Troj/Autoit-XQ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 16 Sep 2013 04:50:02 (GMT)
Last Updated: 16 Sep 2013 10:07:51 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Autoit-XQ include:

Example 1

File Information

Size: 2.0M
SHA-1: 420cc1d95ef0b436c47df6741103f2734e1407cc
MD5: fdcf4e6a33f3f217e927def0d0c05821
CRC-32: b8ae1efc
File type: Windows executable
First seen: 2013-09-15

Other vendor detection

Avira
DR/AutoIt.Gen2

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\INV_1000_mton.pdf
    Size: 453K
    SHA-1: 7c21511e66cd152684fc4befd41a6f273a88b689
    MD5: 837f208cd9f5c6a691ffb043400d9b48
    CRC-32: 4bcc1952
    File type: Adobe Portable Document Format (PDF)
    First seen: 2013-09-15
  • c:\Documents and Settings\test user\Application Data\Noyd\mahe.exe
    Size: 2.0M
    SHA-1: cef2b97b1444527bbf2c930de58d64725ea55c67
    MD5: 68d59a5c0391ecb3ca675791c22b6568
    CRC-32: 79a2228f
    File type: Windows executable
    First seen: 2013-09-15
  • c:\Documents and Settings\test user\Application Data\Peilen\uqdoe.ylq
    Size: 477
    SHA-1: 6c5e27bf15f76d44576dfb2cfeeddd6cd4890280
    MD5: b37234a4d6450745e210d4b8916d31f9
    CRC-32: efebad7d
    File type: Unspecified binary - probably data
    First seen: 2013-09-15
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Kiasw
    Emkara = (binary value; raw bytes not legible in the page extraction)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {6963B866-C696-D64B-728A-4E976E2393F0} = "c:\Documents and Settings\test user\Application Data\Noyd\mahe.exe"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 78 b7 f0 83 65 b2 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\noyd\mahe.exe
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\netsh.exe
HTTP Requests
  • http://igwekeleb.ig.ohost.de/cheewah/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • igwekeleb.ig.ohost.de
  • www.google.bg
  • www.google.com

Example 2

File Information

Size: 2.0M
SHA-1: 60cc5cf4fc167d73554cd98a4abe06d488842b9e
MD5: bf8e79dd60da3ebb70995fd311f599ce
CRC-32: 474e6a94
File type: Windows executable
First seen: 2013-09-15

Example 3

File Information

Size: 1.1M
SHA-1: 70b1527b3590506b5e4e803541a770516e1142dd
MD5: a7bb1d59eb5a2ad7cccafeb2c9d29879
CRC-32: 061a0f9e
File type: PK ZIP archive
First seen: 2013-09-15

Other vendor detection

Avira
DR/AutoIt.Gen2
