Troj/MDrop-ESH

Category:	Viruses and Spyware	Protection available since:	29 Dec 2012 05:46:49 (GMT)
Type:	Trojan	Last Updated:	29 Dec 2012 05:46:49 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Troj/MDrop-ESH exhibits the following characteristics:

File Information

Size: 255K
SHA-1: da63a6b4737652ca0e89f888405ea9dd25406471
MD5: 097e4f4bc7b36e97ced5ae556f891245
CRC-32: be57caff
File type: Windows executable
First seen: 2012-12-16

Other vendor detection

Avira: TR/Dropper.Gen

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Temp\Install.bat
Size
1.3K
SHA-1
4c938bb098fd55e716a8dfe7e7aeb0a9af66598c
MD5
65575651cf6ddc4efa69b80f588daa34
CRC-32
27de0a62
File type
ASCII text / 8-bit Unicode Transformation Format
First seen
2012-11-29
c:\Documents and Settings\test user\Local Settings\Temp\pic.ico
C:\WINDOWS\system32\drivers\etc\hosts
Size
161
SHA-1
f4b304182d75682921ce07fcd705360f9d298ce5
MD5
f569c1ec3576e308cff707b239683e36
CRC-32
d59af48b
File type
ASCII text / 8-bit Unicode Transformation Format
First seen
2012-11-29
c:\Documents and Settings\test user\Local Settings\Temp\do.exe
Size
16K
SHA-1
c465ecdf745f272b4876492beef2abae0f093e2d
MD5
43932d0c6fa84f48e648c71f6eb97a5c
CRC-32
39d31b03
File type
Windows executable
First seen
2012-11-27

Modified Files

%SYSTEM%\drivers\etc\hosts
- Changed the file contents

Registry Keys Created

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012121720121224
CacheRepair
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012122820121229
CacheRepair
0x00000000

Registry Keys Modified

HKCR\SystemFileAssociations\.dot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.ppt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.xlt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.obd\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.xls\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.mic\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.mix\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.doc\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.mpp\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Name
iexplore.exe
HKCR\SystemFileAssociations\.obt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.pot\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af
HKCR\SystemFileAssociations\.fpx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
(Default)
7b 39 44 42 44 32 43 35 30 2d 36 32 41 44 2d 31 31 64 30 2d 42 38 30 36 2d 30 30 43 30 34 46 44 37 30 36 45 43 7d 00 00 55 6e 52 65 67 44 6c 6c 00 00 00 00 2c 52 b0 5c 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e af

Processes Created

c:\docume~1\support\locals~1\temp\do.exe
c:\windows\system32\chcp.com
c:\windows\system32\cmd.exe
c:\windows\system32\regsvr32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskkill.exe

HTTP Requests

http://ac3.msn.com/de.ashx
http://adsyndication.msn.com/delivery/getads.js
http://images.adsyndication.msn.com/ImageShare/c7adc83d919340289809e7a974305416.png
http://shell.windows.com/fileassoc/0409/PageTemplate.xsl
http://shell.windows.com/fileassoc/0409/fileassoc.css
http://shell.windows.com/fileassoc/0409/xml/redir.asp
http://shell.windows.com/fileassoc/HeaderSlice.jpg
http://shell.windows.com/fileassoc/Win_FileAssoc_Header.jpg

DNS Requests

ac3.msn.com
adsyndication.msn.com
images.adsyndication.msn.com
shell.windows.com

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Troj/MDrop-ESH

File Information

Other vendor detection

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

HTTP Requests

DNS Requests

Free Mac Anti-Virus

Popular topics