Troj/Farfli-Gen

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 03 Nov 2011 19:22:27 (GMT)
Last Updated: 03 Nov 2011 19:22:27 (GMT)

Examples of Troj/Farfli-Gen include:

Example 1

File Information

Size
116K
SHA-1
02c865ec56d448b33324f84354764db69977d374
MD5
fb25ac1a74a62d839c0a5cfc28b8eebe
CRC-32
df42d482
File type
application/x-ms-dos-executable
First seen
2011-02-04

Runtime Analysis

Copies Itself To
  • C:\Program Files\WinRAR.jpg
Registry Keys Created
  • HKLM\SOFTWARE\361474163\eapsvcs
    AuthenticationCapabilities
    0x00003020
  • HKLM\SOFTWARE\361474163
    netsvcs
    6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc
  • HKLM\SOFTWARE\235797642\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Services\Microsoft .Net Framework COM+ Support\Parameters
    ServiceDll
    C:\Program Files\WinRAR.jpg
  • HKLM\SYSTEM\CurrentControlSet\Services\Microsoft .Net Framework COM+ Support\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\SOFTWARE\235797642
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\Microsoft .Net Framework COM+ Support\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\Microsoft .Net Framework COM+ Support
    FailureActions
    80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 53 00 65 00 01 00 00 00 e8 03 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    imgsvc
    53 74 69 53 76 63 00 4d 69 63 72 6f 73 6f 66 74 20 2e 4e 65 74 20 46 72 61 6d 65 77 6f 72 6b 20 43 4f 4d 2b 20 53 75 70 70 6f 72 74 00
Processes Created
  • c:\windows\system32\svchost.exe
DNS Requests
  • ta130.3322.org

Example 2

File Information

Size
7.2M
SHA-1
03dd7f555d1ad3cdcb857561f91c617a181f02b0
MD5
02817f2edf235ed31eccb860805937ee
CRC-32
146d29ae
File type
application/x-ms-dos-executable
First seen
2011-02-18

Runtime Analysis

Dropped Files
  • C:\Program Files\Wwei\Daelocwoa.jpg
    Size
    14M
    SHA-1
    232f9252778201ffc2c92703291a4045bb1fc139
    MD5
    9d2dc3ef350be98563d7fc12b4b27733
    CRC-32
    2779150f
    File type
    application/x-ms-dos-executable
    First seen
    2011-02-18
Registry Keys Created
  • HKLM\SOFTWARE\332230011
    imgsvc
    53 74 69 53 76 63 00 56 63 64 6e 76 20 50 64 66 63 65 70 20 55 70 66 00
  • HKLM\SYSTEM\CurrentControlSet\Services\Vcdnv Pdfcep Upf\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Services\Vcdnv Pdfcep Upf\Enum
    NextInstance
    0x00000001
  • HKLM\SOFTWARE\332230011\dot3svc
    CoInitializeSecurityParam
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\Vcdnv Pdfcep Upf
    FailureActions
    80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 53 00 65 00 01 00 00 00 e8 03 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\79221430\Parameters
    ServiceDll
    C:\Program Files\Wwei\Daelocwoa.jpg
  • HKLM\SOFTWARE\79221430
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\Vcdnv Pdfcep Upf\Parameters
    ServiceDll
    C:\Program Files\Wwei\Daelocwoa.jpg
  • HKLM\SOFTWARE\332230011\DComLaunch
    CoInitializeSecurityParam
    0x00000001
  • HKLM\SOFTWARE\332230011\PCHealth
    AuthenticationCapabilities
    0x00000040
  • HKLM\SOFTWARE\79221430\Security
    Security
    01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    imgsvc
    53 74 69 53 76 63 00 56 63 64 6e 76 20 50 64 66 63 65 70 20 55 70 66 00
Processes Created
  • c:\windows\system32\svchost.exe

Example 3

File Information

Size
223K
SHA-1
08eabf8a8aa196ae72bb4e7ea22042598728fbf8
MD5
1583b303bb62ed567ae0a7168ff1e1cf
CRC-32
43c019c8
File type
Windows executable
First seen
2011-04-22

Runtime Analysis

Dropped Files
  • C:\2735700.dll
    Size
    102K
    SHA-1
    5930dbc5815fe0165908f8aa78291b71c49cc7e2
    MD5
    0dfbeffa00a19029fa07fe8c8f0402fd
    CRC-32
    9b934dfd
    File type
    Windows executable
    First seen
    2011-04-22
  • C:\NT_Path.jpg
    Size
    28
    SHA-1
    8dbbe40ab207069d61669143475841dcb4c2633f
    MD5
    c533d8626ac4b1d4ac94fbf571b3fd46
    CRC-32
    6915ffc7
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2011-04-22
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Enum
    NextInstance
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Tracing\Router
    ConsoleTracingMask
    0xffff0000
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip
    DLLPath
    C:\2735700.dll
  • HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess
    Type
    0x00000110
Processes Created
  • c:\windows\system32\svchost.exe
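The three examples share one persistence technique: a DLL is written to disk under a misleading name (the .jpg files in Examples 1 and 2, C:\2735700.dll in Example 3), a service key points its Parameters\ServiceDll or RouterManagers\Ip\DLLPath at it, and the service is then hosted by svchost.exe, which is why svchost.exe is the only process created. The raw registry values above carry the details in encoded form. The imgsvc value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost is a REG_MULTI_SZ listing the services svchost.exe loads for the imgsvc group; decoded, Example 1 reads "StiSvc", "Microsoft .Net Framework COM+ Support" and Example 2 reads "StiSvc", "Vcdnv Pdfcep Upf", so each sample has appended its own service to the legitimate Still Image service. The FailureActions blob is a SERVICE_FAILURE_ACTIONS structure whose reset period is 86400 seconds with three SC_ACTION_RESTART entries, so the Service Control Manager restarts the implant if it dies. The Type value 0x00000110 is SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS. The decoder below is an added example written for this page, not Sophos code; the hex blobs are copied from the examples above, and the baseline that the imgsvc group normally contains only StiSvc is an assumption stated in the code, not something the report records.

```python
"""Decode the raw registry values left behind by a svchost-hosted service
installer, using the Troj/Farfli-Gen examples above as input.

Added example, not Sophos code. The hex strings are copied from the page;
the Windows XP baseline for the svchost "imgsvc" group ("StiSvc" only) is an
assumption made here, not something the report records."""

import struct

# Constructed inputs, copied byte for byte from the examples above.
IMGSVC_EXAMPLE_1 = bytes.fromhex(
    "53 74 69 53 76 63 00 4d 69 63 72 6f 73 6f 66 74 20 2e 4e 65 74 20 46 72 61 "
    "6d 65 77 6f 72 6b 20 43 4f 4d 2b 20 53 75 70 70 6f 72 74 00"
)
IMGSVC_EXAMPLE_2 = bytes.fromhex(
    "53 74 69 53 76 63 00 56 63 64 6e 76 20 50 64 66 63 65 70 20 55 70 66 00"
)
FAILURE_ACTIONS = bytes.fromhex(
    "80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 53 00 65 00 01 00 00 00 "
    "e8 03 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00"
)

# Assumed baseline: on Windows XP the imgsvc group normally holds only StiSvc.
IMGSVC_BASELINE = {"StiSvc"}

SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
SC_ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}


def decode_multi_sz(raw: bytes) -> list[str]:
    """Split a REG_MULTI_SZ blob into its strings.

    A live registry stores these as UTF-16LE; the sandbox report above shows
    single-byte text, so detect which encoding we were handed."""
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def injected_services(raw: bytes, baseline: set[str] = IMGSVC_BASELINE) -> list[str]:
    """Service names in a svchost group value that are not in the baseline.

    Every extra name is a service whose Parameters\\ServiceDll svchost.exe
    will load into the group's process, so each one deserves inspection."""
    return [name for name in decode_multi_sz(raw) if name not in baseline]


def decode_failure_actions(raw: bytes) -> dict:
    """Parse a SERVICE_FAILURE_ACTIONS blob as stored under a service key.

    32-bit layout: dwResetPeriod, lpRebootMsg, lpCommand, cActions,
    lpsaActions, then cActions x SC_ACTION {Type, Delay}. The two pointer
    fields are meaningless once written to disk and are ignored."""
    reset_period, _msg, _cmd, count, _ptr = struct.unpack_from("<5I", raw, 0)
    actions = []
    for i in range(count):
        kind, delay_ms = struct.unpack_from("<2I", raw, 20 + 8 * i)
        actions.append((SC_ACTION_TYPES.get(kind, hex(kind)), delay_ms))
    return {"reset_period_s": reset_period, "actions": actions}


def decode_service_type(value: int) -> list[str]:
    """Expand a service Type DWORD into its flag names."""
    return [name for bit, name in SERVICE_TYPE_FLAGS.items() if value & bit]


if __name__ == "__main__":
    for label, blob in (("Example 1", IMGSVC_EXAMPLE_1), ("Example 2", IMGSVC_EXAMPLE_2)):
        print(label, "imgsvc ->", decode_multi_sz(blob),
              "injected:", injected_services(blob))
    print("FailureActions ->", decode_failure_actions(FAILURE_ACTIONS))
    print("Type 0x110 ->", decode_service_type(0x110))
```

On a live host the same check is run by reading each value under the SvcHost key and diffing the decoded list against a known-good image of that Windows build; any name that is not in the baseline leads straight to the ServiceDll path to examine.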
