| Visit ThreatExpert web site | | | Close Report |
[McAfee] [Sophos] [Ikarus]| What's been found | Severity Level |
| Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share. |  |
| Creates an executable file in the fake Recycle Bin folder with the purpose of concealing its presence in the system. |  |
| Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode. |  |
| Contains characteristics of an identified security risk. |  |
 | Possible Security Risk |
| Threat Category | Description |
 |
A program that downloads files to the local computer that may represent security risk |
 | File System Modifications |
| # | Filename(s) | File Size | File Hash | Alias |
| 1 | c:\Autorun.inf | 188 bytes | MD5: 0x4B82F18982837DEED04313DE0BFF972F SHA-1: 0x4D3EC31567713E58CE951E36F975D67B245DE7D3 |
Mal/AutoInf-C [Sophos] |
| 2 |
%AllUsersProfile%\All Users.exe
%Profiles%\Default User\Default User.exe %Profiles%\Documents and Settings.exe %Profiles%\LocalService\LocalService.exe
%Profiles%\NetworkService\NetworkService.exe
%UserProfile%\%UserName%.exe c:\Inetpub\Inetpub.exe
c:\Inetpub\wwwroot\wwwroot.exe
%ProgramFiles%\Adobe\Adobe.exe
%ProgramFiles%\Common Files\Common Files.exe %ProgramFiles%\ComPlus Applications\ComPlus Applications.exe %ProgramFiles%\Internet Explorer\Internet Explorer.exe %ProgramFiles%\Messenger\Messenger.exe
%ProgramFiles%\microsoft frontpage\microsoft frontpage.exe %ProgramFiles%\Movie Maker\Movie Maker.exe %ProgramFiles%\MSN\MSN.exe
%ProgramFiles%\MSN Gaming Zone\MSN Gaming Zone.exe %ProgramFiles%\NetMeeting\NetMeeting.exe
%ProgramFiles%\Online Services\Online Services.exe %ProgramFiles%\Outlook Express\Outlook Express.exe %ProgramFiles%\Program Files.exe %ProgramFiles%\Uninstall Information\Uninstall Information.exe %ProgramFiles%\Web Publish\Web Publish.exe %ProgramFiles%\Windows Media Player\Windows Media Player.exe %ProgramFiles%\Windows NT\Windows NT.exe %ProgramFiles%\WindowsUpdate\WindowsUpdate.exe
%ProgramFiles%\WinPcap\WinPcap.exe
%ProgramFiles%\xerox\xerox.exe
c:\RECYCLER\RECYCLER.exe
c:\RECYCLER\S-1-5-21-606747145-764733703-839522115-1003\S-1-5-21-606747145-764733703-839522115-1003.exe c:\System\System.exe
%Windir%\addins\addins.exe
%Windir%\AppPatch\AppPatch.exe
%Windir%\assembly\assembly.exe
%Windir%\Cache\Cache.exe
%Windir%\Config\Config.exe
%Windir%\Connection Wizard\Connection Wizard.exe %Windir%\Cursors\Cursors.exe
%Windir%\Debug\Debug.exe
%DownloadedProgramFiles%\Downloaded Program Files.exe %Windir%\Driver Cache\Driver Cache.exe %Windir%\ehome\ehome.exe
%FontsDir%\Fonts.exe
%Windir%\Help\Help.exe
%Windir%\ime\ime.exe
%Windir%\inf\inf.exe
%Windir%\Installer\Installer.exe
%Windir%\java\java.exe
%Windir%\Media\Media.exe
%Windir%\Microsoft.NET\Microsoft.NET.exe
%Windir%\msagent\msagent.exe
%Windir%\msapps\msapps.exe
%Windir%\mui\mui.exe
%Windir%\Offline Web Pages\Offline Web Pages.exe %Windir%\pchealth\pchealth.exe
%Windir%\PeerNet\PeerNet.exe
%Windir%\Provisioning\Provisioning.exe
%Windir%\Registration\Registration.exe
%Windir%\repair\repair.exe
%Windir%\repair\Sys %Windir%\Resources\Resources.exe
%Windir%\srchasst\srchasst.exe
%Windir%\system\system.exe
%System%\Com\LSASS.exe
[file and pathname of the sample #1] %System%\system32.exe
%Windir%\Tasks\Tasks.exe
%Windir%\Temp\Temp.exe
%Windir%\twain_32\twain_32.exe
%Windir%\Web\Web.exe
%Windir%\WINDOWS.exe
%Windir%\WinSxS\WinSxS.exe
|
282,624 bytes | MD5: 0x11BEBBE399D637373EF3E12A3F9AAEE9 SHA-1: 0xA8A55FECA6A9144FF3E494DC041AC87E89583160 |
Trojan-Downloader.Win32.Agent.fyxf [Kaspersky Lab] Generic BackDoor.f [McAfee]Mal/SillyFDC-A [Sophos]Trojan:Win32/Vake.F [Microsoft] Trojan.AgentMB [Ikarus] |
| 3 | %Windir%\inf\safe.reg | 214 bytes | MD5: 0x3A59CEBCE619D9060F1B70891EB413E7 SHA-1: 0xE2A547A63F9D23A2033D998245D96D93D3B60FEB |
(not available) |
| 4 | %Windir%\repair\System.vbs | 324 bytes | MD5: 0x782E9FDC60A285E6AA464DE9F8B72D44 SHA-1: 0x6AA160FDC60FD0DB7799777DEA474030D1F3D1C2 |
(not available) |
 | Memory Modifications |
| Process Name | Process Filename | Main Module Size |
| [filename of the sample #1] | [file and pathname of the sample #1] | 323,584 bytes |
| All Users.exe | %AllUsersProfile%\all users.exe | 323,584 bytes |
| Default User.exe | %Profiles%\default user\default user.exe | 323,584 bytes |
| Documents and Settings.exe | %Profiles%\documents and settings.exe | 323,584 bytes |
| LocalService.exe | %Profiles%\localservice\localservice.exe | 323,584 bytes |
| NetworkService.exe | %Profiles%\networkservice\networkservice.exe | 323,584 bytes |
 | Registry Modifications |
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2013 ThreatExpert. All rights reserved.