Troj/Tiotua-DQ

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 30 Apr 2013 09:27:14 (GMT)
Last Updated: 30 Apr 2013 09:27:14 (GMT)

Troj/Tiotua-DQ exhibits the following characteristics:

File Information

Size: 538K
SHA-1: 77c1d5af099009544dd9b98bbd517741124a7c9d
MD5: d5441bda40d2f07e6184cdc7ad54708d
CRC-32: 0863a69a
File type: Windows executable
First seen: 2013-04-29

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\Ssan.exe
Dropped Files
  • C:\WINDOWS\system32\Ssam.exe
    Size: 36K
    SHA-1: 00cc931ced2884612600c8c896ac898b9ab4375f
    MD5: ae6306ef4728eaf3d3078cd4fee579e9
    CRC-32: 865abbac
    File type: application/x-ms-dos-executable
    First seen: 2013-04-29
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SampleService\Security
    Security
    (binary security descriptor; value not printable)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    (binary value; not printable)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    (binary value; not printable)
  • HKLM\SYSTEM\CurrentControlSet\Services\SampleService
    Description
    Service program written Software.
  • HKLM\SYSTEM\CurrentControlSet\Services\SampleService\Enum
    NextInstance
    0x00000001
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Processes Created
  • c:\windows\system32\ssam.exe
  • c:\windows\system32\ssan.exe
DNS Requests
  • s3-ap-southeast-2.amazonaws.com