Troj/Mdrop-ETJ

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 11 Jan 2013 23:19:13 (GMT)
Last updated: 12 Jan 2013 04:08:40 (GMT)


Examples of Troj/Mdrop-ETJ include:

Example 1

File Information
Size: 173K
SHA-1: 25d17c5a948903b333dff5a26126093e3a76b365
MD5: b59790f247c858a41e191973d347ebc1
CRC-32: be6f4414
File type: Windows executable
First seen: 2012-12-01

Example 2

File Information
Size: 164K
SHA-1: 2945a652652a56050e9f411cd5770a32bd15e85b
MD5: 9a66a1cf8cbf733a28a83db4727e70d0
CRC-32: 7604a13c
File type: Windows executable
First seen: 2012-12-05

Example 3

File Information
Size: 173K
SHA-1: 2e6aef9d214922730641eeb90dc9591eb47b837a
MD5: 822d74dcd50fc0dad486cfb6eae5ddc3
CRC-32: 27fc4d42
File type: Windows executable
First seen: 2012-11-27

Runtime Analysis

Dropped Files
  • C:\Program Files\_arh1\_arh1\no111111111ri.vbs
    Size: 1.7K
    SHA-1: 21f924fbcb59ad57284bae1e72919ba8ac5783d8
    MD5: d822a34e2bf34de05e78aba67511edb4
    CRC-32: 65162140
    File type: Visual Basic Script
    First seen: 2012-11-27
  • c:\Documents and Settings\test user\Recent\no111111111ri.vbs.lnk
    Size: 774
    SHA-1: 010456d73272c5f70517449c6db6a38eb846cf80
    MD5: c02f1bf4701cf99c57b749c415d11ab8
    CRC-32: 0303af86
    File type: Windows Shortcut file (.LNK)
    First seen: 2013-01-12
  • c:\Documents and Settings\test user\Recent\_arh1.lnk
  • C:\Program Files\_arh1\_arh1\na1111111111111ki.bat
    Size: 6.6K
    SHA-1: 16edbc870f13ca00034e4a832d2a75cdb23a12c7
    MD5: fc29fbfea70565f4eb1d777e4db0789e
    CRC-32: f6d48114
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2012-11-29
  • C:\WINDOWS\system32\drivers\etc\hosts
    Size: 1.1K
    SHA-1: 85b4fe5284f1a3c0c313f89ae2535dd0a3accd5b
    MD5: 1bd676f9c06097aa1a81f4c19407dc98
    CRC-32: 18436563
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2013-01-12
  • C:\Program Files\_arh1\_arh1\kust.txt
  • C:\Program Files\_arh1\_arh1\kokolok.txt
    Size: 1
    SHA-1: 77ac341feebeb7c0a7ff8f9c6540531500693bac
    MD5: fc1262746424402278e88f6c1f02f581
    CRC-32: 95b020f2
    File type: application/octet-stream
    First seen: 2011-07-24
Modified Files
  • %SYSTEM%\drivers\etc\hosts
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    7
    _□□□□□ □□□□□□□□□□□ □□ □□□□□□□□□□□□□□□□□□a□ h□□.□□n□□□□□□□0□□@□□□□□□□□□□□□□□□□□@□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vbs
    MRUListEx
    □□□□□□□□□□□□
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
    MRUList
    a
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013011220130113
    CacheRepair
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    3
    _□□□□□ □□□□□□□□□□□ □□ □□□□□□□□□□□□□□□□□□a□ h□□.□□n□□□□□□□0□□@□□□□□□□□□□□□□□□□□@□□□□□□□□□□□ □□□□□□□□□□□□□□□□□□□□□□□□□□□□□
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    MRUListEx
    07 00 00 00 06 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    MRUListEx
    03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\wscript.exe
IP Connections
  • 94.249.188.143:9007
