Troj/Agent-ZMC

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 30 Dec 2012 12:08:42 (GMT)
Last Updated: 31 Dec 2012 17:39:02 (GMT)


Examples of Troj/Agent-ZMC include:

Example 1

File Information

Size: 498K
SHA-1: bb6ba3b8993783a9758324e1843860503e1dd46d
MD5: 9a63f72911b385a0c17427444c968ed0
CRC-32: c905817c
File type: application/x-ms-dos-executable
First seen: 2012-12-30

Other vendor detection

Kaspersky: HEUR:Trojan.Win32.Generic

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\AppleService.exe
    Size: 76K
    SHA-1: fd4790ea74ceb027bc623ba9c60d528c9fb863a5
    MD5: 61fe6f4cb2c54511f0804b1417ab3bd2
    CRC-32: 6abdad65
    File type: Windows executable
    First seen: 2012-12-27
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\AppleService\Security
    Security: (binary data; not legibly rendered in the original report)
  • HKLM\SYSTEM\CurrentControlSet\Services\AppleService\Enum
    NextInstance: 0x00000001
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings: (binary data; not legibly rendered in the original report)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings: (binary data; not legibly rendered in the original report)
  • HKLM\SYSTEM\CurrentControlSet\Services\AppleService
    Description: Apple Application Service.
Registry Keys Modified
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History: C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History: C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
Processes Created
  • c:\windows\system32\appleservice.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
  • c:\windows\system32\ping.exe
HTTP Requests
  • http://web.vipreclod.com/photo/cp.jpg
  • http://web.vipreclod.com/viewphoto.asp
DNS Requests
  • web.vipreclod.com

Example 2

File Information

Size: 498K
SHA-1: 27516d91174de87b7fbaf85f38a65980375ab80a
MD5: 5bca1a86c15816f3fc61db1ae807bdca
CRC-32: 5b6ce603
File type: Windows executable
First seen: 2012-12-31

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\RarSFX0\NvSmartMax.dll.url
    Size: 111K
    SHA-1: 7a61645c603564914db4c7a6c20cb6089351a9c0
    MD5: e8b71cabf8cc50b2f540d484c65baad5
    CRC-32: eb9e038e
    File type: Unspecified binary - probably data
    First seen: 2012-12-31
  • C:\Documents and Settings\All Users\SxS\Nv.exe
    Size: 47K
    SHA-1: 6474d0369f97e72e01e4971128d1062f5c2b3656
    MD5: 09b8b54f78a10c435cd319070aa13c28
    CRC-32: fdbdd02e
    File type: Windows executable
    First seen: 2012-04-20
  • c:\Documents and Settings\test user\Local Settings\Temp\RarSFX0\NvSmartMax.dll
    Size: 48K
    SHA-1: 1261310654078d3f15e4e22fe901232b3428666e
    MD5: 0563db7adeda159190a97562ce6ab3a8
    CRC-32: f9c24ce7
    File type: Windows executable
    First seen: 2012-12-31
  • C:\Documents and Settings\All Users\SxS\NvSmartMax.dll
    Size: 48K
    SHA-1: 1261310654078d3f15e4e22fe901232b3428666e
    MD5: 0563db7adeda159190a97562ce6ab3a8
    CRC-32: f9c24ce7
    File type: Windows executable
    First seen: 2012-12-31
  • C:\Documents and Settings\All Users\SxS\NvSmartMax.dll.url
    Size: 111K
    SHA-1: 7a61645c603564914db4c7a6c20cb6089351a9c0
    MD5: e8b71cabf8cc50b2f540d484c65baad5
    CRC-32: eb9e038e
    File type: Unspecified binary - probably data
    First seen: 2012-12-31
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SessionNet
    Description: Remote Desktop Network Services
  • HKLM\SYSTEM\CurrentControlSet\Services\SessionNet\Security
    Security: (binary data; not legibly rendered in the original report)
  • HKCR\FAST
    CLSID: (binary data; not legibly rendered in the original report)
  • HKLM\SYSTEM\CurrentControlSet\Services\SessionNet\Enum
    NextInstance: 0x00000001
Processes Created
  • c:\documents and settings\all users\sxs\nv.exe
  • c:\docume~1\support\locals~1\temp\rarsfx0\nv.exe
  • c:\windows\system32\svchost.exe
IP Connections
  • 172.16.255.255:53
DNS Requests
  • services.darkhero.org

Example 3

File Information

Size: 498K
SHA-1: a98ad343e096e47cdacf0e9586c5014af6f223af
MD5: fef9a8fa614bd9a9d675b76c00e34ce4
CRC-32: 31b971a3
File type: application/x-ms-dos-executable
First seen: 2012-12-28
