
Troj/Rerol-A

Category: Viruses and Spyware
Type: Trojan
Protection available since: 29 Apr 2014 11:53:56 (GMT)
Last Updated: 17 Jul 2014 01:46:03 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Rerol-A include:

Example 1

File Information

Size: 16K
SHA-1: 53fbfb28413b16a3dfc69798560fb24c3a0c58dc
MD5: 5e2360a8c4a0cce1ae22919d8bff49fd
CRC-32: 3e962ad1
File type: Windows executable
First seen: 2014-04-28

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\test_item.exe
Dropped Files
  • C:\WINDOWS\system32\mfidmdi.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\explorer.exe
    Size: 77K
    SHA-1: 2a2390f5280c8c2499eecdef7ea77620ca961c67
    MD5: e7dc3bbe8b38b7ee0e797a0e27635cfa
    CRC-32: bb928f2c
    File type: Windows executable
    First seen: 2014-04-16
  • C:\WINDOWS\system32\khuvaxu.exe
    Size: 77K
    SHA-1: 2a2390f5280c8c2499eecdef7ea77620ca961c67
    MD5: e7dc3bbe8b38b7ee0e797a0e27635cfa
    CRC-32: bb928f2c
    File type: Windows executable
    First seen: 2014-04-16
Registry Keys Created
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load
    c:\windows\system32\khuvaxu.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe,C:\DOCUME~1\support\APPLIC~1\test_item.exe,
Processes Created
  • c:\docume~1\support\locals~1\temp\explorer.exe
  • c:\windows\system32\cmd.exe
DNS Requests
  • sop.avstore.com.tw
  • sophos.skypetm.com.tw

Example 2

File Information

File type: Windows executable

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\test_item.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\support\APPLIC~1\test_item.exe,
Processes Created
  • c:\windows\system32\cmd.exe
DNS Requests
  • www.test.com

Example 3

File Information

File type: Windows executable

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\KAVUpdate.exe
Processes Created
  • c:\windows\system32\cmd.exe
IP Connections
  • 113.10.221.196:8080
