HPsus/FakeAV-G

Category: Suspicious behaviour and files. Protection available since: 10 May 2011 16:33:22 (GMT)
Type: Suspicious file. Last updated: 10 May 2011 16:33:22 (GMT)


HPsus/FakeAV-G exhibits the following characteristics:

File Information

Size: 232K
SHA-1: 4febcc17e55a1268109b0154dcc7353a68aaf055
MD5: bf8618e17b4c465a90bc07701905d052
CRC-32: d957b5cf
File type: application/x-ms-dos-executable
First seen: 2011-05-09

Other vendor detection

Kaspersky: Trojan.Win32.FakeAV.cxqh

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\xdq.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
    Size: 3.6K
    SHA-1: 7323ae1adb31bc511f01757d6181c53d238df557
    MD5: eaf12b30f8e626b3c24beb7921663d72
    CRC-32: e9e68b12
    File type: application/octet-stream
    First seen: 2011-05-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
    Size: 3.6K
    SHA-1: 7323ae1adb31bc511f01757d6181c53d238df557
    MD5: eaf12b30f8e626b3c24beb7921663d72
    CRC-32: e9e68b12
    File type: application/octet-stream
    First seen: 2011-05-11
  • c:\Documents and Settings\test user\Templates\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
    Size: 3.6K
    SHA-1: 7323ae1adb31bc511f01757d6181c53d238df557
    MD5: eaf12b30f8e626b3c24beb7921663d72
    CRC-32: e9e68b12
    File type: application/octet-stream
    First seen: 2011-05-11
  • C:\Documents and Settings\All Users\Application Data\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
    Size: 3.6K
    SHA-1: 7323ae1adb31bc511f01757d6181c53d238df557
    MD5: eaf12b30f8e626b3c24beb7921663d72
    CRC-32: e9e68b12
    File type: application/octet-stream
    First seen: 2011-05-11
Modified Files
  • %PROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • Changed the file contents
Registry Keys Created
  • HKCU_Classes\exefile\shell\runas\command
    (Default)
    "%1" %*
  • HKCU_Classes\exefile\shell\open\command
    (Default)
    "c:\test_item.exe" -a "%1" %*
  • HKCU_Classes\exefile
    Content Type
    application/x-msdownload
  • HKCU\Software\Classes\exefile
    (Default)
    Application
  • HKCU\Software\Classes\exefile\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\.exe\DefaultIcon
    (Default)
    %1
  • HKCU_Classes\.exe\shell\open\command
    (Default)
    "c:\test_item.exe" -a "%1" %*
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DisableNotifications
    0x00000001
  • HKCU\Software\Microsoft\Windows
    Identity
    0x3cd16d78
  • HKCU\Software\Classes\exefile\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\.exe\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\exefile\DefaultIcon
    (Default)
    %1
  • HKCU\Software\Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\.exe
    (Default)
    exefile
  • HKCU\Software\Classes\.exe
    (Default)
    exefile
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    DisableNotifications
    0x00000001
Registry Keys Modified
  • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (Default)
    "c:\sample.exe" -a "C:\Program Files\Intern
  • HKLM\SOFTWARE\Microsoft\Security Center
    FirewallOverride
    0x00000001
HTTP Requests
  • http://jidizakecuho.com/1007000313
  • http://lenefexejagoka.com/1007000313
  • http://varolowuqiz.com/1007000313
DNS Requests
