Mal/RootKit-A

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: No Reports
Protection available since: 16 Mar 2007 00:00:00 (GMT)
Last Updated: 15 Mar 2011 15:06:07 (GMT)


Examples of Mal/RootKit-A include:

Example 1

File Information

Size
1.5M
SHA-1
243468ec4f3babfe43245cad8751e97f29f974a7
MD5
c13c9559ffb38ded74b437ac5ab10794
CRC-32
b831db41
File type
application/x-ms-dos-executable
First seen
2010-10-22

Runtime Analysis

Dropped Files
  • C:\Program Files\myAC Anti-Ban\myac.dll
  • C:\Program Files\myAC Anti-Ban\myAC\generate.bat
    Size
    24
    SHA-1
    edfa8e0b80fcfc1fb2fc51b1a8ff8a77b3688aa3
    MD5
    0e0b30a3ba7b7c4d624f50edee008851
    CRC-32
    d75d3774
    File type
    application/octet-stream
    First seen
    2010-10-22
  • C:\Program Files\myAC Anti-Ban\myAC\ssleay32.dll
  • C:\Program Files\myAC Anti-Ban\loader.exe
  • C:\Program Files\myAC Anti-Ban\myAC\myAC Anti-Ban 1.0.exe
    Size
    514K
    SHA-1
    fc86c55b8012c1d3187889e220a146ae338ca797
    MD5
    1f0a2bfac1880ef6f4815dad052996c6
    CRC-32
    5ad02499
    File type
    application/x-ms-dos-executable
    First seen
    2010-10-22
  • C:\Program Files\myAC Anti-Ban\myAC\startmyac.bat
    Size
    22
    SHA-1
    894bcf32d669e5bd83e86c3546eaf79c3f23fb1b
    MD5
    26b36a64c280ecbf58d4afbebddf466e
    CRC-32
    e6537873
    File type
    application/octet-stream
    First seen
    2010-10-22
  • C:\Program Files\myAC Anti-Ban\generate.exe
    Size
    372K
    SHA-1
    bc87ac2802ad3b4cfa80cf0f44c4e8dc3fdd1941
    MD5
    ae092b4a93087c6cd883ffb54cf0889d
    CRC-32
    e27fbae6
    File type
    application/x-ms-dos-executable
    First seen
    2010-10-22
  • C:\Program Files\myAC Anti-Ban\myAC\acdev.sys
  • C:\Program Files\myAC Anti-Ban\config.ini
    Size
    98
    SHA-1
    42ef0bbce681b3a7f9c4c9aadeaf690b8a2a2d64
    MD5
    b95081f441efd4a4c79e47c9b7b658c4
    CRC-32
    e4ce6c9a
    File type
    application/octet-stream
    First seen
    2010-10-22
  • C:\Program Files\myAC Anti-Ban\myAC\libssl32.dll
  • C:\Program Files\myAC Anti-Ban\myAC\config.ini
    Size
    73
    SHA-1
    bea862b8e96186a6fbe13ecf404bf599688ce317
    MD5
    9582dede7b9945d76b8b64352ec1d6de
    CRC-32
    c45b240e
    File type
    application/octet-stream
    First seen
    2010-10-22
  • C:\Program Files\myAC Anti-Ban\myAC\myAC.exe
  • c:\Documents and Settings\test user\Desktop\myAC Anti-Ban 1.0.lnk
    Size
    875
    SHA-1
    84796c7c156f4e9f4c25c79285d71edc01cab900
    MD5
    e030836858c8b776f34cf6f8a1113db5
    CRC-32
    fe73a568
    File type
    application/octet-stream
    First seen
    2010-10-22

Example 2

File Information

Size
21K
SHA-1
6c533768aac06069358a0c27fc09638b9a99458d
MD5
1377bf227b12e7b171dc913bf5ac7926
CRC-32
7ba4d4e0
File type
application/x-ms-dos-executable
First seen
2011-03-15

Example 3

File Information

Size
44K
SHA-1
7de47bd9ddc9da73e0f6d4f042c8c43c72369546
MD5
56a2247d0415b0c1911b4985ed96c3e7
CRC-32
83d8ca57
File type
application/x-ms-dos-executable
First seen
2011-02-01

Runtime Analysis

Dropped Files
  • C:\WINDOWS\inf\oem11.inf
  • C:\Program Files\ATI\amdk8.inf
  • C:\Program Files\ATI\amdk8.sys
  • C:\WINDOWS\inf\oem11.PNF
    Size
    9.6K
    SHA-1
    ee9a277790c3e5f065694e6aed3c8f14ae3d48db
    MD5
    144db756d067bccce4f99b68b0a40eff
    CRC-32
    839c5daf
    File type
    application/octet-stream
    First seen
    2011-02-01
Modified Files
  • %SYSTEM%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TimeStamp
Registry Keys Created
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bb49233d-e2d7-4692-b64c-bd1dd4ebe6ab}
    ipsecNegotiationPolicyAction
    {8a171dd3-77e3-11d1-8659-a04f00000000}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{BABF371B-18D4-4494-B750-7765CFAEEE81}
    ClassName
    ipsecFilter
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}
    ipsecDataType
    0x00000100
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7ee82b44-9189-4c7c-908e-9c5eca3164c3}
    ipsecNegotiationPolicyType
    {62f49e13-6c37-11d1-864c-14a300000000}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{da5fbf85-77f7-4ecf-815e-a88eaddf7113}
    ipsecData
    00 ac bb 11 8d 49 d1 11 86 39 00 a0 24 8d 30 21 2a 00 00 00 01 00 00 00 05 00 00 00 02 00 00 00 00 00 fd ff ff ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 00 00 00 05 00 00 00 00 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 02 01 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b2c1fc63-73b3-4eb3-944d-4dbf0da3c2d6}
    ipsecNegotiationPolicyReference
    SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}
    ipsecID
    {f6050147-987a-4592-8d14-e8aee7e77bd4}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}
    ipsecDataType
    0x00000100
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ace3923f-9ce6-42ab-87a6-0d993cd59503}
    ipsecID
    {ace3923f-9ce6-42ab-87a6-0d993cd59503}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{029c5db3-fbc7-4efa-898d-232b78cdf552}
    ipsecDataType
    0x00000100
  • HKLM\SYSTEM\LastKnownGoodRecovery\LastGood
    INF/oem11.PNF
    0x00000001
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
    ActivePolicy
    SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{786FD457-8656-46e8-B360-47F8714289F1}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}
    ClassName
    ipsecISAKMPPolicy
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}
    ipsecDataType
    0x00000100
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b7a55239-7a53-400b-8706-a1fe6619b9b3}
    ipsecNegotiationPolicyReference
    SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7ee82b44-9189-4c7c-908e-9c5eca3164c3}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{61a60364-0aa8-43a7-ab2b-e1252b72b844}
    name
    ipsecNFA{61a60364-0aa8-43a7-ab2b-e1252b72b844}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{786FD457-8656-46e8-B360-47F8714289F1}
    ipsecData
    63 21 20 22 4c 4f d1 11 86 3b 00 a0 24 8d 30 21 04 00 00 00 30 2a 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}
    ipsecOwnersReference
    SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ace3923f-9ce6-42ab-87a6-0d993cd59503} SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b2c1fc63-73b3-4eb3-944d-4dbf0da3c2d6}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
    whenChanged
    0x4b97984c
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}
    ipsecName
    ??? (???)
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}
    whenChanged
    0x46ee3dce
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}
    description
    ??????????????????? ICMP ?,????????Kerberos?RSVP ? ISAKMP (IKE)?
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
    ipsecName
    ????
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}
    ipsecNFAReference
    SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{da5fbf85-77f7-4ecf-815e-a88eaddf7113} SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b2c1fc63-73b3-4eb3-944d-4dbf0da3c2d6} SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b7a55239-7a53-400b-8706-a1fe6619b9b3}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}
    whenChanged
    0x4b97984c
  • HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
    Start
    0x00000002
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}
    ipsecNFAReference
    SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{190a5a1d-db97-48a6-abb8-fc78dafadd38} SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{ace3923f-9ce6-42ab-87a6-0d993cd59503} SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{61a60364-0aa8-43a7-ab2b-e1252b72b844}
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
    ipsecName
    ??
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
    whenChanged
    0x4b97984d
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}
    ipsecName
    ???? (??)
Processes Created
  • c:\windows\system32\sc.exe
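The listings above give hashes, dropped paths and registry changes but no way to act on them. The script below is an added example written for this page (it is not Sophos code and not part of the Virus Removal Tool). It hashes every file under a directory and matches SHA-1 digests against the values printed above or matches the dropped-file paths (a driver named amdk8.sys under C:\Program Files\ATI rather than in the system32\drivers folder is itself worth flagging), and it parses a `reg export` dump to flag the two cheapest registry indicators from Example 3: an ActivePolicy value under IPSec\Policy\Local and the PolicyAgent service set to Start=2. Hash values are copied from the page; the path patterns, the .reg sample text and the temporary files that demo() builds are constructed assumptions, and KNOWN_SHA1 covers only the hashes the page prints (unhashed dropped files such as acdev.sys and amdk8.sys can only be matched by path).

```python
# Added triage helper for the indicators above (example code for this page, not
# Sophos tooling). Hashes are copied from the File Information blocks; the path
# patterns, SAMPLE_REG and the files built in demo() are constructed.
import hashlib
import os
import re
import tempfile
import zlib

KNOWN_SHA1 = {  # SHA-1 digests listed on the page
    "243468ec4f3babfe43245cad8751e97f29f974a7",  # Example 1
    "fc86c55b8012c1d3187889e220a146ae338ca797",  # myAC Anti-Ban 1.0.exe
    "bc87ac2802ad3b4cfa80cf0f44c4e8dc3fdd1941",  # generate.exe
    "6c533768aac06069358a0c27fc09638b9a99458d",  # Example 2
    "7de47bd9ddc9da73e0f6d4f042c8c43c72369546",  # Example 3
    "ee9a277790c3e5f065694e6aed3c8f14ae3d48db",  # oem11.PNF
}
# Path indicators from the Dropped Files lists (assumption: the names are fixed),
# matched case-insensitively after normalising separators to '\'.
PATH_PATTERNS = [
    re.compile(r"\\myAC Anti-Ban\\", re.I),
    re.compile(r"\\Program Files\\ATI\\amdk8\.(sys|inf)$", re.I),  # .sys outside system32\drivers
    re.compile(r"\\inf\\oem11\.(inf|pnf)$", re.I),
]
# Registry keys from Example 3, in `reg export` (HKEY_LOCAL_MACHINE) spelling.
IPSEC_LOCAL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"
POLICY_AGENT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent"
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"=(.*)$')

def hash_file(path, chunk=1 << 16):
    """Return md5, sha1 and crc32 hex digests of a file, read in chunks."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            crc = zlib.crc32(block, crc)  # unsigned on Python 3
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "crc32": "%08x" % crc}

def scan_tree(root, known_sha1=KNOWN_SHA1, patterns=PATH_PATTERNS):
    """Walk root; return sorted (path, reason) pairs for hash or path hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digests = hash_file(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digests["sha1"] in known_sha1:
                hits.append((full, "sha1:" + digests["sha1"]))
            elif any(p.search(full.replace("/", "\\")) for p in patterns):
                hits.append((full, "path"))
    return sorted(hits)

def parse_reg_export(text):
    """Minimal parser for `reg export` output: {key: {value_name: raw_data}}."""
    result, current = {}, None
    for line in text.splitlines():
        key = REG_KEY.match(line)
        if key:
            current = result.setdefault(key.group(1), {})
        elif current is not None and REG_VAL.match(line):
            name, data = REG_VAL.match(line).groups()
            current[name] = data
    return result

def check_ipsec_policy(reg):
    """Flag the IPsec-related registry state recorded for Example 3."""
    findings = []
    active = reg.get(IPSEC_LOCAL, {}).get("ActivePolicy")
    if active:  # a local policy is assigned; a clean host has no ActivePolicy value
        # .reg files quote REG_SZ data and double its backslashes; undo both
        findings.append("ActivePolicy set: " + active.strip('"').replace("\\\\", "\\"))
    if reg.get(POLICY_AGENT, {}).get("Start", "").lower() == "dword:00000002":
        findings.append("PolicyAgent Start=2 (auto-start)")  # listed as modified; compare with your baseline
    return findings

# Constructed .reg excerpt; only the ipsecPolicy GUID is taken from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{786FD457-8656-46e8-B360-47F8714289F1}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000002
"""

def demo():
    """Build a throwaway tree with one path hit and one hash hit, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Program Files", "ATI"))
        for rel, data in (("Program Files/ATI/amdk8.sys", b"not a real driver"),  # path hit
                          ("readme.txt", b"hello")):  # hash hit via the set below
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        hello = hash_file(os.path.join(root, "readme.txt"))
        reasons = [why for _, why in scan_tree(root, KNOWN_SHA1 | {hello["sha1"]})]
    return {"reasons": reasons, "hello": hello,
            "findings": check_ipsec_policy(parse_reg_export(SAMPLE_REG))}

if __name__ == "__main__":
    print(demo())
```

Run as-is it prints the demo() result. For real use, point scan_tree() at a mounted image or a live system root, and feed check_ipsec_policy() the text of `reg export` for the IPSec\Policy\Local key and the PolicyAgent key (reg export writes UTF-16 by default, so decode the file with "utf-16" before parsing). Start=2 simply means Automatic, which is the default for the IPSEC Services on Windows XP; the page lists it under Registry Keys Modified, so treat it as a change relative to your own baseline rather than as a standalone indicator, and rely on the ActivePolicy value and the dropped files for the actual call.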
