Troj/Mdrop-EOO

Category: Viruses and Spyware
Type: Trojan
Protection available since: 12 Oct 2012 11:13:35 (GMT)
Last Updated: 12 Oct 2012 11:13:35 (GMT)
Prevalence: Small Number of Reports


Troj/Mdrop-EOO exhibits the following characteristics:

File Information

Size: 291K
SHA-1: 4f0719f07711e45fab38f605f6f7c5b07c64eb59
MD5: e0fc9877bec76cafdd70d32bd1ed08c4
CRC-32: 2fe35191
File type: Windows executable
First seen: 2012-10-12

Other vendor detection

Avira: TR/Dldr.VB.wps
Kaspersky: Virus.Win32.Sality.Gen

Runtime Analysis

Dropped Files
  • F:/autorun.inf
    Size: 316
    SHA-1: 0464b1436f075b19a50850d2fe25f6febf5d0412
    MD5: d779ac8683fbb507ced7bf6c3831b68c
    CRC-32: 5a837d28
    File type: Configuration Data File (generic)
    First seen: 2012-10-12
  • F:/gqef.exe
    Size: 101K
    SHA-1: a9fdf7aba14aa185fbaf665a8462be12b0c0386f
    MD5: f93d0c47dc8a651597b3d966f8dc9b29
    CRC-32: 1dd90ef5
    File type: Windows executable
    First seen: 2012-10-12
Modified Files
  • %WINDOWS%\system.ini
    • Changed the file contents
  • %PROGRAM FILES%\Messenger\msmsgs.exe
    • Changed the file contents
  • %PROGRAM FILES%\Vim\vim70\gvim.exe
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\Aryltuv
    s4_563 = 0x47524be9
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc
    UacDisableNotify = 0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\test_item.exe = c:\test_item.exe:*:Enabled:ipsec
  • HKCU\Software\Aryltuv\-2105228631
    320026149 = 06A8BB1AD2BF41C19C957B4CFBEDFF1EF2E3DBE4DA4CD047EAD75E66990059CCABC859A6F25DCE12C46ACFD1231BE43A44AD47CB2CB3B9B6631773B6B0B554211CAC18062A3268B25D9944460116DE02E91BDD350C12D825D2A50CC8D8C43714ED90C6C665B92D768DAC66752F17E51E8C3DDE8BAFA8C6BE3B1DD99913135E28
  • HKLM\SYSTEM\CurrentControlSet\Services\amsint32
    DisplayName = amsint32
  • HKLM\SOFTWARE\Microsoft\Security Center
    UacDisableNotify = 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline = 0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA = 0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\amsint32\Security
    Security = [binary data, not rendered]
  • HKLM\SYSTEM\CurrentControlSet\Services\amsint32\Enum
    NextInstance = 0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = 0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 0x00000002
  • HKLM\SOFTWARE\Microsoft\Security Center
    FirewallOverride = 0x00000001
Processes Created
  • c:\program files\sophos\sophos anti-virus\savadminservice.exe
HTTP Requests
  • http://173.193.19.14/logo.gif
  • http://724hizmetgrup.com/images/logosa.gif
  • http://cdn.dsultra.com/images/image_redirect/shopwiki.com.gif
  • http://cevatpasa.com/images/logos.gif
  • http://chicostara.com/logof.gif
  • http://dewpoint-eg.com/images/logosa.gif
  • http://pelcpawel.fm.interia.pl/logos.gif
  • http://suewyllie.com/images/logos.gif
  • http://www.bluecubecreatives.com/logos.gif
  • http://www.ceylanogullari.com/logof.gif
  • http://yavuztuncil.ya.funpic.de/images/logos.gif
IP Connections
  • 173.193.19.14:80
DNS Requests
  • 724hizmetgrup.com
  • cdn.dsultra.com
  • cevatpasa.com
  • chicostara.com
  • dewpoint-eg.com
  • pelcpawel.fm.interia.pl
  • suewyllie.com
  • www.bluecubecreatives.com
  • www.ceylanogullari.com
  • yavuztuncil.ya.funpic.de
