Submission Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

 

Technical Details:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

 

Possible Security Risk

Security RiskDescription
Spyware.Known_Bad_Sites Indicates that a known bad site may have hijacked. Adware, Spyware and Phishing sites may use the Windows hosts file to redirect your browser to a malicious site when you try to access a valid site such as your Bank.

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 [file and pathname of the sample #1] 207,675 bytes MD5: 0x4CC0AC489A3BD5081E287C67C7528731
SHA-1: 0x6977B3D43FB4B999579A96B398F22F08CD231F74
(not available)
2 %System%\shdqmlecfe.exe 48,232 bytes MD5: 0x25C9F46076B84A54FB1F22B2BA894AC6
SHA-1: 0x3D5C4ED88B836FD2BC6732A44D1F7DDBBA636C21
(not available)
3 %System%\yexwtvdndumljhu.dll 402,432 bytes MD5: 0xB18390F1FBB2DC0142B4A4C87A27007C
SHA-1: 0x1D42DE63AC9F7638DE32E92DA46CE480416C3EA8
Trojan.Zlob [Ikarus]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
Au_.exe%Temp%\~nsu.tmp\Au_.exe204,800 bytes

Module NameModule FilenameAddress Space Details
yexwtvdndumljhu.dll%System%\yexwtvdndumljhu.dllProcess name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 - 0x10069000
yexwtvdndumljhu.dll%System%\yexwtvdndumljhu.dllProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0xD70000 - 0xDD9000
yexwtvdndumljhu.dll%System%\yexwtvdndumljhu.dllProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0xD70000 - 0xDD9000

 

Registry Modifications

 

Other details

Remote HostPort Number
168.75.207.2080
174.129.137.19680
204.0.5.1780
204.0.5.3280
204.0.5.980
209.200.63.6880
209.200.63.7580
64.237.101.8480
66.114.51.4480
66.94.242.2480

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.