Troj/Bckdr-RKX

Category: Viruses and Spyware
Type: Trojan
Protection available since: 28 Feb 2012 20:17:42 (GMT)
Last Updated: 28 Feb 2012 20:17:42 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Bckdr-RKX include:

Example 1

File Information

Size: 72K
SHA-1: 62a291a0e884f77c1d35ffc950e7f923fe80bf05
MD5: b648dfd5dcad1eda4aa3537fa4850828
CRC-32: a96f2ea7
File type: application/x-ms-dos-executable
First seen: 2012-02-28

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A677C0DE-0880-E7EF-A24E-3A3B830CB7CE}
    (Default): Microsoft VM
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    IgfxTray: Vmnat32.exe
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver
    ImagePath: System32\DRIVERS\ipfltdrv.sys
Processes Created
  • c:\windows\system32\reg.exe
HTTP Requests
  • http://140.135.11.60/search
IP Connections
  • 140.135.11.60:80

Example 2

File Information

Size: 1.5M
SHA-1: 7fbacf52143668b84ac182b793dece1a54198c79
MD5: e9e996ac9ead5b16a8a89fda43d5bd50
CRC-32: 1c7e52b2
File type: application/x-ms-dos-executable
First seen: 2012-02-28

Other vendor detection

Kaspersky: Trojan.Win32.Inject.cdup

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\~DFFFAD.tmp
Dropped Files
  • C:\sample.scr
    Size: 1.4M
    SHA-1: 276b2ed2668c0cbc73604cc7ef42052d88bb0c00
    MD5: c7b956d285e5aa2ee9435131a18bef1d
    CRC-32: f5e1e689
    File type: application/x-ms-dos-executable
    First seen: 2012-02-23
  • c:\Documents and Settings\test user\Local Settings\Temp\~DFFF90.tmp
    Size: 72K
    SHA-1: 62a291a0e884f77c1d35ffc950e7f923fe80bf05
    MD5: b648dfd5dcad1eda4aa3537fa4850828
    CRC-32: a96f2ea7
    File type: application/x-ms-dos-executable
    First seen: 2012-02-28
  • C:\WINDOWS\Installer\b287ee.msi
    Size: 72K
    SHA-1: 62a291a0e884f77c1d35ffc950e7f923fe80bf05
    MD5: b648dfd5dcad1eda4aa3537fa4850828
    CRC-32: a96f2ea7
    File type: application/x-ms-dos-executable
    First seen: 2012-02-28
  • C:\WINDOWS\system32\dllcache\aic77ux.sys
    Size: 72K
    SHA-1: 62a291a0e884f77c1d35ffc950e7f923fe80bf05
    MD5: b648dfd5dcad1eda4aa3537fa4850828
    CRC-32: a96f2ea7
    File type: application/x-ms-dos-executable
    First seen: 2012-02-28
  • C:\WINDOWS\system32\Vmnat32.exe
    Size: 72K
    SHA-1: 62a291a0e884f77c1d35ffc950e7f923fe80bf05
    MD5: b648dfd5dcad1eda4aa3537fa4850828
    CRC-32: a96f2ea7
    File type: application/x-ms-dos-executable
    First seen: 2012-02-28
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A677C0DE-0880-E7EF-A24E-3A3B830CB7CE}
    (Default): Microsoft VM
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    IgfxTray: Vmnat32.exe
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriver
    ImagePath: System32\DRIVERS\ipfltdrv.sys
Processes Created
  • c:\docume~1\support\locals~1\temp\sample.scr
  • c:\docume~1\support\locals~1\temp\sample.tmp
  • c:\docume~1\support\locals~1\temp\tmp2.exe
  • c:\windows\system32\reg.exe
HTTP Requests
  • http://140.135.11.60/search
  • http://somewhere.servehalflife.com/search
IP Connections
  • 140.135.11.60:80
DNS Requests
  • somewhere.servehalflife.com
