Troj/Agent-AEQH

Category: Viruses and Spyware
Protection available since: 09 Nov 2013 06:46:19 (GMT)
Type: Trojan
Last Updated: 09 Nov 2013 06:46:19 (GMT)
Prevalence: Small Number of Reports

Troj/Agent-AEQH exhibits the following characteristics:

File Information

Size: 684K
SHA-1: e2bd3b6ce77bb6de367fb3e70db13670ae8360d5
MD5: 504beaa3730a60f65a4c55c5d0fd0f8d
CRC-32: 2d373fea
File type: Windows executable
First seen: 2013-11-08

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\Kedinjdwvypfrv.exe
Modified Files
  • %MY_DOCUMENTS%\GOAT6.XLS
    • Changed the file contents
  • %MY_DOCUMENTS%\sample1.ppt
    • Changed the file contents
  • C:\Documents and Settings\Default User\Templates\powerpnt.ppt
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT5.XLS
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT8.XLS
    • Changed the file contents
  • %MY_DOCUMENTS%\sample1.doc
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT2.XLS
    • Changed the file contents
  • C:\Documents and Settings\Default User\Templates\quattro.wb2
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT1.XLS
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT7.XLS
    • Changed the file contents
  • C:\Documents and Settings\Default User\Templates\excel4.xls
    • Changed the file contents
  • C:\TrueCrypt\TrueCrypt User Guide.pdf
    • Changed the file contents
  • C:\Documents and Settings\Default User\Templates\excel.xls
    • Changed the file contents
  • %MY_DOCUMENTS%\SAMPLE1.XLS
    • Changed the file contents
  • C:\Documents and Settings\Default User\Templates\winword.doc
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT9.XLS
    • Changed the file contents
  • C:\Documents and Settings\Default User\Templates\winword2.doc
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT3.XLS
    • Changed the file contents
  • %MY_DOCUMENTS%\GOAT4.XLS
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\CryptoLocker_0388
    PublicKey
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    CryptoLocker
    "c:\Documents and Settings\test user\Local Settings\Application Data\Kedinjdwvypfrv.exe"
  • HKCU\Software\CryptoLocker_0388\Files
    C:?TrueCrypt?TrueCrypt User Guide.pdf
    0x0002407a
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *CryptoLocker
    "c:\Documents and Settings\test user\Local Settings\Application Data\Kedinjdwvypfrv.exe"
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\kedinjdwvypfrv.exe
DNS Requests
  • stmdjbsbhojxp.net