Mal/Jorik-F

Category: Viruses and Spyware
Protection available since: 20 Jun 2011 04:53:50 (GMT)
Type: Malicious behavior
Last Updated: 20 Jun 2011 04:53:50 (GMT)
Prevalence: Small Number of Reports

Examples of Mal/Jorik-F include:

Example 1

File Information

Size: 3.6M
SHA-1: 0fa2aaad4bfc1a7731bc02a7327a74ae666c8654
MD5: 6f446ef46df0e3d15e909f5cac94d80a
CRC-32: 8d99779f
File type: application/x-ms-dos-executable
First seen: 2011-05-02

Runtime Analysis

Copies Itself To
  • C:\temp\install\crss.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\support7
    Size: 8
    SHA-1: deb31a9b286608c087e41b33ad4de7b17e52d953
    MD5: a60507118843dadfc82144397f6f5621
    CRC-32: 81463fdf
    File type: application/octet-stream
    First seen: 2011-06-20
  • c:\Documents and Settings\test user\Local Settings\Temp\Encrypted.exe
    Size: 148K
    SHA-1: 6aaf279af42c4b81346134268e27984d2a0bb638
    MD5: ec16e457f570efc0725366be1f169273
    CRC-32: 00a42513
    File type: application/x-ms-dos-executable
    First seen: 2011-04-25
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\registration.exe
    Size: 567K
    SHA-1: 06dd4dd8fee4d95c01ae2eef61ab304032f7521c
    MD5: bbb6e1c7fd30a5799bc73b4a596e279d
    CRC-32: 51b70ea4
    File type: application/x-ms-dos-executable
    First seen: 2011-02-24
  • c:\Documents and Settings\test user\Application Data\supportlog.dat
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\FPC.exe
    Size: 299K
    SHA-1: 9e4e6f0587a4371f7d316a4836abf5ee4275e71b
    MD5: e461a0546ccd681279749f71df24babd
    CRC-32: 69e7aef0
    File type: application/x-ms-dos-executable
    First seen: 2011-05-02
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\fpdfcjk.bin
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\vpr_ui.dll
    Size: 2.9M
    SHA-1: 20a4c823ab4611ef7ea62aca2e3d9c2da66b76e0
    MD5: 7022245abe30c7e912f2d49ef1cfa81d
    CRC-32: 256e0e4a
    File type: application/x-ms-dos-executable
    First seen: 2011-02-24
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\uninstall.exe
    Size: 443K
    SHA-1: bad0cb12d869b76f76bf296a4a1f5da5375709bc
    MD5: a5cd432aeef4024a9cb9c977e0c26b15
    CRC-32: 718f96f0
    File type: application/x-ms-dos-executable
    First seen: 2011-02-24
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\vpr_drv.dll
    Size: 3.6M
    SHA-1: eba2ca01ff05c78cd76816a2b69e5fc028707511
    MD5: 403f3f17f7bfe7e32d2b9855b8952131
    CRC-32: fa2922c9
    File type: application/x-ms-dos-executable
    First seen: 2011-02-24
  • c:\Documents and Settings\test user\Application Data\support3SQLite3.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\support8
  • C:\WINDOWS\winsvchost.exe
    Size: 148K
    SHA-1: 6aaf279af42c4b81346134268e27984d2a0bb638
    MD5: ec16e457f570efc0725366be1f169273
    CRC-32: 00a42513
    File type: application/x-ms-dos-executable
    First seen: 2011-04-25
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\FXC_ProxyProcess.exe
    Size: 38K
    SHA-1: 4117fb7a307d9cdbd2c32a6e2a94e72f72dae276
    MD5: 73f47dbc3737140a621a21c40a9d63c6
    CRC-32: 9a392c9d
    File type: application/x-ms-dos-executable
    First seen: 2010-09-08
  • c:\Documents and Settings\test user\Local Settings\Temp\279687.tmp
  • c:\Documents and Settings\test user\Local Settings\Temp\fox4.tmp\fpc_wordaddin.dll
    Size: 719K
    SHA-1: 22af62524db1d35626f5a96a04cc3cc79a40fcc5
    MD5: 0b539e65e9c05c1b5a9e88694bb662c6
    CRC-32: 8173f8a1
    File type: application/x-ms-dos-executable
    First seen: 2011-02-24
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    smss.exe
    c:\temp\install\crss.exe
  • HKLM\SOFTWARE\Microsoft\umbra
    UID
    {70A0A7A3-9E2E-4D8C-9881-7697584AE628}
  • HKCU\Software\zyxell9
    FirstExecution
    20/06/2011 -- 05:55
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    smss.exe
    c:\temp\install\crss.exe
Processes Created
  • c:\docume~1\support\locals~1\temp\encrypted.exe
  • c:\docume~1\support\locals~1\temp\fox4.tmp\fpc.exe
  • c:\windows\winsvchost.exe
HTTP Requests
  • http://zyxell9.fileave.com/sqlite3.dll
DNS Requests
  • theokamphuis.nl
  • theonlineoffender.zapto.org
  • zyxell9.fileave.com

Example 2

File Information

Size: 848K
SHA-1: 1b7a6fec149064e34e8d6993e8517c937c6e1832
MD5: f16189524ee278a09b638e2270737137
CRC-32: c25453b6
File type: application/x-ms-dos-executable
First seen: 2011-04-22

Runtime Analysis

Copies Itself To
  • C:\temp\install\alg.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\prjLoader.exe
    Size: 52K
    SHA-1: 501291ab2b65e27224e8fc2f79dfc567cd6d9e9d
    MD5: 64557f8760f18f0cc2c7d38aca9663e3
    CRC-32: 2bc13e07
    File type: application/x-ms-dos-executable
    First seen: 2011-03-31
  • c:\Documents and Settings\test user\Local Settings\Temp\264921.tmp
  • c:\Documents and Settings\test user\Local Settings\Temp\support7
    Size: 8
    SHA-1: 83de0e50f98f12ab96bc7cf6deaeabd930e0ecfc
    MD5: 14589d8af13c3420ba9f3dad656e4d49
    CRC-32: c0dc212a
    File type: application/octet-stream
    First seen: 2011-06-20
  • c:\Documents and Settings\test user\Application Data\supportlog.dat
  • c:\Documents and Settings\test user\Local Settings\Temp\Berlin Sans FB.TTF
  • c:\Documents and Settings\test user\Local Settings\Temp\bassmod.dll
  • c:\Documents and Settings\test user\Application Data\support3SQLite3.dll
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    smss.exe
    c:\temp\install\alg.exe
  • HKCU\Software\zyxell9
    NewGroup
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    smss.exe
    c:\temp\install\alg.exe
HTTP Requests
  • http://zyxell9.fileave.com/sqlite3.dll
DNS Requests
  • zyxell9.fileave.com
  • zyxell9.zapto.org

Example 3

File Information

Size: 2.5M
SHA-1: 3ac05aa07d069428ece044dce207841d78b853a5
MD5: 66404d25292bd71e456bd3ad605373c3
CRC-32: fc4cb56e
File type: application/x-ms-dos-executable
First seen: 2011-04-28

Runtime Analysis

Copies Itself To
  • C:\temp\install\crss.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Encrypted.exe
    Size: 148K
    SHA-1: 6aaf279af42c4b81346134268e27984d2a0bb638
    MD5: ec16e457f570efc0725366be1f169273
    CRC-32: 00a42513
    File type: application/x-ms-dos-executable
    First seen: 2011-04-25
  • c:\Documents and Settings\test user\Local Settings\Temp\257484.tmp
  • c:\Documents and Settings\test user\Application Data\supportlog.dat
  • c:\Documents and Settings\test user\Application Data\support3SQLite3.dll
  • C:\WINDOWS\winsvchost.exe
    Size: 148K
    SHA-1: 6aaf279af42c4b81346134268e27984d2a0bb638
    MD5: ec16e457f570efc0725366be1f169273
    CRC-32: 00a42513
    File type: application/x-ms-dos-executable
    First seen: 2011-04-25
  • c:\Documents and Settings\test user\Local Settings\Temp\support8
    Size: 8
    SHA-1: b6cdd3e0a4f2047c3783e5c13bfd690cd6aa6c37
    MD5: 1302a3b92e9182851743ef4990f7287f
    CRC-32: fff74362
    File type: application/octet-stream
    First seen: 2011-06-20
  • c:\Documents and Settings\test user\Local Settings\Temp\support7
    Size: 8
    SHA-1: b6cdd3e0a4f2047c3783e5c13bfd690cd6aa6c37
    MD5: 1302a3b92e9182851743ef4990f7287f
    CRC-32: fff74362
    File type: application/octet-stream
    First seen: 2011-06-20
Registry Keys Created
  • HKCU\Software\zyxell9
    FirstExecution
    20/06/2011 -- 05:55
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    smss.exe
    c:\temp\install\crss.exe
  • HKLM\SOFTWARE\Microsoft\umbra
    UID
    {D730A854-75BB-40AB-8D8C-E8C65DE6330C}
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    smss.exe
    c:\temp\install\crss.exe
Processes Created
  • c:\docume~1\support\locals~1\temp\encrypted.exe
  • c:\temp\install\crss.exe
  • c:\windows\winsvchost.exe
HTTP Requests
  • http://zyxell9.fileave.com/sqlite3.dll
DNS Requests
  • theokamphuis.nl
  • theonlineoffender.zapto.org
  • zyxell9.fileave.com