ThreatExpert Report: Win32.SuspectCrc

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 15 September 2012, 09:26:34
Processing time: 8 min 40 sec
Submitted sample:

File MD5: 0x11A0123176A06296949112344573ECF5
File SHA-1: 0xFAAF16150143B1B73546876E312837F86054F6CC
Filesize: 1,951,232 bytes
Alias: Win32.SuspectCrc [Ikarus]

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\GapCalc\GapCalc.LNK	694 bytes	MD5: 0x4C5E24639A04F99B218A8C5ED363CFC4 SHA-1: 0x02973B3C573C0902ED1B564CC8257B7E29875170	(not available)
2	%ProgramFiles%\GapCalc\ferscsrs.jpg	38,579 bytes	MD5: 0x5BFD21300447C2FB060CBB331DA70BC4 SHA-1: 0x27365BF578CAF8FFDB2D2824D280A3848E9049B9	(not available)
3	%ProgramFiles%\GapCalc\GapCalc.exe	147,456 bytes	MD5: 0x1A33BAD7EB72E43B810A4F3981D498EA SHA-1: 0x82155CCABBFFB568FAA063A265DDB19BA5DA1C26	Win32.SuspectCrc [Ikarus]
4	%ProgramFiles%\GapCalc\help.htm	3,235 bytes	MD5: 0x8CD4F9E543B736EC8181ED0D1064BEBE SHA-1: 0x170C7C8A1028030E6F8C5B2B064D990B62A373BB	(not available)
5	%ProgramFiles%\GapCalc\input.jpg	81,233 bytes	MD5: 0x876E37455FEF2F3AB146BB1551409BB4 SHA-1: 0x453DC89C59B97013E4DD32786D7EF34040742086	(not available)
6	%ProgramFiles%\GapCalc\ST6UNST.LOG	2,850 bytes	MD5: 0x87EA128F6B177C65942531165392729B SHA-1: 0xB138F91E8EDAEBCD4CE6327879B9267ABA0C8994	(not available)
7	%ProgramFiles%\GapCalc\start.jpg	50,533 bytes	MD5: 0xF01CB8FC7F22AEC6EA269218F75F1226 SHA-1: 0xA1B0314504B20E0CDDBD8A3DB56DF33D5C80CD4D	(not available)
8	%Windir%\Setup1.exe	249,856 bytes	MD5: 0xC6264B17629F6F9F0BD2BA7671CEFF69 SHA-1: 0x67A6B419740C1D6B780789BFFCFCC83129E36D1B	(not available)
9	%Windir%\ST6UNST.EXE	73,216 bytes	MD5: 0xEA4E2BA0D35EEADEE23B0C1397C71367 SHA-1: 0xE715DDF7C568A745E7990534F06460556E20B3ED	(not available)
10	[file and pathname of the sample #1]	1,951,232 bytes	MD5: 0x11A0123176A06296949112344573ECF5 SHA-1: 0xFAAF16150143B1B73546876E312837F86054F6CC	Win32.SuspectCrc [Ikarus]
11	%System%\VB6STKIT.DLL	101,888 bytes	MD5: 0xCFF867572B44212B01B711C1FA009537 SHA-1: 0x3978C9F7A3D77C0BDFF4353949E2143757EEBC79	(not available)

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was modified:

%System%\MSCOMCT2.OCX

The following directories were created:

%CommonPrograms%\GapCalc
%ProgramFiles%\GapCalc

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
st6unst.exe	%Windir%\st6unst.exe	90,112 bytes
setup1.exe	%Windir%\setup1.exe	270,336 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	1,966,080 bytes
setup.exe	%Temp%\WZSE0.TMP\setup.exe	180,224 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1

The newly created Registry Values are:

[[pathname with a string SHARE]\SharedDlls]

%System%\VB6STKIT.DLL = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1]

ApplicationName = "GapCalc.exe"
DisplayName = "FedCalc.com Retirement GAP Analysis Tool"
UninstallString = "%Windir%\st6unst.exe -n "%ProgramFiles%\GapCalc\ST6UNST.LOG" "
AppToUninstall = "GapCalc.exe"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32]

(Default) = "oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32]

(Default) = "oleaut32.dll"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib]

(Default) =
Version =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib]

(Default) =
Version =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.Animation]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.Animation.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.FlatScrollBar]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.FlatScrollBar.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.MonthView]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.MonthView.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.UpDown]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComCtl2.UpDown.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\6.0\9\win32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}\2.0]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}\2.0\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]

C:\WINDOWS\system32\comcat.dll =
C:\WINDOWS\system32\olepro32.dll =
C:\WINDOWS\system32\stdole2.tlb =
C:\WINDOWS\system32\oleaut32.dll =
C:\WINDOWS\system32\asycfilt.dll =
C:\WINDOWS\system32\MSCOMCT2.OCX =
C:\WINDOWS\system32\msvbvm60.dll =

Other details

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\MSVBVM60.DLL

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.