W32/MSIL-FQ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 11 Sep 2013 14:40:13 (GMT)
Last Updated: 24 Jan 2014 16:01:26 (GMT)

Examples of W32/MSIL-FQ include:

Example 1

File Information

Size: 508K
SHA-1: 00086c2f7ccbe0e8b95dfb4efce6a9940b7f7b19
MD5: c9eada99b57297cbaf475980d4f0fda8
CRC-32: 2cb310c4
File type: Windows executable
First seen: 2013-09-03

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\FacbookUpdate.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\local.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\m2eicfba.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\AppLaunch\Service.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\i4i
Registry Keys Created
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    PHMG2457ES
    January 24, 2014
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\DOCUME~1\support\LOCALS~1\Temp\local.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\local.exe:*:Enabled:Windows Messanger
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    PHMG2457ES
    0903
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    FacbookUpdate
    c:\Documents and Settings\test user\Application Data\FacbookUpdate.exe
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\applaunch\service.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1serverstatus11.no-ip.org
  • 2serverstatus11.no-ip.org
  • 3serverstatus11.no-ip.org
  • 4serverstatus11.no-ip.org
  • 5serverstatus11.no-ip.org
  • 6serverstatus11.no-ip.org
  • serverstatus11.no-ip.org

Example 2

File Information

Size: 508K
SHA-1: 0856cc998b0fc76f4f1cc3c74d308eec232daeaa
MD5: 6eedc1cabc214cb40c688166ba6523ab
CRC-32: 0943d269
File type: Windows executable
First seen: 2013-09-04

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\FacbookUpdate.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\AppLaunch\Service.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\local.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\1f-t5aww.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\i4i
Registry Keys Created
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    PHMG2457ES
    September 9, 2013
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    FacbookUpdate
    c:\Documents and Settings\test user\Application Data\FacbookUpdate.exe
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    PHMG2457ES
    0903
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\DOCUME~1\support\LOCALS~1\Temp\local.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\local.exe:*:Enabled:Windows Messanger
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\applaunch\service.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1serverstatus11.no-ip.org
  • 2serverstatus11.no-ip.org
  • 3serverstatus11.no-ip.org
  • 4serverstatus11.no-ip.org
  • 5serverstatus11.no-ip.org
  • 6serverstatus11.no-ip.org
  • serverstatus11.no-ip.org

Example 3

File Information

Size: 508K
SHA-1: 0a1380d8008a3df0ee6de88936299242348b9dc4
MD5: 4cf1abf81b9728f1cc1f8f01a81e336d
CRC-32: 3f8ea243
File type: Windows executable
First seen: 2013-09-04

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\FacbookUpdate.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\local.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\lihuazmm.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\AppLaunch\Service.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\i4i
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\DOCUME~1\support\LOCALS~1\Temp\local.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\local.exe:*:Enabled:Windows Messanger
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    FacbookUpdate
    c:\Documents and Settings\test user\Application Data\FacbookUpdate.exe
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    PHMG2457ES
    0903
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    PHMG2457ES
    September 6, 2013
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\local settings\temp\applaunch\service.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1serverstatus11.no-ip.org
  • 2serverstatus11.no-ip.org
  • 3serverstatus11.no-ip.org
  • 4serverstatus11.no-ip.org
  • 5serverstatus11.no-ip.org
  • 6serverstatus11.no-ip.org
  • serverstatus11.no-ip.org