Troj/Agent-ORC

Category:	Viruses and Spyware	Protection available since:	10 Sep 2010 10:15:06 (GMT)
Type:	Trojan	Last Updated:	10 Sep 2010 10:15:06 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of Troj/Agent-ORC include:

Example 1

File Information

Size: 124K
SHA-1: 5dcd815888d0763ee790605cf68168f6ecb0a938
MD5: 3ef00e638fcd1932eed3a039ebd97c1b
CRC-32: 30131b97
File type: application/x-ms-dos-executable
First seen: 2010-09-10

Other vendor detection

Avira: TR/Agent.ALAO.18244
Kaspersky: not-a-virus:AdWare.Win32.BHO.nrz
Trend: PAK_Generic.001

Example 2

File Information

Size: 226K
SHA-1: f647c42849aa43c63408f69a4824bfcde0901087
MD5: 56608e556bb6b257d605b200c8811c3e
CRC-32: 2161541f
File type: application/x-ms-dos-executable
First seen: 2010-09-10

Other vendor detection

Avira: TR/Crypt.CFI.Gen

Example 3

File Information

Size: 408K
SHA-1: f981100ac8357281a0f342713753ae3793a62857
MD5: a6f7c3cf9f31d4922dd5c87967b51989
CRC-32: 738bbffd
File type: application/x-ms-dos-executable
First seen: 2010-09-09

Other vendor detection

Avira: TR/Drop.Agent.ahk
Kaspersky: Trojan-Dropper.Win32.Agent.czer

Runtime Analysis

Dropped Files

C:\WINDOWS\system32\9bee.dll
Size
258K
SHA-1
675b1718777d3cec3207fac69a733ca48773ba8c
MD5
a660d453918563e4c8e4d702ba6e34be
CRC-32
7c5c3610
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\WINDOWS\system32\70-29-6012
C:\WINDOWS\91bd.exe
Size
87K
SHA-1
5b38586094a7443b5b78c819178d3eeaea722d5d
MD5
37baf8221ce75d4e575001e6ffa860df
CRC-32
932d9c29
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\Documents and Settings\All Users\Application Data\t\r1452.dat
Size
3.2K
SHA-1
b754d507505f912c7e8883dc9c9d955c3f49524f
MD5
7a0a45909e96648656046b7905855ac1
CRC-32
37b39ace
File type
application/octet-stream
First seen
2010-09-10
C:\Documents and Settings\All Users\Application Data\t\a1452.dat
Size
281
SHA-1
77f0eaf3fda6cc9e47335c190a334d8d2800dc60
MD5
24d261fe03dc9b31d2f4234f8e62477a
CRC-32
0a06a04d
File type
application/octet-stream
First seen
2010-09-10
C:\Documents and Settings\All Users\Application Data\t\b1452.dat
C:\WINDOWS\system32\799d.exe
Size
52K
SHA-1
4019ee95dd5e7702bf41348b3e1f2cf72ce7ad8f
MD5
11dcbda97e183f4d88f21eac0907c5d0
CRC-32
a7af29ad
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\WINDOWS\f91d.flv
Size
52K
SHA-1
4019ee95dd5e7702bf41348b3e1f2cf72ce7ad8f
MD5
11dcbda97e183f4d88f21eac0907c5d0
CRC-32
a7af29ad
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\WINDOWS\1b6u.bmp
Size
258K
SHA-1
675b1718777d3cec3207fac69a733ca48773ba8c
MD5
a660d453918563e4c8e4d702ba6e34be
CRC-32
7c5c3610
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\WINDOWS\system32\977o.dll
Size
87K
SHA-1
5b38586094a7443b5b78c819178d3eeaea722d5d
MD5
37baf8221ce75d4e575001e6ffa860df
CRC-32
932d9c29
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\WINDOWS\Temp\cml2.tmp
Size
416K
SHA-1
8e53d3864e51597bc2ca23c1d8ff0256802e8529
MD5
b0403939626c6008b94935a441bed577
CRC-32
ea076a7b
File type
application/x-ms-dos-executable
First seen
2010-09-10
C:\Documents and Settings\All Users\Application Data\t\k1452.dat
Size
2.4K
SHA-1
4a9cc441b98e769417d350d4a2b73f8b290240ed
MD5
77662cf132c18b0b706837e00554f23c
CRC-32
367a89c3
File type
application/octet-stream
First seen
2010-09-10
C:\WINDOWS\Tasks\ms.job
Size
248
SHA-1
90e235c442a424863bf1e12421fe4addf3ba90fc
MD5
2a33b408b24197ba51793fbfada44edc
CRC-32
0219b4ff
File type
application/data
First seen
2010-09-10
C:\Documents and Settings\All Users\Application Data\t\p1452.dat
Size
35K
SHA-1
ee2a4eb91423a128ee24818541732de9c47a1ecd
MD5
c9b35ed6da1d78209ae8bee761f83a29
CRC-32
6f14cec8
File type
application/octet-stream
First seen
2010-09-10

Modified Files

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
- Set the hidden and system flags
C:\Documents and Settings\LocalService\Local Settings\History
- Set the hidden and system flags

Registry Keys Created

HKCR\BHO.FunPlayer.1\CLSID
(Default)
{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}
HKCR\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID
(Default)
BHO.FunPlayer.1
HKCR\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}
(Default)
IFunPlayer
HKCR\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32
(Default)
C:\WINDOWS\system32\977o.dll
HKCR\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid
(Default)
{00020424-0000-0000-C000-000000000046}
HKCR\BHO.FunPlayer\CLSID
(Default)
{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}
HKCR\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib
(Default)
{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}
HKLM\SYSTEM\CurrentControlSet\Services\Mdlea\Enum
NextInstance
0x00000001
HKCR\BHO.FunPlayer
(Default)
CFunPlayer Object
HKCR\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32
(Default)
C:\WINDOWS\system32\977o.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}
(Default)
winhome
HKLM\SYSTEM\CurrentControlSet\Services\Mdlea
Start
0x00000002
HKCR\BHO.FunPlayer\CurVer
(Default)
BHO.FunPlayer.1
HKCR\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS
(Default)
0
HKLM\SYSTEM\CurrentControlSet\Services\Mdlea\Security
Security
01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKCR\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0
(Default)
BHO 1.0 Type Library

Registry Keys Modified

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
History
C:\Documents and Settings\LocalService\Local Settings\History
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
Directory
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Start
0x00000002

Processes Created

c:\windows\system32\799d.exe
c:\windows\system32\regsvr32.exe
c:\windows\system32\rundll32.exe
c:\windows\temp\cml2.tmp

HTTP Requests

http://343.boolans.com/list/2010-09-10/ALL.y
http://343.boolans.com/list/2010-09-10/ut_ALL.y
http://343.boolans.com/list/bl.y
http://qd.netkill.com.cn/db1.exe

DNS Requests

110.770304123.cn
122.770304123.cn
343.boolans.com
qd.netkill.com.cn
yahoo.com.cn

Try Sophos products for free
Download now

Troj/Agent-ORC

Example 1

File Information

Other vendor detection

Example 2

File Information

Other vendor detection

Example 3

File Information

Other vendor detection

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

HTTP Requests

DNS Requests

Free Mac Anti-Virus

Popular topics