Mal/VB-AIG

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 06 May 2013 03:51:38 (GMT)
Last Updated: 06 May 2013 03:51:38 (GMT)

Examples of Mal/VB-AIG include:

Example 1

File Information

Size
252K
SHA-1
91a372e2083f1ac69ba88ffb59284976e6cbf41d
MD5
52aebf621febabb8f1ebe6b37416f26c
CRC-32
55cf13d3
File type
Windows executable
First seen
2013-05-03

Runtime Analysis

DNS Requests
  • anton124354.aiq.ru

Example 2

File Information

Size
424K
SHA-1
e25142bed03e813f96a0062497dd7f55111d35df
MD5
388e9d9429ea06a03a55f625555d6af4
CRC-32
289121c2
File type
Windows executable
First seen
2013-05-04

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\InstallDir\Server.exe
Modified Files
  • %PROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\hTqLVFqV8o
    ServerStarted
    05/05/2013 21:05:36
  • HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
    ProxyExclude
  • HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
    ProxyExclude
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM
    C:\WINDOWS\system32\InstallDir\Server.exe
  • HKCU\Software\Microsoft\Windows Media\WMSDK\General
    VolumeSerialNumber
    0x601f769f
  • HKCU\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
    InitFlags
    0x00000001
  • HKCU\Software\XtremeRAT
    Mutex
    hTqLVFqV8o
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{S3KY22O5-PFG6-AFX0-NA48-70F0U5A7U8SG}
    StubPath
    C:\WINDOWS\system32\InstallDir\Server.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Win32
    C:\WINDOWS\system32\InstallDir\Server.exe
  • HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
    ProxyExclude
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    Name
    iexplore.exe
Processes Created
  • c:\windows\system32\svchost.exe
DNS Requests
  • pereira888.no-ip.org

Example 3

File Information

Size
212K
SHA-1
74f0f2cf1b0ce069b2a9c719bc41e99f723487b6
MD5
7bd2708a0369308d24d28813b7c3f9dc
CRC-32
d64c305f
File type
Windows executable
First seen
2013-05-04

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\InstallDir\Server.exe
Modified Files
  • %PROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\hTqLVFqV8o
    ServerStarted
    05/05/2013 20:08:24
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM
    C:\WINDOWS\system32\InstallDir\Server.exe
  • HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
    ProxyExclude
  • HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
    ProxyExclude
  • HKCU\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
    InitFlags
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{S3KY22O5-PFG6-AFX0-NA48-70F0U5A7U8SG}
    StubPath
    C:\WINDOWS\system32\InstallDir\Server.exe
  • HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
    ProxyExclude
  • HKCU\Software\Microsoft\Windows Media\WMSDK\General
    VolumeSerialNumber
    0x601f769f
  • HKCU\Software\XtremeRAT
    Mutex
    hTqLVFqV8o
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Win32
    C:\WINDOWS\system32\InstallDir\Server.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    Name
    svchost.exe
Processes Created
  • c:\windows\system32\svchost.exe
DNS Requests
  • pereira888.no-ip.org