Troj/RansmMem-A

Category: Viruses and Spyware
Protection available since: 04 Jan 2013 23:54:03 (GMT)
Type: Trojan
Last Updated: 14 Mar 2013 01:50:28 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/RansmMem-A include:

Example 1

File Information

Size
164K
SHA-1
54b7713d3ae70f8832fd531e18298a0d0110b6b1
MD5
d0a9455c77ed8b84912a73afeb3f09d6
CRC-32
c1cf5cd6
File type
Windows executable
First seen
2007-07-30

Other vendor detection

Avira
TR/Dropper.Gen

Runtime Analysis

Dropped Files
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    Size
    5.5K
    SHA-1
    52a701bff735e49b241a8db2685fb3c7d405fefb
    MD5
    7fea1d29dcf1d92c8416b4658bff5c43
    CRC-32
    0ec413ca
    File type
    Unspecified binary - probably data
    First seen
    2013-02-18
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    Size
    4.2K
    SHA-1
    4d104ae1f6e4690f3c13db56a15bf4435004bb52
    MD5
    1f47ffdd1df2baebcb51b3193bd580df
    CRC-32
    9266033f
    File type
    Unspecified binary - probably data
    First seen
    2013-02-18
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
    BITS_metadata
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid
    BitNames
    LogFlagInfo LogFlagWarning LogFlagError LogFlagFunction LogFlagRefCount LogFlagSerialize LogFlagDownload LogFlagTask LogFlagLock LogFlagService LogFlagDataBytes LogFlagTransferDetails
  • HKLM\SYSTEM\CurrentControlSet\Services\BITS\Enum
    NextInstance
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
    StateIndex
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS
    ControlFlags
    0x00000001
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe, C:\Documents and Settings\All Users\Application Data\luMogjcecMy
HTTP Requests
  • http://b6sfdgyushiftusghfisgjfh.org/ad4/
DNS Requests
  • b6sfdgyushiftusghfisgjfh.org

Example 2

File Information

Size
102K
SHA-1
7e9f3d62f588034f9e5a593aba46fd46937bd4f9
MD5
3b9c7cb8fad1661a837fd61ac23460ea
CRC-32
9fe56d2d
File type
Windows executable
First seen
2012-11-12

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
    StateIndex
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
    BITS_metadata
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*
  • HKLM\SYSTEM\CurrentControlSet\Services\BITS\Enum
    NextInstance
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid
    BitNames
    LogFlagInfo LogFlagWarning LogFlagError LogFlagFunction LogFlagRefCount LogFlagSerialize LogFlagDownload LogFlagTask LogFlagLock LogFlagService LogFlagDataBytes LogFlagTransferDetails
  • HKCU\Software\Microsoft\Command Processor
    AutoRun
    "c:\Documents and Settings\test user\Local Settings\Application Data\mvdqphsiojtc.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS
    ControlFlags
    0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\BITS
    Start
    0x00000002
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe, C:\Documents and Settings\All Users\Application Data\mvdqphsiojtc
HTTP Requests
  • http://urlazapurla.org/ad/
DNS Requests
  • urlazapurla.org

Example 3

File Information

Size
111K
SHA-1
a5ac8eecb4a9de9c7ca3accff7aa08cdb9f8fe88
MD5
5c8120c6356f38b686e91b685748eccf
CRC-32
db1e0307
File type
Windows executable
First seen
2013-01-02

Runtime Analysis

Copies Itself To
  • C:\Documents and Settings\All Users\Application Data\_bd_uylzs.exe
  • c:\Documents and Settings\test user\Local Settings\Application Data\_bd_uylzs.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\mp.htm
    Size
    2.0K
    SHA-1
    f22dd65d03a22e3059909cd46a19772aaf85c063
    MD5
    054f759497cf251ef59d846c528e3777
    CRC-32
    ec00f23e
    File type
    Hypertext Markup Language
    First seen
    2012-12-25
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\img\mp.png
    Size
    34K
    SHA-1
    039e615b25879433de4a263860026a922e688bef
    MD5
    ce45087616a30c06036adbe2b82d9259
    CRC-32
    3be63d47
    File type
    PNG (Portable Network Graphics) image format
    First seen
    2012-11-26
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\img\bg2.jpg
    Size
    121K
    SHA-1
    a5ec7a25b32e358ec58dc571b6213331a769eda3
    MD5
    0ebf876a4efafcc00f1c02472807acd1
    CRC-32
    bcfc15bf
    File type
    JPEG Interchange Format
    First seen
    2012-11-26
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\img\button.png
    Size
    394
    SHA-1
    54d4b968b889f2ef50e405188e473618cf63b3e9
    MD5
    86a1ceb76b7386c250f37ebd3cf17d16
    CRC-32
    2521b1ba
    File type
    PNG (Portable Network Graphics) image format
    First seen
    2012-11-26
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\index.htm
    Size
    2.1K
    SHA-1
    ef3411d244636ea7a90fe043cd91bf1bdc1e801c
    MD5
    e228289a334576d9b3804d0c8ac492f4
    CRC-32
    d34236b1
    File type
    Hypertext Markup Language
    First seen
    2012-12-25
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\img\b3.png
    Size
    18K
    SHA-1
    5ca20b72ad0f92704cdc9f6cd56a635d34e17a92
    MD5
    51e287dc43cd17920ab9b219bcb0b59d
    CRC-32
    46651e13
    File type
    PNG (Portable Network Graphics) image format
    First seen
    2012-11-26
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\index2.htm
    Size
    1.3K
    SHA-1
    4b8dd8e332478be1d782985a89e3d2bf9247b35a
    MD5
    76bd0725ff24041b1e3b79527e58662e
    CRC-32
    683d8060
    File type
    Hypertext Markup Language
    First seen
    2012-12-25
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\img\bg.jpg
    Size
    139K
    SHA-1
    6a8769cbadc779bacc6ade271998622cac8d5760
    MD5
    b044c693a828e9bacfffef8f84b1850f
    CRC-32
    1744ffce
    File type
    JPEG Interchange Format
    First seen
    2012-11-26
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\img\uc.png
    Size
    17K
    SHA-1
    d17eb8478c9bb4c23ffaebdb14412a8e20a275ac
    MD5
    906fb90899d397e720ea485291a3db27
    CRC-32
    2a8d3afe
    File type
    PNG (Portable Network Graphics) image format
    First seen
    2012-11-26
  • c:\Documents and Settings\test user\Local Settings\Temp\3.tmp\uc.htm
    Size
    2.0K
    SHA-1
    bce84003dac1f9c7e62fab1df4793af727ac1c3d
    MD5
    3962b9e60c0d5efdae0b5faf15e57ca9
    CRC-32
    ab523f0e
    File type
    Hypertext Markup Language
    First seen
    2012-12-25
Modified Files
  • %PROFILE%\Application Data\Microsoft\Internet Explorer\Desktop.htt
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013010220130103
    CacheRepair
    0x00000000
  • HKCU\Software\Microsoft
    Pool
    (binary data; value not rendered)
  • HKCU\Software\Microsoft\Command Processor
    AutoRun
    "c:\Documents and Settings\test user\Local Settings\Application Data\_bd_uylzs.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012121720121224
    CacheRepair
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
    GeneralFlags
    0x00000004
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe, C:\Documents and Settings\All Users\Application Data\_bd_uylzs
HTTP Requests
  • http://mgeoipdomenimages.com/ad/geo/img.png
  • http://n7rhueufghe.org/ad4/
DNS Requests
  • mgeoipdomenimages.com
  • n7rhueufghe.org
