Mal/Bredo-K

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 15 Mar 2011 11:00:05 (GMT)
Last Updated: 17 Apr 2012 18:58:18 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Bredo-K include:

Example 1

File Information

Size
15K
SHA-1
086867cdd07c8b8e6383be120c108e1edc33d995
MD5
348a280e1dc843839056a982c5bf713d
CRC-32
3c9e9901
File type
Windows executable
First seen
2011-04-20

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Templates\2w8x10neg0y7vplrh8k3kj66
    Size
    5.0K
    SHA-1
    8c7a69c5d659abfd69a6543f4b6a2ef07a091e68
    MD5
    d1de6655ebf6c2fc44f5b3943bc325eb
    CRC-32
    f4197373
    File type
    Unspecified binary - probably data
    First seen
    2011-04-20
  • c:\Documents and Settings\test user\Local Settings\Application Data\2w8x10neg0y7vplrh8k3kj66
    Size
    5.0K
    SHA-1
    8c7a69c5d659abfd69a6543f4b6a2ef07a091e68
    MD5
    d1de6655ebf6c2fc44f5b3943bc325eb
    CRC-32
    f4197373
    File type
    Unspecified binary - probably data
    First seen
    2011-04-20
  • c:\Documents and Settings\test user\Local Settings\Temp\2w8x10neg0y7vplrh8k3kj66
    Size
    5.0K
    SHA-1
    8c7a69c5d659abfd69a6543f4b6a2ef07a091e68
    MD5
    d1de6655ebf6c2fc44f5b3943bc325eb
    CRC-32
    f4197373
    File type
    Unspecified binary - probably data
    First seen
    2011-04-20
  • c:\Documents and Settings\test user\Local Settings\Application Data\ybh.exe
    Size
    332K
    SHA-1
    bf9f633011d212f38e6f81d7659a0628d14fb6fd
    MD5
    a3c7e8847ce35a4b79bf8d60438f9922
    CRC-32
    89133343
    File type
    Windows executable
    First seen
    2011-04-20
  • C:\Documents and Settings\All Users\Application Data\2w8x10neg0y7vplrh8k3kj66
    Size
    5.0K
    SHA-1
    8c7a69c5d659abfd69a6543f4b6a2ef07a091e68
    MD5
    d1de6655ebf6c2fc44f5b3943bc325eb
    CRC-32
    f4197373
    File type
    Unspecified binary - probably data
    First seen
    2011-04-20
Modified Files
  • %PROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\Classes\exefile
    (Default)
    Application
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DisableNotifications
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    DisableNotifications
    0x00000001
  • HKCU_Classes\.exe
    (Default)
    exefile
  • HKCU\Software\Classes\.exe\DefaultIcon
    (Default)
    %1
  • HKCU_Classes\exefile\DefaultIcon
    (Default)
    %1
  • HKCU_Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\exefile\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\ybh.exe" -a "%1" %*
  • HKCU\Software\Classes\.exe\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU_Classes\exefile
    Content Type
    application/x-msdownload
  • HKCU_Classes\exefile\shell\runas\command
    (Default)
    "%1" %*
  • HKCU\Software\Classes\exefile\shell\open\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Microsoft\Windows
    Identity
    0xbc6c627d
  • HKCU_Classes\.exe\shell\open\command
    (Default)
    "c:\Documents and Settings\test user\Local Settings\Application Data\ybh.exe" -a "%1" %*
  • HKCU\Software\Classes\.exe
    (Default)
    exefile
  • HKCU\Software\Classes\.exe\shell\runas\command
    IsolatedCommand
    "%1" %*
  • HKCU\Software\Classes\exefile\shell\runas\command
    IsolatedCommand
    "%1" %*
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Security Center
    FirewallOverride
    0x00000001
  • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (Default)
    "C:\Documents and Settings\support\Local Settings\Application Data\ybh.exe" -a "C:\Program Files\Intern
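
The registry changes above are the part of this report worth turning into a host check. `HKCU\Software\Classes` is merged into HKCR ahead of the machine-wide classes, so rewriting `exefile\shell\open\command` under the current user needs no administrator rights, and afterwards every .exe launched through the shell is started as `ybh.exe -a "<original program>" <arguments>`; the IE Start Menu entry is redirected the same way, and the three HKLM values set to 1 silence the firewall and Security Center alerts. The page lists no Run key or service, so this association hijack is the visible persistence. The following Python is an added example, not part of the original page or of Sophos's tooling: it parses a `.reg` export and flags any .exe/exefile open or runas command that is not the stock `"%1" %*`, a Start Menu Internet launcher whose program is not iexplore.exe, and the suppressed-alert values. The sample export is constructed from the values listed above; because the page truncates the IEXPLORE.EXE command, the `C:\Program Files\Internet Explorer\iexplore.exe` argument in the sample is an assumption.

```python
import re

# One value line of a .reg export: @=... is the key's (Default) value, "Name"=... a named value.
REG_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
EXE_DEFAULT = '"%1" %*'  # stock open/runas command for exefile on every Windows release

# HKLM values the sample set to 1 (listed on the page); 1 suppresses firewall/Security Center alerts.
FIREWALL_VALUES = (
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DisableNotifications"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile",
     "DisableNotifications"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallOverride"),
)
IE_LAUNCHER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command"


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}; dword data becomes int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data  # hex:/expand-sz data kept as written
    return keys


def program_of(command):
    """First token of a command line: the quoted program path, or the first bare word."""
    m = re.match(r'\s*"([^"]*)"', command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def audit(keys):
    findings = []
    # Any open/runas command for .exe or exefile other than '"%1" %*' wraps every shell launch.
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        for cls in (".exe", "exefile"):
            for verb in ("open", "runas"):
                key = f"{hive}\\Software\\Classes\\{cls}\\shell\\{verb}\\command"
                for name, cmd in keys.get(key, {}).items():
                    if cmd != EXE_DEFAULT:
                        findings.append(("exe-association-hijack", key, name, cmd))
    cmd = keys.get(IE_LAUNCHER, {}).get("(Default)")
    if cmd and not program_of(cmd).lower().endswith("iexplore.exe"):
        findings.append(("browser-launcher-hijack", IE_LAUNCHER, "(Default)", cmd))
    for key, name in FIREWALL_VALUES:
        if keys.get(key, {}).get(name) == 1:
            findings.append(("firewall-alerts-suppressed", key, name, 1))
    return findings


# Constructed sample export built from the values listed on the page (the iexplore.exe argument is assumed).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"c:\\Documents and Settings\\test user\\Local Settings\\Application Data\\ybh.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"c:\\Documents and Settings\\test user\\Local Settings\\Application Data\\ybh.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
'''

if __name__ == "__main__":
    for kind, key, name, value in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind}: [{key}] {name} = {value!r}")
```

On a live host the input comes from `reg export HKCU\Software\Classes classes.reg /y` plus exports of the two HKLM keys; reg.exe writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `parse_reg`. Because the check compares against the stock command rather than against the `ybh.exe` path seen here, it also catches the same hijack carried out with a differently named dropped file.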
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\ybh.exe
  • c:\docume~1\support\locals~1\temp\pusk3.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://caserdddt.com/pusk3.exe
  • http://vososyjumuj.com/1017000213
DNS Requests
  • basinobof.com
  • baxyzasagisoq.com
  • bybyvysugot.com
  • caserdddt.com
  • cubyzawawezy.com
  • dojewoboji.com
  • dygydypinynyx.com
  • foficyguwow.com
  • gurydivadu.com
  • jocemufeb.com
  • kizikocidorek.com
  • komeriqoxuri.com
  • kujaqiqaje.com
  • kumebyduwuvoc.com
  • lixuhejaroquw.com
  • lixumokyfo.com
  • lylimeqokivo.com
  • mobosijeb.com
  • najelijywar.com
  • nezutepazew.com
  • nitodocyri.com
  • pepabahaturap.com
  • qodikowyfiv.com
  • quwecanocowi.com
  • rokyhepym.com
  • rorylexyzabihy.com
  • rywoxekomecig.com
  • sozodikuqulec.com
  • veqilakazujago.com
  • vojocokipy.com
  • vososyjumuj.com
  • wepiminymu.com

Example 2

File Information

Size
13K
SHA-1
0c47948133618a602698502b6d887f3f823afb3e
MD5
9d329adec608c5df4220a8dc23fcbc9e
CRC-32
21cb1bcf
File type
Windows executable
First seen
2011-04-08

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\pusk2.exe
    Size
    492
    SHA-1
    69f741f8a057e33e4b632d15a6d17ea380b5a364
    MD5
    03db58313da8c14a3039d30755ae83a9
    CRC-32
    f6605fa2
    File type
    Hypertext Markup Language
    First seen
    2011-04-11
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://bigzalupen.ru/pusk2.exe
DNS Requests
  • bigzalupen.ru

Example 3

File Information

Size
15K
SHA-1
1fbd8d3b0a3479274d8f09543452bf724bcb245c
MD5
5085794e6c283ebcfa3878805b9e7be7
CRC-32
16882bf6
File type
Windows executable
First seen
2011-04-12

Other vendor detection

Kaspersky
Trojan.Win32.Sasfis.bgzv

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\pusk.exe
    Size
    332K
    SHA-1
    c56b7ab2123dbd49902446ffcc0cf59d6a865857
    MD5
    a50a91176b5aeb96b8b77b99d587c485
    CRC-32
    40452636
    File type
    Windows executable
    First seen
    2011-04-12
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://hdjfskh.net/pusk.exe
DNS Requests
  • hdjfskh.net
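
The network and file indicators from all three examples (contacted domains, download URLs, dropped-file hashes) in a form that can be run over logs, as an added example that is not part of the original page or of Sophos's tooling. The domain list and SHA-1 values are copied from the page; the resolver and proxy log formats, client addresses, benign lines, and the third download line are constructed. Note that the download names differ only by a digit (pusk.exe, pusk2.exe, pusk3.exe), so the example also flags that name pattern on any host, which is a generalisation beyond the page; and that hash matching on the payload is brittle here, since in example 2 the server returned a 492-byte HTML page instead of the executable, so the domains and the registry behaviour are the more durable indicators.

```python
import hashlib
import re

# Indicators copied from the three Mal/Bredo-K examples on this page.
IOC_SHA1 = {
    "086867cdd07c8b8e6383be120c108e1edc33d995": "example 1 dropper",
    "8c7a69c5d659abfd69a6543f4b6a2ef07a091e68": "example 1 dropped data file 2w8x10neg0y7vplrh8k3kj66",
    "bf9f633011d212f38e6f81d7659a0628d14fb6fd": "example 1 dropped payload ybh.exe",
    "0c47948133618a602698502b6d887f3f823afb3e": "example 2 dropper",
    "69f741f8a057e33e4b632d15a6d17ea380b5a364": "example 2 pusk2.exe (HTML, not a PE)",
    "1fbd8d3b0a3479274d8f09543452bf724bcb245c": "example 3 dropper",
    "c56b7ab2123dbd49902446ffcc0cf59d6a865857": "example 3 dropped payload pusk.exe",
}
IOC_DOMAINS = set("""
basinobof.com baxyzasagisoq.com bybyvysugot.com caserdddt.com cubyzawawezy.com
dojewoboji.com dygydypinynyx.com foficyguwow.com gurydivadu.com jocemufeb.com
kizikocidorek.com komeriqoxuri.com kujaqiqaje.com kumebyduwuvoc.com lixuhejaroquw.com
lixumokyfo.com lylimeqokivo.com mobosijeb.com najelijywar.com nezutepazew.com
nitodocyri.com pepabahaturap.com qodikowyfiv.com quwecanocowi.com rokyhepym.com
rorylexyzabihy.com rywoxekomecig.com sozodikuqulec.com veqilakazujago.com vojocokipy.com
vososyjumuj.com wepiminymu.com bigzalupen.ru hdjfskh.net
""".split())
# Assumption beyond the page: the observed pusk.exe / pusk2.exe / pusk3.exe generalise to pusk<digits>.exe.
PAYLOAD_NAME = re.compile(r"/pusk\d*\.exe(?:[?#]|$)", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
HOST_IN_URL = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)
FQDN = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def ioc_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_dns(lines):
    """One hit per resolver log line that names a listed domain (dotted IPs never match)."""
    hits = []
    for line in lines:
        for name in FQDN.findall(line):
            dom = ioc_domain(name)
            if dom:
                hits.append(("dns", dom, line))
                break
    return hits


def scan_http(lines):
    """Flag URLs on listed domains, and the payload file name on any other host."""
    hits = []
    for line in lines:
        for url in URL.findall(line):
            m = HOST_IN_URL.match(url)
            host = m.group(1) if m else ""
            path = url[m.end():] if m else url
            dom = ioc_domain(host)
            if dom:
                hits.append(("http-c2-domain", dom, url))
            elif PAYLOAD_NAME.search(path):
                hits.append(("http-payload-name", host.lower(), url))
    return hits


def scan_hashes(inventory):
    """inventory: iterable of (path, sha1_hex) pairs, e.g. built with sha1_file()."""
    return [("file", IOC_SHA1[h.lower()], path) for path, h in inventory if h.lower() in IOC_SHA1]


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(dns_lines, http_lines, inventory):
    return scan_dns(dns_lines) + scan_http(http_lines) + scan_hashes(inventory)


# Constructed sample input (not from the page): resolver lines, proxy lines and a host's file inventory.
SAMPLE_DNS = [
    "2011-04-20 10:01:02 10.0.0.5 query A caserdddt.com",
    "2011-04-20 10:01:03 10.0.0.5 query A vososyjumuj.com",
    "2011-04-20 10:01:04 10.0.0.7 query A www.example.com",
]
SAMPLE_HTTP = [
    "2011-04-20 10:01:03 10.0.0.5 GET http://caserdddt.com/pusk3.exe 200",
    "2011-04-20 10:01:05 10.0.0.5 GET http://vososyjumuj.com/1017000213 200",
    "2011-04-20 10:01:09 10.0.0.9 GET http://cdn.example.net/files/pusk.exe 200",
    "2011-04-20 10:01:10 10.0.0.7 GET http://www.example.com/index.html 200",
]
SAMPLE_INVENTORY = [
    (r"c:\Documents and Settings\test user\Local Settings\Application Data\ybh.exe", "bf9f633011d212f38e6f81d7659a0628d14fb6fd"),
    (r"c:\Documents and Settings\test user\Templates\2w8x10neg0y7vplrh8k3kj66", "8C7A69C5D659ABFD69A6543F4B6A2EF07A091E68"),
    (r"c:\windows\system32\notepad.exe", "0000000000000000000000000000000000000000"),  # constructed benign entry
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_DNS, SAMPLE_HTTP, SAMPLE_INVENTORY):
        print(hit)
```

Subdomains of a listed name are matched as well, so a resolver entry for `www.caserdddt.com` still fires; the reverse (a listed name appearing as a label inside some other domain) does not.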