Troj/Dloadr-DQW

Category: Viruses and Spyware
Type: Trojan
Protection available since: 03 Jan 2013 20:32:34 (GMT)
Last Updated: 03 Jan 2013 20:32:34 (GMT)
Prevalence: Small Number of Reports


Troj/Dloadr-DQW exhibits the following characteristics:

File Information

Size
60K
SHA-1
64a27df8a18d950eda3c50cded5c2784c01c272a
MD5
30aa0f336676d4ed9e9787046393e7a4
CRC-32
1f214ebc
File type
Windows executable
First seen
2013-01-01

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\GuardMailRu.exe
    Size
    2.2M
    SHA-1
    921ec9e6a40e1d53bde65fd95728896226e76602
    MD5
    5e1555f00a1f93b3c2748bd42d4720bb
    CRC-32
    1e40cb9a
    File type
    Windows executable
    First seen
    2012-10-30
  • c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk
    Size
    1.8K
    SHA-1
    db4176081a67f4bcf33a63e29e07c90be3f617cb
    MD5
    dff53b9a061524b7d06cfe5478cb639c
    CRC-32
    6e10bc0c
    File type
    application/octet-stream
    First seen
    2013-01-03
  • C:\Program Files\Mail.Ru\Sputnik\SputnikFlashPlayer.exe
    Size
    582K
    SHA-1
    9c809656571806145e8ac94111ab84fc3f367b9d
    MD5
    8d2e41b2b917b361c50b74db271d31b9
    CRC-32
    e0bc0264
    File type
    Windows executable
    First seen
    2012-10-30
  • c:\Documents and Settings\test user\Local Settings\Application Data\Mail.Ru\Sputnik\MailRu.ico
    Size
    25K
    SHA-1
    ecf132289a6428ccdfa97cf1ac316dd36b8c9e07
    MD5
    6686266728fa1dd286d097fec1a0ca5b
    CRC-32
    bfc229ef
    File type
    Unspecified binary - probably data
    First seen
    2011-02-12
  • C:\Program Files\Mail.Ru\Sputnik\MailRuSputnik.dll
    Size
    1.8M
    SHA-1
    369d920cb822f0b4d7231fd6f4ec00b59b05deaf
    MD5
    b8922d1f13333e8cd3555d35b81fb57f
    CRC-32
    66958c90
    File type
    Windows executable
    First seen
    2012-10-30
  • C:\Program Files\Mail.Ru\Guard\GuardMailRu.exe
    Size
    2.2M
    SHA-1
    921ec9e6a40e1d53bde65fd95728896226e76602
    MD5
    5e1555f00a1f93b3c2748bd42d4720bb
    CRC-32
    1e40cb9a
    File type
    Windows executable
    First seen
    2012-10-30
  • c:\Documents and Settings\test user\Local Settings\Temp\Internet.exe.xdl!
    Size
    16M
    SHA-1
    89042e115f74b4f7f0ef905136ce46023a92e86d
    MD5
    5983fa796b3d57299c6d67a6e540026c
    CRC-32
    d8dd4133
    File type
    Windows executable
    First seen
    2012-11-16
  • c:\Documents and Settings\test user\Local Settings\Application Data\Mail.Ru\GoMailRu.ico
    Size
    122K
    SHA-1
    b0920e159bc1eca47d7dd9e950b65c03e61b42c3
    MD5
    678737d36baabc4d152e6d5af7115c10
    CRC-32
    bcf59632
    File type
    Icon for 32-bit Windows
    First seen
    2011-09-24
  • c:\Documents and Settings\test user\Local Settings\Temp\ie.reg
    Size
    336
    SHA-1
    48ca64c27bd52fcd2d5953a10aedc28bcca7ef6d
    MD5
    eade9dbd92d81933aa3b2c3d03505a5b
    CRC-32
    ab896da3
    File type
    Windows regedit file (.reg)
    First seen
    2012-10-10
  • C:\Documents and Settings\All Users\Favorites\Mail.Ru.url
    Size
    152
    SHA-1
    76f691e383ec8bf1f554abe0f91ceadba62af3b3
    MD5
    c48288674af90ab27b68ecb1f025a6a5
    CRC-32
    5b1e5424
    File type
    Configuration Data File (generic)
    First seen
    2012-10-10
  • C:\Program Files\Mail.Ru\Sputnik\mailrusputnik.exe
    Size
    4.5M
    SHA-1
    f57d036135dc27bd0388915f4103036e83d8d7ca
    MD5
    7215345d63652dc8e750a5d40088284e
    CRC-32
    229e204a
    File type
    Windows executable
    First seen
    2012-10-30
Registry Keys Created
  • HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}
    (Default)
    ???????@Mail.Ru
  • HKLM\SYSTEM\CurrentControlSet\Services\Guard.Mail.ru\Enum
    NextInstance
    0x00000001
  • HKCR\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}
    (Default)
    MailRuBHO Class
  • HKCU\Software\Mail.Ru\IE_Bar
    LiteMode
    0x00000000
  • HKCU\Software\Microsoft\Internet Explorer\SearchScopes
    DefaultScope
    {FFEBBF0A-C22C-4172-89FF-45215A135AC7}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8984B388-A5BB-4DF7-B274-77B879E179DB}
    (Default)
    ???????@Mail.Ru
  • HKCR\MailRuSputnik.MailRuBHO.1\CLSID
    (Default)
    {8984B388-A5BB-4DF7-B274-77B879E179DB}
  • HKCR\MailRuSputnik.MailRuBHO\CurVer
    (Default)
    MailRuSputnik.MailRuBHO.1
  • HKCU\Software\Microsoft\Internet Explorer\Approved Extensions
    {8984B388-A5BB-4DF7-B274-77B879E179DB}
  • HKLM\SOFTWARE\Mail.Ru\Guard
    UserGUID
    {866DDFB8-9E9C-4432-9F98-750425A9DC80}
  • HKCR\MailRu.MailRuSputnikObj
    (Default)
    ???????@Mail.Ru
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MailRuSputnik
    VersionMinor
    0x00000004
  • HKCR\MailRu.MailRuSputnikObj.1\CLSID
    (Default)
    {09900DE8-1DCA-443F-9243-26FF581438AF}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Guard.Mail.ru
    UninstallString
    "C:\Program Files\Mail.Ru\Guard\GuardMailRu.exe" /uninstall
  • HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\ProgID
    (Default)
    MailRu.MailRuSputnikObj.1
  • HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\VersionIndependentProgID
    (Default)
    MailRu.MailRuSputnikObj
  • HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
    {09900DE8-1DCA-443F-9243-26FF581438AF}
    ???????@Mail.Ru
  • HKCR\MailRuSputnik.MailRuBHO\CLSID
    (Default)
    {8984B388-A5BB-4DF7-B274-77B879E179DB}
  • HKCR\MailRu.MailRuSputnikObj\CurVer
    (Default)
    MailRu.MailRuSputnikObj.1
  • HKLM\SYSTEM\CurrentControlSet\Services\Guard.Mail.ru\Security
    Security
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    MRSPUTNIK 2, 4, 1, 110
  • HKCR\MailRu.MailRuSputnikObj.1
    (Default)
    ???????@Mail.Ru
  • HKCR\MailRuSputnik.MailRuBHO
    (Default)
    MailRuBHO Class
  • HKCU\Software\Mail.Ru\IE_Bar\Recovery\ie
    DefaultScope
  • HKLM\SYSTEM\CurrentControlSet\Services\Guard.Mail.ru
    Description
    ???????????? ?????? ???????? ????????? ?? ???????????????????? ????????? (version 1.0.0.453)
  • HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}
    SuggestionsURL
    http://suggests.go.mail.ru/ie8?q={SearchTerms}
  • HKCR\MailRu.MailRuSputnikObj\CLSID
    (Default)
    {09900DE8-1DCA-443F-9243-26FF581438AF}
  • HKCU\Software\Mail.Ru\IE_Bar\Settings
    AppendOnNavigateError
    0x00000001
  • HKCR\MailRuSputnik.MailRuBHO.1
    (Default)
    MailRuBHO Class
  • HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\InprocServer32
    ThreadingModel
    Apartment
  • HKCR\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\VersionIndependentProgID
    (Default)
    MailRuSputnik.MailRuBHO
  • HKLM\SOFTWARE\Mail.Ru
    GuardNEW
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    {09900DE8-1DCA-443F-9243-26FF581438AF}
    ???????@Mail.Ru
  • HKCR\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\InprocServer32
    ThreadingModel
    Apartment
  • HKCR\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\ProgID
    (Default)
    MailRuSputnik.MailRuBHO.1
  • HKCR\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\TypeLib
    (Default)
    {D9396DCA-81B4-4C62-8C48-619573A3C4E6}
  • HKCR\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\TypeLib
    (Default)
    {D9396DCA-81B4-4C62-8C48-619573A3C4E6}
Registry Keys Modified
  • HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    ITBarLayout
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Start Page
    http://www.mail.ru/cnt/9516
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Local AppData
    C:\Documents and Settings\LocalService\Local Settings\Application Data
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Local AppData
    C:\Documents and Settings\LocalService\Local Settings\Application Data
HTTP Requests
  • http://binupdate.mail.ru/dwnld/url
  • http://exe.agent.mail.ru/sputnik/mailrusputnik.exe
  • http://mrb.mail.ru/update/2/version.txt
  • http://r.mail.ru/cln5491/exe.agent.mail.ru/sputnik/mailrusputnik.exe
  • http://to-load.ru/get_xml
DNS Requests
  • binupdate.mail.ru
  • exe.agent.mail.ru
  • internetmailru.cdnmail.ru
  • mrb.mail.ru
  • r.mail.ru
  • to-load.ru
