Troj/VB-GJZ exhibits the following characteristics:
File Information
- Size: 52K
- SHA-1: 8955322575215e14fde9191f484079d6497838b0
- MD5: 1c4d6d1c7124864c8feead6947f981ea
- CRC-32: 59d7e4ea
- File type: Windows executable
- First seen: 2013-01-31
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Application Data\Nugkknnzz\pyyddhvbvmu.exe
Registry Keys Created
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - DefaultConnectionSettings = (binary data)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - vjkubvmu = c:\Documents and Settings\test user\Application Data\Nugkknnzz\pyyddhvbvmu.exe
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\5C9ED9D1
  - 1819 = 0x00000000
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
  - Debugger = hlpf.exe
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - DefaultConnectionSettings = (binary data)
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
- HKCU\Identities
  - Identity Login = 0x00098053
Registry Keys Modified
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - SavedLegacySettings = 3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 a0 70 43 b4 69 ff cd 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - History = C:\WINDOWS\system32\config\systemprofile\Local Settings\History
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
  - CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
  - Directory = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - SavedLegacySettings = 3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 a0 70 43 b4 69 ff cd 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - History = C:\WINDOWS\system32\config\systemprofile\Local Settings\History
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
  - CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
  - CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
  - CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3
Processes Created
- c:\docume~1\support\locals~1\temp\zuurppjjll.pre
- c:\windows\system32\ctfmon.exe
- c:\windows\system32\svchost.exe
HTTP Requests
- http://google.com/
- http://kcrio-oum.com/typo3.php
DNS Requests
- cyaldibet.mrbasic.com
- dnogrunvrein.sytes.net
- gellax.com
- google.com
- gundireun.servegame.com
- hediem.net
- idore.net
- kcrio-oum.com