Submission Summary:

What's been foundSeverity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat CategoryDescription
A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A network-aware worm that attempts to replicate across the existing network(s)


File System Modifications

#Filename(s)File SizeFile HashAlias
1 %CommonPrograms%\Startup\SVCHOST.SCR
[file and pathname of the sample #1]
335,872 bytes MD5: 0x6D624ECA1BEDDA1D35FC539C54CA077B
SHA-1: 0x55FB46B1C902E1D4049218C525195CA9E9CFAD69
W32.Ramnit!inf [Symantec]
Virus.Win32.Nimnul.a [Kaspersky Lab]
W32/Ramnit.a [McAfee]
W32/Patched-I [Sophos]
Virus:Win32/Ramnit.A [Microsoft]
Win32.SuspectCrc [Ikarus]
Win32/Ramnit.B [AhnLab]
2 %CommonPrograms%\Startup\svchostSrv.exe
[part of the sample filename]1Srv.exe
56,320 bytes MD5: 0xFF5E1F27193CE51EEC318714EF038BEF
SHA-1: 0xB4FA74A6F4DAB3A7BA702B6C8C129F889DB32CA6
Trojan.Zbot!gen9 [Symantec] [Kaspersky Lab]
PWS-Zbot.gen.pq [McAfee]
Mal/Agent-IE [Sophos]
Trojan-Spy.Win32.Zbot [Ikarus]
3 %System%\20171112164425 7 bytes MD5: 0x7A1920D61156ABC05A60135AEFE8BC67
SHA-1: 0x808D7DCA8A74D84AF27A2D6602C3D786DE45FE1E
(not available)
4 %System%\afc9fe2f418b00a0.bat 2,048 bytes MD5: 0x5B85431B1C7773FA72BE7F1ABEA27DBE
SHA-1: 0x4099B92A7ECBFEB65B8DA43CD70E01672FBF6BE3
P2P-Worm.Win32.Palevo.ejol [Kaspersky Lab]


Memory Modifications

Process NameProcess FilenameMain Module Size
V2011.exe%Windir%\v2011.exe356,352 bytes
SVCHOST.SCR%CommonPrograms%\startup\svchost.scr356,352 bytes
svchostsrv.exe%Temp%\v2011\svchostsrv.exe77,824 bytes
[filename of the sample #1][file and pathname of the sample #1]356,352 bytes


Registry Modifications


Other details

Russian Federation

Remote HostPort Number


Outbound traffic (potentially malicious)



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.