Submission Summary:

 

Technical Details:


 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %Temp%\7z.dll 914,432 bytes MD5: 0x04AD4B80880B32C94BE8D0886482C774
SHA-1: 0x344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
(not available)
2 %Temp%\archive.xml 6,508 bytes MD5: 0xD8B0ED2A0270B688C46312D50F9B25D9
SHA-1: 0x1CA60749D6AF7C414E1B0C9760765DD3E7056ADA
(not available)
3 %Temp%\dw.log 76 bytes MD5: 0x66859A76D07A08C69AB5136C7DAB4050
SHA-1: 0xCECBD1D4DFE8AF687CA211E776A792E796B9AD2C
(not available)
4 %Temp%\html\images\bg-1.png 30,906 bytes MD5: 0xF743D617D343CE2415DFDF02E405596D
SHA-1: 0x07037404C57B2012F91E56513163D3B08ACACCB9
(not available)
5 %Temp%\html\images\bg-3.png 3,968 bytes MD5: 0x0FE64AACD07DEC72A6DD985279D38E42
SHA-1: 0xD4CC072D674AE9C3965864BC85A125AA762188F4
(not available)
6 %Temp%\html\images\bg-4.png 5,407 bytes MD5: 0xB0992AEDD91ECC1A414519642DB5FF84
SHA-1: 0x8A9637DE5303F2988BA8A9F7671CB6734F868194
(not available)
7 %Temp%\html\images\bramus\percentImage.gif 154 bytes MD5: 0x68A3AB18442534294BE5209EBA4390C9
SHA-1: 0x01A35E807F4D378EAF1FFEE7CCAB3D84EC71CA7C
(not available)
8 %Temp%\html\images\bramus\percentImage.png 192 bytes MD5: 0x351FDD6FB94C90C34D65DFBD03B09B7B
SHA-1: 0x1C352445407AE081225B99CA04B87C2C3F61F13A
(not available)
9 %Temp%\html\images\bramus\percentImage_back.png 690 bytes MD5: 0x855160FFD2B5AF83D8C7BA4B39D66603
SHA-1: 0x8A8E43D95C913F317E0355B7A0DBB4A23391DCD0
(not available)
10 %Temp%\html\images\bramus\Thumbs.db 4,608 bytes MD5: 0xA3517E8C6FA3E2AF03566B153A941A2E
SHA-1: 0x11F8F6E2E0F246E5BE83BB04C9B82987CFB3B9B9
(not available)
11 %Temp%\html\images\icons\add.gif 990 bytes MD5: 0x108619AA8A5B363CBDDA706ECCDDEC8C
SHA-1: 0xE3C450068C7ECA3A19B535D5C677C5F2D7415B17
(not available)
12 %Temp%\html\images\icons\empty.gif 963 bytes MD5: 0x046F216FCE5148F91AE13688BDD21484
SHA-1: 0x103C7B8A083BC4745EE69667D1A74D297D0F7978
(not available)
13 %Temp%\html\images\icons\fill.gif 1,003 bytes MD5: 0xF31AB043C890A60BFFFE115E2AE83DE2
SHA-1: 0xE0C46F2ECAFAA7F65757D942C3743240F32FA5ED
(not available)
14 %Temp%\html\images\icons\get.gif 991 bytes MD5: 0xFD8582BB764C43FBF261DFD2FE71E77C
SHA-1: 0x40145DDBBCD05CA2F25DF5F32DBAC6A3EE55B9B3
(not available)
15 %Temp%\html\images\icons\minus.gif 991 bytes MD5: 0xF983A4988C7DF406794FA17F5D235B61
SHA-1: 0xFD8267A00666D47854958B7B61DB51AE71C577FC
(not available)
16 %Temp%\html\images\icons\set.gif 1,006 bytes MD5: 0x81B7C8A9025E4BBCCCA689AA331E4221
SHA-1: 0x23D35C36EA84CD36D10517DD62CE2B21E62CD100
(not available)
17 %Temp%\html\images\icons\Thumbs.db 6,656 bytes MD5: 0xB9BD7BB858B65A5E957CDAF93D3E4034
SHA-1: 0xE4770F7159009C6EA0C08ABC778AE9B997A1F68A
(not available)
18 %Temp%\html\images\Thumbs.db 9,216 bytes MD5: 0xE865EC42815E1045429DCC158D31119C
SHA-1: 0xD2758A430BD662A6489D9F7D9E4428CA5F76B586
(not available)
19 %Temp%\html\js\bramus\jsProgressBarHandler.js 16,873 bytes MD5: 0x00B4375D22A8C9391371E8A773E0DBCE
SHA-1: 0x51E51F7A2F2B0ECBB57E87B345021F9FD54B6D4E
(not available)
20 %Temp%\html\js\jquery.js 85,925 bytes MD5: 0xE85AED5C30D734F1E30646E030D7A817
SHA-1: 0xB8DCAA1C866905C0BDB0B70C8E564FF1C3FE27AD
(not available)
21 %Temp%\html\js\mask.js 3,343 bytes MD5: 0x8AC5015164E111D6AEC48B1C72F18A02
SHA-1: 0x5E6D98449520CA0FCC812701B7B5CAFFE2B88FE3
(not available)
22 %Temp%\html\js\prototype\prototype.js 126,127 bytes MD5: 0xD3A5B20D5368C1BCABE655B57B52D097
SHA-1: 0x015CF89260F3E8F0B86F5A17558125C933692989
(not available)
23 %Temp%\html\page.html 2,507 bytes MD5: 0x58C7C2577897225937E83C19C4B3B7EB
SHA-1: 0x2D7BCA205878B79D9351C0221E7416883166D657
(not available)
24 %Temp%\html\page2.html 2,308 bytes MD5: 0xF02EC27D312C36D4BD4593D26456BE46
SHA-1: 0x2B97FB6499AC1582F32166C0E545C9B82733F43F
(not available)
25 %Temp%\html\page3.html 2,181 bytes MD5: 0x0619E99DCE3B812E6CB22CB7A1EE701A
SHA-1: 0xCE72F6D11C7A2F1FAD67852B27C8914DC668CC58
(not available)
26 %Temp%\html\page4.html 2,352 bytes MD5: 0xB34BF6278463268ACC3B2E3E490FC17A
SHA-1: 0x1F3E0FBA9396D9429571D9217DEF0C9D74392DA3
(not available)
27 %Temp%\html\page44.html 2,367 bytes MD5: 0xC349080113D997324236AFC200FC0F82
SHA-1: 0x7D94171A4FEFAE50303A685C21A093EEEFC1FDC6
(not available)
28 %Temp%\html\page45.html 2,383 bytes MD5: 0x1E7839B028B54F19C4C485056FFD672D
SHA-1: 0x37A470B07B7A346F52C95DC1112AAB844120D336
(not available)
29 %Temp%\html\page46.html 2,368 bytes MD5: 0x398DFA4F5D130BF5D113C28D41755ADF
SHA-1: 0x86C2C66998E68ABC7B593136103F330434F95D82
(not available)
30 %Temp%\html\page5.html 4,798 bytes MD5: 0x123809981842D9065DB6A2BEDB7FAD2D
SHA-1: 0xEFB8FEE93CBA9D77F9CB28B316D9263D4B48B504
(not available)
31 %Temp%\html.zip 130,674 bytes MD5: 0x785F28CBC32F20F2B46D0A02E3F05E6A
SHA-1: 0xDB2F3FD777A3DDD0FC7BF1E23999CA8E09224C58
(not available)
32 %Temp%\icon 9,662 bytes MD5: 0xEC0DEF27691CC3237F160D0E9E858C58
SHA-1: 0x4FAAFFAA7209A2AB2512027EA3322EEE83A00793
(not available)
33 %Temp%\[filename of the sample #1] 3,010,294 bytes MD5: 0xE42A4F332171C553F1B78C60D856321C
SHA-1: 0x1E4F07D4B5FD826ABC536AFBF6E8F48E76F39580
Virus.Win32.Heur [Ikarus]
34 [file and pathname of the sample #1] 3,125,948 bytes MD5: 0x6E809FB8B5635D8261966C67838C3A71
SHA-1: 0x10FB4D88B38E4F97F4CEC88E4018A96F8EF25C6F
(not available)

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | %Temp%\[filename of the sample #1] | 589,824 bytes

Process Name | Process Filename | Allocated Size
DW20.EXE | [pathname with a string SHARE]\dw20.exe | 20,480 bytes

 

Other details

 

 

Copyright © 2013 ThreatExpert. All rights reserved.