Troj/Agent-ZMC

Category:	Viruses and Spyware	Protection available since:	30 Dec 2012 12:08:42 (GMT)
Type:	Trojan	Last Updated:	31 Dec 2012 17:39:02 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of Troj/Agent-ZMC include:

Example 1

File Information

Size: 498K
SHA-1: bb6ba3b8993783a9758324e1843860503e1dd46d
MD5: 9a63f72911b385a0c17427444c968ed0
CRC-32: c905817c
File type: application/x-ms-dos-executable
First seen: 2012-12-30

Other vendor detection

Kaspersky: HEUR:Trojan.Win32.Generic

Runtime Analysis

Dropped Files

C:\WINDOWS\system32\AppleService.exe
Size
76K
SHA-1
fd4790ea74ceb027bc623ba9c60d528c9fb863a5
MD5
61fe6f4cb2c54511f0804b1417ab3bd2
CRC-32
6abdad65
File type
Windows executable
First seen
2012-12-27

Modified Files

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
- Set the hidden and system flags
C:\Documents and Settings\LocalService\Local Settings\History
- Set the hidden and system flags

Registry Keys Created

HKLM\SYSTEM\CurrentControlSet\Services\AppleService\Security
Security
□□□@□□□□□□□□□□□□□□@□□□□□□□□□□□ □□□□□□□□□□□ □□@□□□□□□□□□□□□□□□□□□□□□□□□□□ □□□□□@□□□□□□□□@□□□□□ □□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□@□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□0□□□□□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□ □□□□□
HKLM\SYSTEM\CurrentControlSet\Services\AppleService\Enum
NextInstance
0x00000001
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
<□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□@□□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
<□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□@□□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□
HKLM\SYSTEM\CurrentControlSet\Services\AppleService
Description
Apple Application Service.

Registry Keys Modified

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
History
C:\Documents and Settings\LocalService\Local Settings\History
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
History
C:\Documents and Settings\LocalService\Local Settings\History
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
Directory
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
CachePath
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2

Processes Created

c:\windows\system32\appleservice.exe
c:\windows\system32\cmd.exe
c:\windows\system32\net.exe
c:\windows\system32\net1.exe
c:\windows\system32\ping.exe

HTTP Requests

http://web.vipreclod.com/photo/cp.jpg
http://web.vipreclod.com/viewphoto.asp

DNS Requests

web.vipreclod.com

Example 2

File Information

Size: 498K
SHA-1: 27516d91174de87b7fbaf85f38a65980375ab80a
MD5: 5bca1a86c15816f3fc61db1ae807bdca
CRC-32: 5b6ce603
File type: Windows executable
First seen: 2012-12-31

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Temp\RarSFX0\NvSmartMax.dll.url
Size
111K
SHA-1
7a61645c603564914db4c7a6c20cb6089351a9c0
MD5
e8b71cabf8cc50b2f540d484c65baad5
CRC-32
eb9e038e
File type
Unspecified binary - probably data
First seen
2012-12-31
C:\Documents and Settings\All Users\SxS\Nv.exe
Size
47K
SHA-1
6474d0369f97e72e01e4971128d1062f5c2b3656
MD5
09b8b54f78a10c435cd319070aa13c28
CRC-32
fdbdd02e
File type
Windows executable
First seen
2012-04-20
c:\Documents and Settings\test user\Local Settings\Temp\RarSFX0\NvSmartMax.dll
Size
48K
SHA-1
1261310654078d3f15e4e22fe901232b3428666e
MD5
0563db7adeda159190a97562ce6ab3a8
CRC-32
f9c24ce7
File type
Windows executable
First seen
2012-12-31
C:\Documents and Settings\All Users\SxS\NvSmartMax.dll
Size
48K
SHA-1
1261310654078d3f15e4e22fe901232b3428666e
MD5
0563db7adeda159190a97562ce6ab3a8
CRC-32
f9c24ce7
File type
Windows executable
First seen
2012-12-31
C:\Documents and Settings\All Users\SxS\NvSmartMax.dll.url
Size
111K
SHA-1
7a61645c603564914db4c7a6c20cb6089351a9c0
MD5
e8b71cabf8cc50b2f540d484c65baad5
CRC-32
eb9e038e
File type
Unspecified binary - probably data
First seen
2012-12-31

Registry Keys Created

HKLM\SYSTEM\CurrentControlSet\Services\SessionNet
Description
Remote Desktop Network Services
HKLM\SYSTEM\CurrentControlSet\Services\SessionNet\Security
Security
□□□@□□□□□□□□□□□□□□@□□□□□□□□□□□ □□□□□□□□□□□ □□@□□□□□□□□□□□□□□□□□□□□□□□□□□ □□□□□@□□□□□□□□@□□□□□ □□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□@□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□0□□□□□□□□□□□□□□□□□ □□□□□□□□□□□□□□□□□ □□□□□
HKCR\FAST
CLSID
E□□@□□□□□□□□@□□0□□0□□□□□□□□@□□@□□`□□p□□@□□□□□□□□□□□
HKLM\SYSTEM\CurrentControlSet\Services\SessionNet\Enum
NextInstance
0x00000001

Processes Created

c:\documents and settings\all users\sxs\nv.exe
c:\docume~1\support\locals~1\temp\rarsfx0\nv.exe
c:\windows\system32\svchost.exe

IP Connections

172.16.255.255:53

DNS Requests

services.darkhero.org

Example 3

File Information

Size: 498K
SHA-1: a98ad343e096e47cdacf0e9586c5014af6f223af
MD5: fef9a8fa614bd9a9d675b76c00e34ce4
CRC-32: 31b971a3
File type: application/x-ms-dos-executable
First seen: 2012-12-28

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Troj/Agent-ZMC

Example 1

File Information

Other vendor detection

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

HTTP Requests

DNS Requests

Example 2

File Information

Runtime Analysis

Dropped Files

Registry Keys Created

Processes Created

IP Connections

DNS Requests

Example 3

File Information

Free Mac Anti-Virus

Popular topics