Troj/Mdrop-EOO exhibits the following characteristics:
File Information
- Size: 291K
- SHA-1: 4f0719f07711e45fab38f605f6f7c5b07c64eb59
- MD5: e0fc9877bec76cafdd70d32bd1ed08c4
- CRC-32: 2fe35191
- File type: Windows executable
- First seen: 2012-10-12
Other vendor detection
- Avira: TR/Dldr.VB.wps
- Kaspersky: Virus.Win32.Sality.Gen
Runtime Analysis
Dropped Files
- F:/autorun.inf
  - Size: 316
  - SHA-1: 0464b1436f075b19a50850d2fe25f6febf5d0412
  - MD5: d779ac8683fbb507ced7bf6c3831b68c
  - CRC-32: 5a837d28
  - File type: Configuration Data File (generic)
  - First seen: 2012-10-12
- F:/gqef.exe
  - Size: 101K
  - SHA-1: a9fdf7aba14aa185fbaf665a8462be12b0c0386f
  - MD5: f93d0c47dc8a651597b3d966f8dc9b29
  - CRC-32: 1dd90ef5
  - File type: Windows executable
  - First seen: 2012-10-12
Modified Files
- %WINDOWS%\system.ini
  - Changed the file contents
- %PROGRAM FILES%\Messenger\msmsgs.exe
  - Changed the file contents
- %PROGRAM FILES%\Vim\vim70\gvim.exe
  - Changed the file contents
Registry Keys Created
- HKCU\Software\Aryltuv
  - s4_563 = 0x47524be9
- HKLM\SOFTWARE\Microsoft\Security Center\Svc
  - UacDisableNotify = 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - c:\test_item.exe = c:\test_item.exe:*:Enabled:ipsec
- HKCU\Software\Aryltuv\-2105228631
  - 320026149 = 06A8BB1AD2BF41C19C957B4CFBEDFF1EF2E3DBE4DA4CD047EAD75E66990059CCABC859A6F25DCE12C46ACFD1231BE43A44AD47CB2CB3B9B6631773B6B0B554211CAC18062A3268B25D9944460116DE02E91BDD350C12D825D2A50CC8D8C43714ED90C6C665B92D768DAC66752F17E51E8C3DDE8BAFA8C6BE3B1DD99913135E28
- HKLM\SYSTEM\CurrentControlSet\Services\amsint32
  - DisplayName = amsint32
- HKLM\SOFTWARE\Microsoft\Security Center
  - UacDisableNotify = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - EnableLUA = 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\amsint32\Security
  - Security = (binary data; not rendered in the source)
- HKLM\SYSTEM\CurrentControlSet\Services\amsint32\Enum
  - NextInstance = 0x00000001
Registry Keys Modified
- HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
  - Start = 0x00000004
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - DoNotAllowExceptions = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  - Hidden = 0x00000002
- HKLM\SOFTWARE\Microsoft\Security Center
  - FirewallOverride = 0x00000001
Processes Created
- c:\program files\sophos\sophos anti-virus\savadminservice.exe
HTTP Requests
- http://173.193.19.14/logo.gif
- http://724hizmetgrup.com/images/logosa.gif
- http://cdn.dsultra.com/images/image_redirect/shopwiki.com.gif
- http://cevatpasa.com/images/logos.gif
- http://chicostara.com/logof.gif
- http://dewpoint-eg.com/images/logosa.gif
- http://pelcpawel.fm.interia.pl/logos.gif
- http://suewyllie.com/images/logos.gif
- http://www.bluecubecreatives.com/logos.gif
- http://www.ceylanogullari.com/logof.gif
- http://yavuztuncil.ya.funpic.de/images/logos.gif
IP Connections
DNS Requests
- 724hizmetgrup.com
- cdn.dsultra.com
- cevatpasa.com
- chicostara.com
- dewpoint-eg.com
- pelcpawel.fm.interia.pl
- suewyllie.com
- www.bluecubecreatives.com
- www.ceylanogullari.com
- yavuztuncil.ya.funpic.de