Troj/Agent-YCV

Category: Viruses and Spyware
Type: Trojan
Protection available since: 07 Oct 2012 04:35:31 (GMT)
Last Updated: 07 Oct 2012 04:35:31 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Agent-YCV include:

Example 1

File Information

Size: 300K
SHA-1: d658048ba52bb59fc0ee293ce1e401b02ddf15a9
MD5: dbc3bd226fed1ae55e98064309dd8aff
CRC-32: c420a93e
File type: Windows executable
First seen: 2012-10-06

Example 2

File Information

Size: 300K
SHA-1: e6f5943088370a32f4129cfc3b0f2edb80b1665c
MD5: 7096e6c3822d30a458ff121a92543c41
CRC-32: bd9d3181
File type: Windows executable
First seen: 2012-10-06

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Pyzuu\acsat.exe
    Size: 300K
    SHA-1: d658048ba52bb59fc0ee293ce1e401b02ddf15a9
    MD5: dbc3bd226fed1ae55e98064309dd8aff
    CRC-32: c420a93e
    File type: Windows executable
    First seen: 2012-10-06
  • c:\Documents and Settings\test user\Application Data\Zaohit\luuxu.dec
    Size: 477
    SHA-1: 31108186aeb1e70c3783fb0e8f4b97c0aee6dd05
    MD5: 855c51c9b5b3c01d467bd845bd6fe1fd
    CRC-32: 20e123f8
    File type: Unspecified binary - probably data
    First seen: 2012-10-06
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Idac
    Kevozo
    [binary value; data not legible in the page extraction]
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {DF50A94F-25C0-1708-1984-20E774579B2D}
    "c:\Documents and Settings\test user\Application Data\Pyzuu\acsat.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    26 5e 47 0d 18 a4 cd 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\pyzuu\acsat.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://unqueaccess-shop.com/samuel/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • unqueaccess-shop.com
  • www.google.bg
  • www.google.com
