Troj/MSIL-QO

Category: Viruses and Spyware
Protection available since: 21 Apr 2014 20:51:39 (GMT)
Type: Trojan
Last Updated: 21 Apr 2014 20:51:39 (GMT)
Prevalence: Small Number of Reports

Examples of Troj/MSIL-QO include:

Example 1

File Information

Size
328K
SHA-1
01c61cfc4293e058131bd86a66262347be580e5c
MD5
09fe0ec0fd66e5f71db6ccbc8f602b54
CRC-32
e0d1f202
File type
Windows executable
First seen
2014-04-15

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\Microsoft.com
  • c:\Documents and Settings\test user\Local Settings\Temp\5117
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    WindowsUpdate
    "C:\Program Files\Windows Manager\winmgr.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCFManager.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCFService.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swc_service.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr.exe
    DisableExceptionChainValidation
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals
    3243
    C:\Program Files\Windows Manager\winmgr.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAVAdminService.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKCU\Software\Microsoft\Windows\CurrentVersion\IME
    WindowsUpdate
    "C:\Program Files\Windows Manager\winmgr.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
    Debugger
    C:\WINDOWS\system32\Microsoft.com
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Load
    C:\WINDOWS\system32\Microsoft.com
Processes Created
  • c:\program files\windows manager\winmgr.exe
DNS Requests
  • crackitshop.com

Example 2

File Information

Size
324K
SHA-1
4cc8469efe12f8dbf01223f90060996a6b653194
MD5
35b34abf16db3a9e2b294a2027f597de
CRC-32
b1d35c7c
File type
Windows executable
First seen
2014-03-25

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\Microsoft FxCop\SamSs.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\PowerAutobuyer.exe
  • c:\Documents and Settings\test user\Local Settings\Temp\Error Log
    Size
    103
    SHA-1
    55d860e9a795304e6df999b1c06f9b942d445392
    MD5
    9ba00b5191a0ae9a9c9df723a21e5c53
    CRC-32
    e4c9a9db
    File type
    application/octet-stream
    First seen
    2014-03-25
  • c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
Registry Keys Created
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    AXS5WRMYJR
    March 25, 2014
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    WMI Performance Adapter
    c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    AXS5WRMYJR
    PowerAutobuyer
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\microsoft fxcop\samss.exe
  • c:\Documents and Settings\test user\application data\microsoft fxcop\wmiapsrv.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 11mathieucg.no-ip.biz
  • 1mathieucg.no-ip.biz
  • 21mathieucg.no-ip.biz
  • 31mathieucg.no-ip.biz
  • 41mathieucg.no-ip.biz
  • 51mathieucg.no-ip.biz
  • 61mathieucg.no-ip.biz
  • 71mathieucg.no-ip.biz
  • 81mathieucg.no-ip.biz

Example 3

File Information

Size
514K
SHA-1
53bff93b231ad4c2ab4e7063de0362832b2bbf82
MD5
c0dd915cb65b134e3e4c68482d96782f
CRC-32
fa484be5
File type
Windows executable
First seen
2014-03-25

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\Microsoft FxCop\SamSs.exe
Dropped Files
  • c:\Documents and Settings\test user\My Documents\MSDCSC\msdcsc.exe
  • c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
Modified Files
  • %WINDOWS%\Microsoft.NET\Framework\v2.0.50727
    • Set the hidden and system flags
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    MicroUpdate
    c:\Documents and Settings\test user\My Documents\MSDCSC\msdcsc.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    WMI Performance Adapter
    c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,c:\Documents and Settings\test user\My Documents\MSDCSC\msdcsc.exe
Processes Created
  • c:\Documents and Settings\test user\application data\microsoft fxcop\samss.exe
  • c:\Documents and Settings\test user\application data\microsoft fxcop\wmiapsrv.exe
  • c:\Documents and Settings\test user\my documents\msdcsc\msdcsc.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\attrib.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\notepad.exe
DNS Requests
  • sales03.no-ip.biz