What's been found:

- Hosts file modification that may block access to the security web sites.
- Communication with a remote IRC server.
- Downloads/requests other files from Internet.
- Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
- Creates a startup registry entry.
- There were some system executable files modified, which might indicate the presence of a PE-file infector.
- Contains characteristics of an identified security risk.
Possible Security Risk

| Security Risk | Description |
|---|---|
| Spyware.Alexa | This is a toolbar installed in Internet Explorer without warning you that, if you use it, you will send information to MSN and Alexa. If you don't use the toolbar, it is harmless. The general recommendation is to remove it. |
| Virus.Parite.B | Virus Parite.B remains in memory after execution and infects every SCR and PE file on every drive and network share. |
| Adware.Component.Unrelated | These common components have files and keys that appear in different threats, but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed. |
| Trojan.Obfuscated.GX | Trojan.Obfuscated.GX will try to download other files through the internet to complete its malicious routines without the user's knowledge. |
| Trojan.Refpron.GEN | Trojan.Refpron.GEN runs in the background on execution and can download other malicious files onto the computer without the user's knowledge. |
Threat Category

- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
- A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
- A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
- A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
File System Modifications

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %Temp%\2456094.exe | 87,040 bytes | MD5: 0x457A2278A8EDD12FCAB2E117F2BC7023 SHA-1: 0x0544C6F0206A1851696BD4FA0F001E27D0CF7982 | Packed.Win32.Koblu.c [Kaspersky Lab]; Refpron.gen.i [McAfee]; Mal/Refpron-B [Sophos]; Backdoor:Win32/Refpron.P [Microsoft] |
| 2 | %Temp%\2462815.exe | 115,200 bytes | MD5: 0x985F34162F77C45C85532ED307B904A6 SHA-1: 0x1082686B6E3A358BCB4B34916EA5B827B63C57FF | (not available) |
| 3 | %Temp%\271xxx.dll | 26,112 bytes | MD5: 0x1DCFECB5AA10096BEB337AFBC087AC62 SHA-1: 0x34AA4386E008B44EAE286D08645B40106205A830 | Trojan-PSW.Win32.Agent.oll [Kaspersky Lab] |
| 4 | %Temp%\3.log | 187 bytes | MD5: 0xF5759012306B8ED9282D273935FEA0AB SHA-1: 0xF27DC40CAAE2F0AD3133B675812FF5193351B043 | (not available) |
| 5 | %Temp%\52725usc.dll | 11,776 bytes | MD5: 0xEE3394F042EB539904723EC1C1056717 SHA-1: 0x648036285B33DEAA63D2251D88C768E7C4E592E8 | (not available) |
| 6 | %Temp%\hdcfhe.dll | 6,656 bytes | MD5: 0x1BE1BE10642D543902F4D1C1A074BE70 SHA-1: 0x4E4DA0CF1DAED28653C3F4F8B6F00B9E4D094E35 | Downloader-BGO [McAfee] |
| 7 | %Temp%\ka.ini | 60 bytes | MD5: 0x98DEB5378F4F290120E32BF5D2FB15DA SHA-1: 0xABD566CBF8EACCDB4841CD2337F9CBCB468FDF5E | (not available) |
| 8 | %Temp%\mta13187.dll; %Temp%\x1c53994.dll; %Windir%\Temp\mta13187.dll | 612,352 bytes | MD5: 0x3F795D6FB4050C93CBBD0FF699A2635A SHA-1: 0xD6F6FF1E3809C980CA78710E842AC3F1C1697E92 | (not available) |
| 9 | %Temp%\nia7.tmp; %Temp%\qja8.tmp; %Windir%\Temp\mja9.tmp; %Windir%\Temp\xfa6.tmp | 176,128 bytes | MD5: 0x685F1CBD4AF30A1D0C25F252D399A666 SHA-1: 0x6A1B978F5E6150B88C8634146F1406ED97D2F134 | Virus.Parite.B [PCTools]; W32.Pinfi [Symantec]; Trojan.Win32.Genome.cssz [Kaspersky Lab]; W32/Pate.b.dll [McAfee]; PE_PARITE.A-O [Trend Micro]; W32/Parite-B [Sophos]; Virus:Win32/Parite.B.dll [Microsoft]; Win32/Parite [AhnLab] |
| 10 | %UserProfile%\ntuser.dll; %Programs%\Startup\scandisk.dll; %System%\calc.dll; %Windir%\Temp\rundll32.dll | 24,064 bytes | MD5: 0x487D788710F5AC5E406BC40748F973BD SHA-1: 0xD268EFD1EA8268949551F7DB1D8BB0D3A2895A7D | Trojan-PSW.Generic [PCTools]; Infostealer [Symantec]; Packed.Win32.Krap.ah [Kaspersky Lab]; Mal/EncPk-MA, Mal/FakeDouf-B [Sophos]; Packed.Win32.Krap [Ikarus] |
| 11 | %Programs%\Startup\scandisk.lnk | 655 bytes | MD5: 0x6DD9F4546AA0A7BCD89C00844B635F53 SHA-1: 0x5A6D36E041C59B1689B6CD62FE32C93369C55FFD | (not available) |
| 12 | %Windir%\Install.txt; %System%\Install.txt | 266 bytes | MD5: 0x5EA154792744C57AAEE317012CD835E4 SHA-1: 0x6E9BD312CECBEB0D8948E53F0D84879C3787A8D1 | (not available) |
| 13 | %Windir%\isvchost.exe | 599,508 bytes | MD5: 0xDECE7E8313561306FABBC2B9CF25C3EA SHA-1: 0xB181E7ED34C2A056FBBCAAC78EAF1CDBD46DE383 | Win32.Parite.B [PCTools]; W32.Pinfi [Symantec]; Virus.Win32.Parite.b [Kaspersky Lab]; W32/Pate.b [McAfee]; PE_PARITE.A [Trend Micro]; W32/Parite-B [Sophos]; Virus:Win32/Parite.B [Microsoft]; Win32/Parite [AhnLab] |
| 14 | %Windir%\svchost.exe | 1,166,848 bytes | MD5: 0x48EAF5CD4962747FFCD3473AB3BB1795 SHA-1: 0x1D1114BBE90B70A758153489F80D202884407D21 | Malware.Virut [PCTools]; W32.Virut.CF [Symantec]; Virus.Win32.Virut.ce [Kaspersky Lab]; W32/Virut.n.gen [McAfee]; W32/Scribble-B [Sophos]; Virus:Win32/Virut.BM [Microsoft]; Win32/Virut.F [AhnLab] |
| 15 | %Windir%\svchust.exe | 924,126 bytes | MD5: 0x800C8980244B97D1792FF1DFFA37A148 SHA-1: 0xE9522C9CF70F4FA984DCF605CD680E3EB1B8D128 | Win32.Parite.B2 [PCTools]; W32.Pinfi [Symantec]; Virus.Win32.Parite.b [Kaspersky Lab]; W32/Pate.b [McAfee]; PE_PARITE.A [Trend Micro]; W32/Parite-B [Sophos]; Virus:Win32/Parite.B [Microsoft]; Win32/Parite [AhnLab] |
| 16 | %System%\3.tmp | 88 bytes | MD5: 0xC366C61C89A3D6CB7201D6E3C9AB16C7 SHA-1: 0x1E4C6122D17C071C879926363C53D9264A83D9F4 | (not available) |
| 17 | %System%\3cd05.dll | 312,525 bytes | MD5: 0xAE01E46F8D06D0A796BAF6C9F55B6B35 SHA-1: 0xA4480FF93CB14BF2B940E6FDB3FAE623BD9A32D8 | Mal/Patched-A [Sophos] |
| 18 | %System%\5.tmp | 88,576 bytes | MD5: 0x1C5E79F5F4CAAB5F5C9A69AB91D478B2 SHA-1: 0x428D52728C29EC557F1E4DF282AB76AF70230823 | Trojan.Generic [PCTools]; Trojan Horse [Symantec]; Packed.Win32.Krap.af [Kaspersky Lab]; W32/Rimecud [McAfee]; WORM_PALEVO.SMI [Trend Micro]; Mal/Rimecud-A, Mal/Zbot-I [Sophos]; Trojan:Win32/Sisproc [Microsoft]; Trojan.Generic.CJ [Ikarus]; Win-Trojan/Obfuscator.88576.B [AhnLab] |
| 19 | %System%\6to4v32.dll | 61,440 bytes | MD5: 0x065718D0DF31EDF5D5D2B795357A3092 SHA-1: 0x0CF0325C194A4179AC241DD98B15AD4D20140CB1 | Backdoor.Win32.Agent.andh [Kaspersky Lab]; Troj/Wimpix-Gen [Sophos] |
| 20 | %System%\BtwSrv.dll | 46,080 bytes | MD5: 0xDD878E8834D4EBFC8625C7B527A8FA8A SHA-1: 0xBC356D17AB62F43D4934DE51EFBF66BEFAC7A94D | Packed.Win32.Koblu.d [Kaspersky Lab]; Trojan:Win32/Refpron.F [Microsoft] |
| 21 | %System%\damdrv.sys | 2,304 bytes | MD5: 0x30305D10BB5D0B6587515ADB2B462866 SHA-1: 0x5E1FDF26B6FA9C5A5FAB5367610F6CB5C4646E1F | (not available) |
| 22 | %System%\FastNetSrv.exe | 74,240 bytes | MD5: 0x54B88ADE23A6866F65FC8B7757D0A1DC SHA-1: 0x537FA0A043AC7598056006F6410CE3CF3339BAFF | Malware.Virut [PCTools]; W32.Virut.CF [Symantec]; Virus.Win32.Virut.ce [Kaspersky Lab]; W32/Virut.n.gen [McAfee]; W32/Scribble-B [Sophos]; Virus:Win32/Virut.BM [Microsoft]; Win32/Virut.F [AhnLab] |
| 23 | %System%\lsm32.sys | 36,864 bytes | MD5: 0xFC51DFCA07368E92930FBE7D4B24C932 SHA-1: 0x63744ADFBE3F718BABF5C187EC14ABA37EF64438 | Trojan.Win32.Clicker.cr [Kaspersky Lab]; Generic AdClicker.p [McAfee]; Mal/Bimay-A [Sophos] |
| 24 | [file and pathname of the sample #1] | 184,320 bytes | MD5: 0x4B480D7AE584E9473467EEC83ACD1AB3 SHA-1: 0x04A7F04C289B9ACFFE5FDC5B6DC50DB3B1AC90A8 | Malware.Virut [PCTools]; W32.Virut.CF [Symantec]; Virus.Win32.Virut.ce [Kaspersky Lab]; W32/Virut.n.gen [McAfee]; W32/Scribble-B [Sophos]; Virus:Win32/Virut.BM [Microsoft]; Win32/Virut.F [AhnLab] |
| 25 | %System%\win.dll | 77,355 bytes | MD5: 0x377C0BE2A5DC6981F9305B55F13A5F00 SHA-1: 0xEAB1DB89137302799EAA9941E4A64844282CED0F | (not available) |
| 26 | %System%\winnt.exe | 42,392 bytes | MD5: 0x638DF3B1CAA0CE21A312C8E930F61B06 SHA-1: 0x406E08006029655791EF1205C7CD697FDAAD229C | Trojan.Win32.Sasfis.vvs [Kaspersky Lab]; Trojan.Win32.Sasfis [Ikarus] |
| 27 | %System%\winnts.dll | 6,144 bytes | MD5: 0x534EC11E1F0E3797FBD390F64EEAB4DF SHA-1: 0x3B03FF58904C32BCA54C0C5F8032172C675A9F18 | (not available) |
| 28 | %Windir%\Temp\nsrbgxod.bak | 0 bytes | MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 | (not available) |
Memory Modifications

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| [filename of the sample #1] | [file and pathname of the sample #1] | 184,320 bytes |
| svchost.exe | %Windir%\svchost.exe | 577,536 bytes |
| 2456094.exe | %Temp%\2456094.exe | 110,592 bytes |

| Process Name | Process Filename | Allocated Size |
|---|---|---|
| svchost.exe | %System%\svchost.exe | 192,512 bytes |
| wmiprvse.exe | %System%\wbem\wmiprvse.exe | 40,960 bytes |

| Module Name | Module Filename | Address Space Details |
|---|---|---|
| 6to4v32.dll | %System%\6to4v32.dll | Process name: svchost.exe; Process filename: %System%\svchost.exe; Address space: 0x10000000 - 0x1000F000 |
| rundll32.dll | %Windir%\TEMP\rundll32.dll | Process name: [generic host process]; Process filename: [generic host process filename]; Address space: 0x10000000 - 0x10000001 |
| win.dll | %System%\win.dll | Process name: svchost.exe; Process filename: %System%\svchost.exe; Address space: 0x960000 - 0x980000 |
| 3cd05.dll | %System%\3cd05.dll | Process name: svchost.exe; Process filename: %System%\svchost.exe; Address space: 0x960000 - 0xAC7200 |
| rundll32.dll | %Windir%\TEMP\rundll32.dll | Process name: wmiprvse.exe; Process filename: %System%\wbem\wmiprvse.exe; Address space: 0x700000 - 0x700001 |

| Service Name | Display Name | Status | Service Filename |
|---|---|---|---|
| NetLogin | Net Login | "Running" | %Windir%\svchost.exe |
| win | windo | "Running" | %System%\svchost.exe -k netsvcs |
| 6to4 | 6to4 | "Running" | %System%\svchost.exe -k netsvcs |
| .Net CLR | Microsoft .Net Framework COM+ Support | "Running" | %System%\svchost.exe -k ".Net CLR" |
Registry Modifications

Other details

- China
- Russian Federation

| Remote Host | Port Number |
|---|---|
| 174.123.160.146 | 80 |
| 193.104.94.11 | 80 |
| 212.117.177.140 | 80 |
| 91.206.201.39 | 80 |
| 202.97.184.196 | 81 |

Outbound traffic (potentially malicious)
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2010 ThreatExpert. All rights reserved.