Submission Summary:

What's been found | Severity Level (severity was shown graphically in the original report)
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

# | Filename(s) | File Size | File Hash (MD5, SHA-1) | Alias
(each record spans several lines: the path or paths, then the size together with the MD5, then the SHA-1, then the AV detection name, or "(not available)" where the sandbox recorded none)
1 %CommonPrograms%\Xvid\Configure Decoder.lnk 1,389 bytes MD5: 0x1B6CDF63A45304080C1EFEC73FCB868C
SHA-1: 0xD9E6117A9F3A40523366F7EFF2AC338596E45C83
(not available)
2 %CommonPrograms%\Xvid\Configure Encoder.lnk 1,399 bytes MD5: 0x55B0B31E0D8CA941BDB0C818399D5E31
SHA-1: 0x310E6569F9FE11554F326E12AA53582496EB436F
(not available)
3 %CommonPrograms%\Xvid\INet-Doom9's Xvid Forum.lnk 684 bytes MD5: 0x6D9922DA7EADC67BFE79843251487190
SHA-1: 0x8E7DDC1B871857BAFE26538C29C08ACCF452D70D
(not available)
4 %CommonPrograms%\Xvid\INet-Koepi's Homepage (Updates).lnk 758 bytes MD5: 0xB6E1AF01319B8D78AE4B6E6E5CF3BCBB
SHA-1: 0x08F8CB3DBAE16BC18427570BF797C7D18DFE3618
(not available)
5 %CommonPrograms%\Xvid\INet-Xvid Homepage.lnk 688 bytes MD5: 0x2767FD5C1C3A08E0E91BBBF71B2FBFAB
SHA-1: 0xB3AC4865762133533A6948CD8B704D79C5D62044
(not available)
6 %CommonPrograms%\Xvid\Koepi's OGMCalc.lnk 717 bytes MD5: 0x7948AFC19C15C65FEB7F449467BAE8E8
SHA-1: 0xAB9681411817663BF36AAA32CAECE1B0CC8C3C0D
(not available)
7 %CommonPrograms%\Xvid\Nic's FourCC changer.lnk 668 bytes MD5: 0xBDC1A5FA5F320085980C07AFAA391AB3
SHA-1: 0x2CD306446544AD1686AD6456026C192B7D024EDD
(not available)
8 %CommonPrograms%\Xvid\Nic's MiniCalc.lnk 672 bytes MD5: 0x3B3ADADD26BDB4A09609413F376B9C35
SHA-1: 0x05F1FECEFB6E311FC349A9806F93E1F2E73992E9
(not available)
9 %CommonPrograms%\Xvid\Release Notes.lnk 726 bytes MD5: 0x86ADE317B7F035BF9E189126DC6B6689
SHA-1: 0x1BAF370E880635B8E30AD6B07A89F9F227898AFA
(not available)
10 %CommonPrograms%\Xvid\Some quantization matrices.lnk 749 bytes MD5: 0x6DC294304C5E6EA7A230E5A9C57429CD
SHA-1: 0x6657B496128958AE5EB5622ECEA4E928A23BD4C6
(not available)
11 %CommonPrograms%\Xvid\StatsReader 2.1.lnk 705 bytes MD5: 0x839F4D3619F3114AB1ABED25D25C2459
SHA-1: 0x464F7AE474C802E9271C3B34B4EA22D209634AD8
(not available)
12 %CommonPrograms%\Xvid\StatsReader Notes.lnk 703 bytes MD5: 0x8EE862B649B8555F55E8CA0FF8CB8273
SHA-1: 0x175FAD453670736301596CDDF308705CDB81CAC1
(not available)
13 %CommonPrograms%\Xvid\Uninstall Xvid.lnk 1,522 bytes MD5: 0x1D61B2DD134D547047D0AB76F6C7A15C
SHA-1: 0xDF1A7B34DB41D7748DEC6D3160536058F6669FF1
(not available)
14 %CommonPrograms%\Xvid\Vidc.Cleaner.lnk 1,623 bytes MD5: 0x19B7B491B18009650A798E91DD8D6A70
SHA-1: 0xABEEE086E69E48D0D172DD7E074A154F5289272A
(not available)
15 %AppData%\GoogleDownload.exe 53,248 bytes MD5: 0xD63D6096F2C30AFADACD398BE05F8534
SHA-1: 0xD7BD2C30D2751D51D7AE9C7BD8E99BFC5D033CA3
(not available)
16 %AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\90ac1d5a5a4073905d0aad6e1ee11e6b_a7bcc1a4-f7a4-4502-8650-8579e607f7f7 77 bytes MD5: 0x83708FC68B5DA8E6E1DD4792CBAAB76B
SHA-1: 0x5B561D14BACCDADDC0D3BA3B24B276A79F389487
(not available)
17 %AppData%\Microsoft\Google\s.txt 156 bytes MD5: 0xA71DB56D032282A51D5E60841E1B7AC5
SHA-1: 0xCEA9331D6D2A9D6F8522CCC1ED89BFBF1B7E680C
(not available)
18 %Temp%\219201132626.exe
[file and pathname of the sample #1]
45,412 bytes MD5: 0x826C855B440611A944E25F072A533EA3
SHA-1: 0xA47B808987DF31318F0ED76E68BDF9B46B0B1018
(not available)
19 %Temp%\219201132629.exe
%Temp%\219201132631.exe
64,512 bytes MD5: 0x45039C9BD32914D7E9A2AC380160E113
SHA-1: 0x0BDBF178318648E578CEE3C8B20BC0CED685688B
(not available)
20 %Temp%\219201132633.exe 63,112 bytes MD5: 0x2F7F1C2F8BF471ED96C2A7114AC14655
SHA-1: 0xA2E23CADFB0C9A0AD582A91AD67EF9353B15F5D7
(not available)
21 %Temp%\219201132634.exe 64,512 bytes MD5: 0x79950ECF7D41D7CB28B37F342DBD96A5
SHA-1: 0xB0850887AA33421EA830D4E97583C741AACCF293
packed with UPX [Kaspersky Lab]
22 %Temp%\219201132636.exe 49,198 bytes MD5: 0xF95C289F293BBFBD361485EBD3018732
SHA-1: 0x2EDF346921FE24EA9CC116263BFB1C2B7FF57284
(not available)
23 %Temp%\219201132654.exe 907,064 bytes MD5: 0x2580024FADF928DEB1020093CE90F7DF
SHA-1: 0x0EA1488ED66ABFAAB9A20D062FB7670BC1A7FA4C
(not available)
24 %Temp%\219201132655.bat 55 bytes MD5: 0x035AB0C77B022996DEA64B81B6A812AE
SHA-1: 0xE5E0C0D7F00AAB96E514CA9001D05B697FCE52F2
(not available)
25 %Temp%\219201132655.exe 907,064 bytes MD5: 0xF9A9485AE9BB129852711DD85304B8CD
SHA-1: 0x93D7EBA6F30C446962C4B0ABDC2AF421A9554CAA
(not available)
26 %Temp%\219201132656.bat 55 bytes MD5: 0x8FB9B63ED15A390FC14AFD1ECD413549
SHA-1: 0x93C0FB587D945F6F491F7C3D42256382D050DD27
(not available)
27 %Temp%\219201132820.exe 907,064 bytes MD5: 0x7B3DE1833032AA5E5735D38EBFBAD4A1
SHA-1: 0x858349225A74ECFA0B6F7FF67F90DAB330102DBD
(not available)
28 %Temp%\219201132821.bat 55 bytes MD5: 0x6746F0BCD08B8B0467EFFFC80AE78873
SHA-1: 0x1F85824D09B7B07FBE8B88E935B1E405F524280C
(not available)
29 %Temp%\nsn34.tmp\Background.png 963 bytes MD5: 0xE4161911C702BFE4F953A0C909075FCF
SHA-1: 0xD3E4B87F5CD405C634A786FF2A41DEF44790D01A
(not available)
30 %Temp%\nsn34.tmp\blowfish.dll
%Temp%\nsu1B.tmp\blowfish.dll
%Temp%\nsv1E.tmp\blowfish.dll
61,440 bytes MD5: 0x926E4475C00FB5254C32C876921B77D0
SHA-1: 0x8A55BC8B6E49021A4ABBD441783C41D5E019798B
(not available)
31 %Temp%\nsn34.tmp\button-active.gif 991 bytes MD5: 0x88FCA2603BCB5C39B9592625B1A14212
SHA-1: 0x2691188FFB42FC83E9D8FAF9FA50D0B77429C3CA
(not available)
32 %Temp%\nsn34.tmp\button.gif 1,084 bytes MD5: 0x6F5E5FDD7270519A55C71FE2E0971A7C
SHA-1: 0x1890CBE5D64D155370D77ADC81BFE964772089B0
(not available)
33 %Temp%\nsn34.tmp\Components.html 67,017 bytes MD5: 0xEF783439456E7B2DF66940B5AADDED9E
SHA-1: 0xFC15562AF079C63681FA4202AEAA97D205E6916E
(not available)
34 %Temp%\nsn34.tmp\Final.html 2,438 bytes MD5: 0x20622CDE5D463F692052753D96B47EAD
SHA-1: 0x03C103C158D0FF18561C11545A9A9AC4F9C3A1B7
(not available)
35 %Temp%\nsn34.tmp\nswg.dll
%Temp%\nsu1B.tmp\nswg.dll
%Temp%\nsv1E.tmp\nswg.dll
186,368 bytes MD5: 0x4F2B563F712670211D0E932E43B6E277
SHA-1: 0x53014306F362C90AF7F58AD546237E6310E58FD3
(not available)
36 %Temp%\nsn34.tmp\System.dll 11,264 bytes MD5: 0xC17103AE9072A06DA581DEC998343FC1
SHA-1: 0xB72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
(not available)
37 %Temp%\nsn34.tmp\welcomebg.gif 35,270 bytes MD5: 0xF6918D85FE37ED92393432B6C003811D
SHA-1: 0x5D01308D78664E610BA31020F9C7F2214D848D32
(not available)
38 %Temp%\nsn34.tmp\welcomepage.html 5,534 bytes MD5: 0xEAD9AA05537BFB602BF7CF3243EF4E59
SHA-1: 0x39F7F7662FC3EF31DE18FF03F55D37BCEBBBCDCC
(not available)
39 %Temp%\nsu1B.tmp\InetLoadEx.dll
%Temp%\nsv1E.tmp\InetLoadEx.dll
56,832 bytes MD5: 0x9FAE574B1004BB0650EEBBA3D8040C59
SHA-1: 0x541583EC14AF05915B8EFEFE520EDD4F25914C9A
(not available)
40 %Temp%\nsu1B.tmp\Progress.dll
%Temp%\nsv1E.tmp\Progress.dll
82,432 bytes MD5: 0x15E01578481287BBCF32D2217F1B5246
SHA-1: 0x67A7D05BB2F8B33980867D3352280FA0CD0B4E9F
(not available)
41 %Temp%\nsy33.tmp 1,385,123 bytes MD5: 0xAFF1D60212FCCFCAA269CBECE359EDC5
SHA-1: 0x50FCE2066E50BC0607CCD2F302776FB18CAF587B
(not available)
42 %InternetCache%\ziJILC0Bxj 2,284 bytes MD5: 0x26A4F1BB4FBB9D232C8EA2AAD577685C
SHA-1: 0x4DAA383FEC15A76F845CC3771351928830E4D09B
(not available)
43 %ProgramFiles%\Xvid\AviC.exe 6,144 bytes MD5: 0xC39AD6299E0E1F7AA3F5B51AC9B5CD0E
SHA-1: 0x468E27F8A20C07AC8100E8223B326909095DD6D6
(not available)
44 %ProgramFiles%\Xvid\doom9forum.url 79 bytes MD5: 0xDC45662BDF8CAD91226BA35461E5E645
SHA-1: 0x7419E01DD36CF99D20CCE57E8067ABD40E1765BA
(not available)
45 %ProgramFiles%\Xvid\koepishomepage.url 121 bytes MD5: 0x2C6D2BF6124CF5ABEAB023541722DE8C
SHA-1: 0x9DA65E876702EB24D01A4BB8AB1AEC82D5F7EB60
(not available)
46 %ProgramFiles%\Xvid\LICENSE 18,327 bytes MD5: 0x9E865F6174E00936D7BE7B816B3FF188
SHA-1: 0xE64C9C36E85D2022A45A3D4CB0F196C01F216072
(not available)
47 %ProgramFiles%\Xvid\MiniCalc.exe 23,040 bytes MD5: 0x7CE40A557359849EA374E0E4DDE52E26
SHA-1: 0xD865E7EF9C41D8C622EC87577685F3E1868F420E
packed with UPX [Kaspersky Lab]
48 %ProgramFiles%\Xvid\OGMCalc.exe 9,216 bytes MD5: 0x95CAEF9DA6E9AEE1ECD627527CFA0F38
SHA-1: 0xF0CE07A0C7DA2F0239EBFE3CA37CD03332D80F0B
packed with UPX [Kaspersky Lab]
49 %ProgramFiles%\Xvid\plugins_lumimasking.c-diff.txt 5,021 bytes MD5: 0x193362D99E0BB3BFA64D6E57D4C339D2
SHA-1: 0x8EDDCF87C0D5FD8E3B1D054B955347B94556DA4A
(not available)
50 %ProgramFiles%\Xvid\releasenotes.txt 1,095 bytes MD5: 0x493EAB5004E236C6EA44CE95E62235A2
SHA-1: 0x4B4394E4897A0CB04A38F0FFB5471B4046C1DE33
(not available)
51 %ProgramFiles%\Xvid\StatsReader.exe 13,824 bytes MD5: 0x487AF46145B81C5BC54873E764F93636
SHA-1: 0xF948B0544C59127E8845EEF915F2EC3B6B1C3508
packed with UPX [Kaspersky Lab]
52 %ProgramFiles%\Xvid\statsreader.txt 1,496 bytes MD5: 0x01221F7D49384F1EA1FB6967A2D11C20
SHA-1: 0x89F7BD49C109D5109A71FD24A092338FFB0BD76B
(not available)
53 %ProgramFiles%\Xvid\unins000.dat 5,912 bytes MD5: 0x87647D6FA5602918EC90DCE495661C32
SHA-1: 0x30267B915A85D92DC67663FA85AD1CD5BD086857
(not available)
54 %ProgramFiles%\Xvid\unins000.exe 673,610 bytes MD5: 0x4BFD4F1E61C5C1A7D4158952AE2A2AD6
SHA-1: 0x8D38D0D38ED2FFA7F5559A382D16AE82EF99A08E
(not available)
55 %ProgramFiles%\Xvid\vidccleaner.exe 8,704 bytes MD5: 0x6B5E418A9C02AB0C3F3DD50B0E3CD3A6
SHA-1: 0xD7E976B79DE0E822F41845F45C6311D11D2179D0
packed with UPX [Kaspersky Lab]
56 %ProgramFiles%\Xvid\xvid.ico 766 bytes MD5: 0x4D0DBF39F00A21CF520E172EF37145D2
SHA-1: 0x8E0F324F43D30EF9535CEDD3CDE46CCCB6B8A21D
(not available)
57 %ProgramFiles%\Xvid\xvidhomepage.url 44 bytes MD5: 0xDFD74226477506DCACF1FD7698DC7C00
SHA-1: 0xE7F1CA16188CD26FA29E8A53C64A8D9D7E3DBC85
(not available)
58 %ProgramFiles%\Xvid\Xvid_Quant_Matrices.zip 2,967 bytes MD5: 0xF0176ACEBF968B6F6DF8743C26258D0F
SHA-1: 0x021881D09DDFB398D65A0ABE367274553D926329
(not available)
59 %System%\-9sAPjw1WLHo.exe 127,234 bytes MD5: 0x0DF77E05725BF1FABC5925C57011FA62
SHA-1: 0xB3585BB050513573A38298D109E13599E79C3CB7
(not available)
60 %System%\2K-fD_.dll 2,127,360 bytes MD5: 0x3A4E6E4B235419B1594D9662E42D6245
SHA-1: 0x761CF7717DAF097DDAFD6CE67DD2BF255EAEA128
(not available)
61 %System%\dll 36,316 bytes MD5: 0x8DB8100940972857279642952A257D14
SHA-1: 0x1BDA6DDD6292715DEE3216A2A195CE621CBEDC76
(not available)
62 %System%\xvid.ax 77,824 bytes MD5: 0x06A1AAB474756DF76BB817CB680C4593
SHA-1: 0x7DE8634C41254217E67FD4D10643E8F88331CF62
(not available)
63 %System%\xvidcore.dll 819,200 bytes MD5: 0x1CD08C0FA0C5BD53450E332F35304381
SHA-1: 0x3116C26AA9BA6FE26C004620EC3DB1B121FE2B1C
(not available)
64 %System%\xvidvfw.dll 180,224 bytes MD5: 0x7FE2E2373140E32D4BB12633923C120A
SHA-1: 0x978BC33DA441D37CEADF71B1375306E01E8AEDEC
(not available)
65 %System%\zx.dll 3,584 bytes MD5: 0x7049917042D3BBFA152CB42EFD9F240B
SHA-1: 0x4E9D0A1C45454ACD8E8B42FB62CC4AAF5CD15890
W32/Bamital.dll [McAfee]
Backdoor.Win32.Shiz [Ikarus]
66 %Windir%\Temp\explorer.dat 1,032,192 bytes MD5: 0xA0732187050030AE399B241436565E64
SHA-1: 0x69F33740413DA112630BE73EBB805A23B69F2F7F
(not available)
67 %Windir%\Temp\winlogon.dat 502,272 bytes MD5: 0x01C3346C241652F43AED8E2149881BFE
SHA-1: 0xA5396141CAB8B22D9D88B28A814089537DCE366A
(not available)
Note: the two .dat files in %Windir%\Temp are close in size to explorer.exe and winlogon.exe, and the Bamital family named in McAfee's alias for zx.dll (entry 65) is reported to patch exactly those system binaries. On an affected host, verify the integrity of explorer.exe and winlogon.exe against known-good copies rather than relying on the listed hashes alone.
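The file table gives, for every dropped file, a placeholder-rooted path, a size and two hashes, which is exactly what a host sweep needs. The following Python is an added example and not part of the ThreatExpert report: it parses records in the report's own multi-line layout (three rows copied from the table above are embedded so it runs offline), expands the %Placeholder% roots through a directory map, and compares size, MD5 and SHA-1 of whatever is present on disk. The DEFAULT_ROOTS values and the "victim" profile name are assumptions for a default Windows layout; demo() runs against a constructed record and temporary files, not the report's data.

```python
"""IOC sweep over the ThreatExpert file table (added example, not report code)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Three records copied verbatim from the report's File System Modifications
# table; together they cover the annotated, multi-path and aliased record shapes.
REPORT_ROWS = r"""
18 %Temp%\219201132626.exe
[file and pathname of the sample #1]
45,412 bytes MD5: 0x826C855B440611A944E25F072A533EA3
SHA-1: 0xA47B808987DF31318F0ED76E68BDF9B46B0B1018
(not available)
30 %Temp%\nsn34.tmp\blowfish.dll
%Temp%\nsu1B.tmp\blowfish.dll
%Temp%\nsv1E.tmp\blowfish.dll
61,440 bytes MD5: 0x926E4475C00FB5254C32C876921B77D0
SHA-1: 0x8A55BC8B6E49021A4ABBD441783C41D5E019798B
(not available)
65 %System%\zx.dll 3,584 bytes MD5: 0x7049917042D3BBFA152CB42EFD9F240B
SHA-1: 0x4E9D0A1C45454ACD8E8B42FB62CC4AAF5CD15890
W32/Bamital.dll [McAfee]
Backdoor.Win32.Shiz [Ikarus]
"""

# ASSUMED placeholder roots for a default Windows layout; "victim" is a
# hypothetical profile name. Adjust per host before a real sweep.
DEFAULT_ROOTS: Dict[str, str] = {
    "System": r"C:\Windows\System32",
    "Windir": r"C:\Windows",
    "AppData": r"C:\Users\victim\AppData\Roaming",
    "Temp": r"C:\Users\victim\AppData\Local\Temp",
}

START = re.compile(r"^(?P<idx>\d+) (?P<rest>%.*)$")          # "65 %System%\zx.dll ..."
SIZE_MD5 = re.compile(r"^(?P<pre>.*?)\s*(?P<size>[\d,]+) bytes MD5: 0x(?P<md5>[0-9A-Fa-f]{32})$")
SHA1 = re.compile(r"^SHA-1: 0x(?P<sha1>[0-9A-Fa-f]{40})$")
PLACEHOLDER = re.compile(r"%(\w+)%")


@dataclass
class FileIOC:
    index: int
    paths: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)    # bracketed annotations
    size: int = 0
    md5: str = ""
    sha1: str = ""
    aliases: List[str] = field(default_factory=list)  # AV detection names


def _absorb(ioc: FileIOC, chunk: str) -> None:
    """Consume one line from the path/size part of a record."""
    m = SIZE_MD5.match(chunk)
    if m:                                  # size + MD5, possibly preceded by a path
        if m["pre"]:
            ioc.paths.append(m["pre"])
        ioc.size = int(m["size"].replace(",", ""))
        ioc.md5 = m["md5"].lower()
    elif chunk.startswith("["):
        ioc.notes.append(chunk.strip("[]"))
    else:
        ioc.paths.append(chunk)


def parse_file_table(text: str) -> List[FileIOC]:
    """Parse the report's flattened file table into FileIOC records."""
    iocs: List[FileIOC] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START.match(line)
        if m:                              # a new numbered record begins
            if cur:
                iocs.append(cur)
            cur = FileIOC(index=int(m["idx"]))
            _absorb(cur, m["rest"])
        elif cur is None:
            continue                       # header text before the first record
        elif not cur.md5:
            _absorb(cur, line)
        elif not cur.sha1:
            s = SHA1.match(line)
            if s:
                cur.sha1 = s["sha1"].lower()
        elif line != "(not available)":
            cur.aliases.append(line)
    if cur:
        iocs.append(cur)
    return iocs


def expand(path: str, roots: Dict[str, str]) -> str:
    """Replace %Name% roots and use the host separator (KeyError if a root is unmapped)."""
    return PLACEHOLDER.sub(lambda m: roots[m.group(1)], path).replace("\\", os.sep)


def hash_file(path: str) -> Tuple[int, str, str]:
    """Return (size, md5, sha1), streaming so large files are not read at once."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def sweep(iocs: List[FileIOC], roots: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Verdict per mapped path: 'match', 'mismatch' (present but differs) or 'absent'."""
    results = []
    for ioc in iocs:
        for p in ioc.paths:
            try:
                full = expand(p, roots)
            except KeyError:
                continue                   # root not mapped on this host, skip
            if not os.path.isfile(full):
                results.append((ioc.index, full, "absent"))
                continue
            hit = hash_file(full) == (ioc.size, ioc.md5, ioc.sha1)
            results.append((ioc.index, full, "match" if hit else "mismatch"))
    return results


def demo() -> List[str]:
    """Offline run on a CONSTRUCTED record: b'hello' has the embedded MD5/SHA-1."""
    record = r"""
99 %Temp%\probe_match.bin
%Temp%\probe_mismatch.bin
%Temp%\probe_absent.bin
5 bytes MD5: 0x5D41402ABC4B2A76B9719D911017C592
SHA-1: 0xAAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D
constructed-test-record
"""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "probe_match.bin"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(tmp, "probe_mismatch.bin"), "wb") as fh:
            fh.write(b"hullo")
        return [v for _, _, v in sweep(parse_file_table(record), {"Temp": tmp})]


if __name__ == "__main__":
    for ioc in parse_file_table(REPORT_ROWS):
        print(ioc.index, ioc.paths, ioc.size, ioc.md5, ioc.aliases)
    print(demo())  # ['match', 'mismatch', 'absent']
```

To sweep a real host, feed the whole file table (lines 1 to 67 of the report) to parse_file_table and pass a roots map for the profile being examined; a 'mismatch' on a system path such as %System%\xvidcore.dll is worth a second look, since the legitimate Xvid components bundled with this installer may differ from the hashes the sandbox saw.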

Memory Modifications

Processes created by the sample (Process Name | Process Filename | Main Module Size):
GoogleDownload.exe | %AppData%\googledownload.exe | 57,344 bytes
219201132633.exe | %Temp%\219201132633.exe | 53,248 bytes
219201132636.exe | %Temp%\219201132636.exe | 53,248 bytes
219201132820.exe | %Temp%\219201132820.exe | 311,296 bytes

Memory allocated inside an existing process (Process Name | Process Filename | Allocated Size); two regions of identical size were recorded in the print spooler, a pattern consistent with code injection into spoolsv.exe:
spoolsv.exe | %System%\spoolsv.exe | 999,424 bytes
spoolsv.exe | %System%\spoolsv.exe | 999,424 bytes

Modules loaded into other processes (Module Name | Module Filename | Address Space Details):
2K-fD_.dll | %System%\2K-fD_.dll | Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0x2C9E0000 - 0x2CBF7000
A %System% DLL mapped into iexplore.exe is what the Browser Helper Object registration in the summary would produce, although the report does not tie the two findings together explicitly.

Registry Modifications

No registry entries are recorded in this copy of the report. The summary's findings still indicate where to look on an affected host: a startup entry (typically under the HKLM or HKCU ...\Microsoft\Windows\CurrentVersion\Run keys), a CLSID subkey with an InprocServer32 value under HKCR\CLSID for the 32-bit in-process server DLL, and a CLSID (likely the same one) listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects for the BHO. The specific CLSIDs and value data are not given in the report.

Other details

Russian Federation
Germany

Ports opened in the system (Port | Protocol | Process):
1069 | UDP | GoogleDownload.exe (%AppData%\GoogleDownload.exe)
1081 | UDP | GoogleDownload.exe (%AppData%\GoogleDownload.exe)
1116 | UDP | GoogleDownload.exe (%AppData%\GoogleDownload.exe)
1196 | UDP | 219201132633.exe (%Temp%\219201132633.exe)
1235 | UDP | 219201132633.exe (%Temp%\219201132633.exe)
1236 | TCP | 219201132633.exe (%Temp%\219201132633.exe)

Connection attempts to remote hosts (Remote Host | Port Number):
174.137.179.4 | 80
184.86.144.80 | 80
184.86.147.191 | 80
199.7.48.190 | 80
204.0.5.49 | 80
204.0.5.51 | 80
206.127.14.99 | 80
209.200.12.164 | 80
65.55.12.249 | 80
67.55.67.250 | 80
All connections went to port 80. Not every address here is necessarily command-and-control: 65.55.0.0/16 is Microsoft address space and the 184.86.x.x hosts appear to sit in Akamai's CDN range, so a sandbox trace mixes the sample's own traffic with background connections from the browser and Windows. Validate each address before using it as a blocking indicator.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.