HPsus/Poison-A

Category: Suspicious behaviour and files    Protection available since: 08 Nov 2011 15:07:25 (GMT)
Type: Suspicious file    Last updated: 08 Nov 2011 15:07:25 (GMT)


HPsus/Poison-A is a run-time (behavioural) detection for the Poison Ivy Remote Administration Trojan (RAT). It triggers on what a sample does while executing rather than on a static signature, which is why the files listed below differ in size and hash while sharing the same observed behaviour.

Examples of HPsus/Poison-A include:

Example 1

File Information

Size
152K
SHA-1
5dc751444c1fe96055047fd867eed7b3608847b7
MD5
76000c77ea9a214f5b2ae8cc387809db
CRC-32
93bf51bc
File type
Windows executable
First seen
2011-05-21

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\love.exe
    Size
    109K
    SHA-1
    3bb82621471033010e9074bd07ecd67040cf57a0
    MD5
    fa9d2f203635a25c82423d26a6bf0749
    CRC-32
    59ed0621
    File type
    Windows executable
    First seen
    2011-05-21
  • c:\Documents and Settings\test user\Local Settings\Temp\dick.txt
    Size
    7.3K
    SHA-1
    b11580777ce9c6fe36c77714dd8cf5fd01d1c149
    MD5
    a7b18cb7ce6b88541d516dd363c3bd33
    CRC-32
    2d4f64b5
    File type
    Unspecified binary - probably data
    First seen
    2011-05-18

Example 2

File Information

Size
139K
SHA-1
66401cb0dfdcb9b26de9bf086bc855fe4e0ec7f3
MD5
5d075e9536c5494745135c1176981c96
CRC-32
fcdb7c43
File type
Windows executable
First seen
2011-06-10

Other vendor detection

Kaspersky
Trojan.Win32.Agent2.dokd

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Kool.txt
    Size
    7.3K
    SHA-1
    d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2
    MD5
    85836c667877f85a6171553dc23be408
    CRC-32
    6987efdb
    File type
    Unspecified binary - probably data
    First seen
    2011-05-30
  • C:\Program Files\Common Files\ODBC.dat
    Size
    7.3K
    SHA-1
    d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2
    MD5
    85836c667877f85a6171553dc23be408
    CRC-32
    6987efdb
    File type
    Unspecified binary - probably data
    First seen
    2011-05-30
  • c:\Documents and Settings\test user\Local Settings\Temp\t1.exe
    Size
    76K
    SHA-1
    4ebc449441e5b51a76c4dc43bb7cdeaa58370762
    MD5
    4e001249715db5943def9d4d1a9a8006
    CRC-32
    95724b6c
    File type
    Windows executable
    First seen
    2011-06-10
  • C:\WINDOWS\system32_ADS_AlternateDataStream_Found_adobe.exe (the sandbox's marker for a file written into an NTFS alternate data stream, so it does not show up in a normal directory listing)
    Size
    77K
    SHA-1
    f67682eca91515c6fab69af80be98a90fc361304
    MD5
    f185d83442743101e138003d25c99c69
    CRC-32
    a7efad3b
    File type
    MS-DOS executable
    First seen
    2011-06-10
  • C:\WINDOWS\java\classes\JDE.cer
    Size
    7.3K
    SHA-1
    d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2
    MD5
    85836c667877f85a6171553dc23be408
    CRC-32
    6987efdb
    File type
    Unspecified binary - probably data
    First seen
    2011-05-30
Modified Files
  • %SYSTEM%
    • Set the archive flag
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{AD2B5BBB-7B05-98C5-DAC8-19AC466D0C3C}
    StubPath
    (value unrecoverable: the report's copy is mis-encoded binary data). Windows runs a component's StubPath for each user at logon until that user's HKCU copy of the key records the same version, which is what makes a rogue Installed Components entry a persistence mechanism.
  • HKCU\Software\WinRAR SFX (written by WinRAR's self-extractor, so the sample is packaged as a WinRAR SFX archive)
    Value name: C%%DOCUME~1%support%LOCALS~1%Temp (the extraction path with ':' and '\' written as '%')
    Value data: C:\DOCUME~1\support\LOCALS~1\Temp
Processes Created
  • c:\docume~1\support\locals~1\temp\t1.exe
HTTP Requests (as logged by the sandbox; the "request" lines are binary rather than HTTP, consistent with Poison Ivy's own encrypted protocol being spoken over port 80)
  • http://-+e\xa5\x87#\x85\xb8t\x0c
  • http://-\x94\xbee\xb7\xdc\xa5\x8aK\x8e\xe4\xff\xa7\v;\xb0\xee\x8a\xe1\x89\x1b!\xd3\xb3\x14\xa3\xcf/\x86)Y\x07DJ\xdaT\x04
IP Connections
  • 204.74.215.58:80
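The persistence in Example 2 lives in the Active Setup key above, and the sandbox also recorded the marker key WinRAR's self-extractor leaves behind. The script below is an added example, not Sophos tooling and not part of the original report: it parses a `reg export` of those keys and flags the traits seen here, namely a StubPath that decodes to garbage, points into a Temp directory, or names an NTFS alternate data stream. The export it ships with is constructed: only the `{AD2B5BBB-7B05-98C5-DAC8-19AC466D0C3C}` GUID comes from the page; the StubPath target `C:\WINDOWS\system32:adobe.exe`, the benign-looking regsvr32 entry and the WinRAR SFX contents are hypothetical placeholders.

```python
"""Triage a registry export for the Active Setup / WinRAR SFX artefacts in Example 2.

Added example, not Sophos tooling. Input is the text reg.exe writes for
    reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" as.reg
(a UTF-16 file: open it with encoding="utf-16"). SAMPLE_EXPORT is constructed; only
the second GUID comes from the page, everything else in it is a placeholder.
"""
import re

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')     # "name"=data  or  @=data
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")               # hex:, hex(2):, hex(7): ...
ACTIVE_SETUP = "\\active setup\\installed components\\"
AS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
          r"\{AD2B5BBB-7B05-98C5-DAC8-19AC466D0C3C}")

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escapes backslash and quote with a backslash

def _decode(data):
    """Decode one .reg value literal. hex(2) (REG_EXPAND_SZ) is a UTF-16LE byte list;
    truncated or garbage bytes decode to U+FFFD, which is how a damaged StubPath
    like the one in this report shows up."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if int(m.group(1) or 3) == 2:                # bare "hex:" is REG_BINARY (3)
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw

def parse_reg(text):
    """{key: {value_name: value}} for a .reg export; joins reg.exe's backslash-continued lines."""
    logical = []
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line
        else:
            logical.append(line)
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            keys[current][name] = _decode(m.group(2))
    return keys

def stubpath_reasons(value):
    """Why a StubPath looks like persistence (empty list = nothing odd)."""
    if not isinstance(value, str):
        return ["StubPath is not a string value"]
    reasons = []
    if "\ufffd" in value or any(ord(c) < 0x20 for c in value):
        reasons.append("StubPath contains unprintable or undecodable characters")
    v = value.strip()                            # executable = quoted path or first token
    exe = (v.split('"')[1] if v.startswith('"') else v.split(" ", 1)[0]).lower()
    if exe[1:2] == ":" and ":" in exe[2:]:       # drive:\dir\file:stream
        reasons.append(f"StubPath runs from an NTFS alternate data stream: {exe}")
    if "%temp%" in exe or re.search(r"\\(temp|tmp|locals~1)\\", exe):
        reasons.append(f"StubPath runs from a temp directory: {exe}")
    return reasons

def triage(text):
    """(key, finding) pairs: suspicious Active Setup StubPaths and WinRAR SFX traces."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        lowered = {n.lower(): v for n, v in values.items()}
        if ACTIVE_SETUP in k and "stubpath" in lowered:
            findings += [(key, r) for r in stubpath_reasons(lowered["stubpath"])]
        elif k.endswith("\\winrar sfx"):         # value name = same path with ':' and '\' as '%'
            findings += [(key, f"WinRAR self-extractor ran, unpacking to {data}") for data in values.values()]
    return findings

def _hex2(s, per_line=20):
    """Encode s the way reg.exe exports a REG_EXPAND_SZ: hex(2): UTF-16LE bytes, wrapped."""
    hx = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(hx[i:i + per_line]) for i in range(0, len(hx), per_line))

SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]",
    r'"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:U shell32.dll"',   # benign-looking (constructed)
    "",
    "[" + AS_KEY + "]",
    '"StubPath"=' + _hex2(r"C:\WINDOWS\system32:adobe.exe"),   # hypothetical ADS target, not from the page
    "",
    r"[HKEY_CURRENT_USER\Software\WinRAR SFX]",
    r'"C%%DOCUME~1%support%LOCALS~1%Temp"="C:\\DOCUME~1\\support\\LOCALS~1\\Temp"',
])
```

Run `triage(open("as.reg", encoding="utf-16").read())` on a real export. The benign entry is ignored, the ADS StubPath and the WinRAR SFX trace are reported, and an export whose StubPath bytes are damaged the way this report's copy is will be flagged as undecodable rather than silently skipped.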

Example 3

File Information

Size
150K
SHA-1
e67d5866635878953cc93e210a3af2905ad452df
MD5
a98d2c90b9494fc885c7cd35d43666ea
CRC-32
16d086f3
File type
Windows executable
First seen
2011-05-09

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\loo.txt
    Size
    7.3K
    SHA-1
    b11580777ce9c6fe36c77714dd8cf5fd01d1c149
    MD5
    a7b18cb7ce6b88541d516dd363c3bd33
    CRC-32
    2d4f64b5
    File type
    Unspecified binary - probably data
    First seen
    2011-05-18
  • c:\Documents and Settings\test user\Local Settings\Temp\winword.doc
  • c:\Documents and Settings\test user\Local Settings\Temp\ie.exe
    Size
    62K
    SHA-1
    87f1c9c768f4befa440a64f428c9bfe6e6615ec8
    MD5
    abe980ea68db4742da7672c9934f0c99
    CRC-32
    5bd727ea
    File type
    Windows executable
    First seen
    2011-05-11
Registry Keys Created
  • HKCU\Software\WinRAR SFX (written by WinRAR's self-extractor, so the sample is packaged as a WinRAR SFX archive)
    Value name: C%%DOCUME~1%support%LOCALS~1%Temp (the extraction path with ':' and '\' written as '%')
    Value data: C:\DOCUME~1\support\LOCALS~1\Temp
Processes Created
  • c:\program files\windows nt\accessories\wordpad.exe
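The three examples are identified only by SHA-1, MD5 and CRC-32. The script below is an added example, not Sophos tooling: it computes those three digests in the form the page presents them, matches a directory tree against the page's table, and groups files by content, which surfaces the pattern Example 2 shows where one 7.3K blob is written as Kool.txt, ODBC.dat and JDE.cer. The hashes are copied from this page; the demo directory it builds holds constructed placeholder data, not the samples.

```python
"""Check files against the HPsus/Poison-A sample hashes listed on this page.

Added example, not Sophos tooling. IOC_TABLE is copied from the page's three
examples; the files demo() writes are constructed placeholders, not samples.
"""
import hashlib
import os
import tempfile
import zlib
from collections import defaultdict

# (sha1, md5, crc32, label) as listed on the page
IOC_TABLE = [
    ("5dc751444c1fe96055047fd867eed7b3608847b7", "76000c77ea9a214f5b2ae8cc387809db", "93bf51bc", "Example 1 dropper"),
    ("3bb82621471033010e9074bd07ecd67040cf57a0", "fa9d2f203635a25c82423d26a6bf0749", "59ed0621", "Example 1 dropped love.exe"),
    ("b11580777ce9c6fe36c77714dd8cf5fd01d1c149", "a7b18cb7ce6b88541d516dd363c3bd33", "2d4f64b5", "7.3K data blob (dick.txt / loo.txt)"),
    ("66401cb0dfdcb9b26de9bf086bc855fe4e0ec7f3", "5d075e9536c5494745135c1176981c96", "fcdb7c43", "Example 2 dropper"),
    ("d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2", "85836c667877f85a6171553dc23be408", "6987efdb", "7.3K data blob (Kool.txt / ODBC.dat / JDE.cer)"),
    ("4ebc449441e5b51a76c4dc43bb7cdeaa58370762", "4e001249715db5943def9d4d1a9a8006", "95724b6c", "Example 2 dropped t1.exe"),
    ("f67682eca91515c6fab69af80be98a90fc361304", "f185d83442743101e138003d25c99c69", "a7efad3b", "Example 2 adobe.exe (alternate data stream)"),
    ("e67d5866635878953cc93e210a3af2905ad452df", "a98d2c90b9494fc885c7cd35d43666ea", "16d086f3", "Example 3 dropper"),
    ("87f1c9c768f4befa440a64f428c9bfe6e6615ec8", "abe980ea68db4742da7672c9934f0c99", "5bd727ea", "Example 3 dropped ie.exe"),
]
BY_DIGEST = {}
for _sha1, _md5, _crc, _label in IOC_TABLE:
    BY_DIGEST[("sha1", _sha1)] = _label
    BY_DIGEST[("md5", _md5)] = _label
    BY_DIGEST[("crc32", _crc)] = _label

def digests_of_bytes(data):
    """SHA-1, MD5 and CRC-32 of a byte string, formatted as on the page."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest(), f"{crc:08x}"

def digests(path, chunk=1 << 20):
    """Same three digests for a file, streamed so large files are not read whole."""
    sha1, md5, crc = hashlib.sha1(), hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha1.update(block)
            md5.update(block)
            crc = zlib.crc32(block, crc)
    return sha1.hexdigest(), md5.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"

def classify(sha1, md5, crc32):
    """Return (label, confidence). SHA-1/MD5 hits are 'confirmed'; a CRC-32-only
    hit is 'weak', since 32-bit checksums collide by accident all the time."""
    label = BY_DIGEST.get(("sha1", sha1)) or BY_DIGEST.get(("md5", md5))
    if label:
        return label, "confirmed"
    label = BY_DIGEST.get(("crc32", crc32))
    return (label, "weak") if label else (None, None)

def scan(root):
    """Walk root: return IOC hits plus a map of SHA-1 -> paths for any content
    that appears under more than one name, the pattern Example 2 shows for its
    7.3K blob (Kool.txt, ODBC.dat and JDE.cer share one hash)."""
    hits, by_content = [], defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha1, md5, crc = digests(path)
            except OSError:
                continue
            by_content[sha1].append(path)
            label, conf = classify(sha1, md5, crc)
            if label:
                hits.append((path, label, conf))
    dupes = {h: sorted(p) for h, p in by_content.items() if len(p) > 1}
    return hits, dupes

def demo():
    """Constructed directory: one placeholder blob under the three names from
    Example 2. No IOC hit is expected (the blob is not the real sample), but
    the duplicate-content grouping is."""
    with tempfile.TemporaryDirectory() as tmp:
        blob = b"constructed placeholder, not the real 7.3K blob\n" * 100
        for name in ("Kool.txt", "ODBC.dat", "JDE.cer"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        hits, dupes = scan(tmp)
        return hits, {h: [os.path.basename(p) for p in ps] for h, ps in dupes.items()}
```

Point `scan()` at a quarantine or sandbox output directory. Treat a CRC-32-only match as a prompt to pull the file for a proper look, not as a verdict; the SHA-1 and MD5 values are what confirm a sample.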
