtime Analysis

Copies Itself To
  • C:\Documents and Settings\support\Local Settings\Temp\incognito.exe
Dropped Files
  • C:\WINDOWS\system32\sdra64.exe
    Size: 572K
    SHA-1: b48893389d1c20ca0232feb263f3783ebcb3019b
    MD5: 9e6f92901cfe6fb74654fa1c21da7e4b
    CRC-32: 8e07b45a
    File type: application/x-ms-dos-executable
    First seen: 2010-09-21
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
Registry Keys Created
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_000247FC
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00024339
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00024694
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 50 c1 c7 4a 97 59 cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    {33373039-3132-3864-6B30-303233343434}
    47 09 f2 0d
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 50 c1 c7 4a 97 59 cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    AppData
Processes Created
  • c:\docume~1\support\locals~1\temp\incognito.exe
HTTP Requests
  • http://www.privatestore.biz/cfg2.bin
DNS Requests
  • www.privatestore.biz

Example 3

Other vendor detection

  • Avira: TR/Agent.dfcv.2
  • Kaspersky: Trojan.Win32.Agent.dfcv
