Mal/ChepVil-A

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 20 May 2011 10:17:28 (GMT)
Last Updated: 20 May 2011 10:17:28 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/ChepVil-A include:

Example 1

File Information

Size: 21K
SHA-1: 1d5b27abef202b1f71b8b96e3fd0e461ec3ee114
MD5: 534be4d1b48ecb6e7ff0485ba5af47d2
CRC-32: 2afdb285
File type: application/x-ms-dos-executable
First seen: 2011-05-19

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\tmp45C0.tmp
    Size: 413K
    SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
    MD5: 27c21afa70711649b3f320b7049b3570
    CRC-32: 03981004
    File type: application/x-ms-dos-executable
    First seen: 2011-05-20
  • C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
    Size: 413K
    SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
    MD5: 27c21afa70711649b3f320b7049b3570
    CRC-32: 03981004
    File type: application/x-ms-dos-executable
    First seen: 2011-05-20
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr
    0x00000001
  • HKCU\Software
    75fa38b7-8b94-4995-ad32-52e938867954
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    SaveZoneInformation
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    MEXFxpGUVShIHWB
    C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
Registry Keys Modified
  • HKCU\Software\Microsoft\Internet Explorer\Download
    CheckExeSignatures
    no
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    LowRiskFileTypes
    /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
  • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
    Start
    0x00000002
Processes Created
  • c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
  • c:\docume~1\support\locals~1\temp\pusk.exe
  • c:\docume~1\support\locals~1\temp\trol.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://193.105.154.210/stat.php
  • http://kkojjors.net/f/g.php
  • http://searchago.org/404.php
  • http://searchat.org/404.php
  • http://searchbound.org/pica1/531-direct
  • http://variantov.com/pusk.exe
  • http://variantov.com/trol.exe
IP Connections
  • 193.105.154.210:80
  • 193.105.154.213:81
DNS Requests
  • kkojjors.net
  • searchago.org
  • searchat.org
  • searchbound.org
  • variantov.com

Example 2

File Information

Size: 21K
SHA-1: 2a1ebdabb3b167764e68759ad3641d7a1306f450
MD5: ec6b7a635ad4013597bb249684257310
CRC-32: a04aa369
File type: application/x-ms-dos-executable
First seen: 2011-05-20

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\tmp5BC8.tmp
    Size: 413K
    SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
    MD5: 27c21afa70711649b3f320b7049b3570
    CRC-32: 03981004
    File type: application/x-ms-dos-executable
    First seen: 2011-05-20
  • C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
    Size: 413K
    SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
    MD5: 27c21afa70711649b3f320b7049b3570
    CRC-32: 03981004
    File type: application/x-ms-dos-executable
    First seen: 2011-05-20
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    SaveZoneInformation
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    MEXFxpGUVShIHWB
    C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
  • HKCU\Software
    75fa38b7-8b94-4995-ad32-52e938867954
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr
    0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    LowRiskFileTypes
    /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
  • HKCU\Software\Microsoft\Internet Explorer\Download
    CheckExeSignatures
    no
Processes Created
  • c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
  • c:\docume~1\support\locals~1\temp\pusk.exe
  • c:\docume~1\support\locals~1\temp\trol.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://193.105.154.210/stat.php
  • http://clickodd.org/pica1/531-direct
  • http://kkojjors.net/f/g.php
  • http://searchago.org/404.php
  • http://searchbound.org/pica1/531-direct
  • http://variantov.com/pusk.exe
  • http://variantov.com/trol.exe
IP Connections
  • 193.105.154.210:80
  • 193.105.154.213:81
DNS Requests
  • clickodd.org
  • kkojjors.net
  • searchago.org
  • searchbound.org
  • variantov.com

Example 3

File Information

Size: 19K
SHA-1: 9f6f6b838dbf9020e4d0d5fb6aa84dec59c78b0a
MD5: 1685ba58587ddb93f3c061f3141a25a3
CRC-32: 0a3a0266
File type: application/x-ms-dos-executable
First seen: 2011-05-18

Other vendor detection

Kaspersky: Trojan-Downloader.Win32.FraudLoad.zfji

Runtime Analysis

Dropped Files
  • C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
    Size: 413K
    SHA-1: f95a2ddeaea14d1ff77de1a401793728070b95f7
    MD5: 02fe7aeea78e99886bfd52479185cc1c
    CRC-32: eb6c59d7
    File type: application/x-ms-dos-executable
    First seen: 2011-05-20
  • c:\Documents and Settings\test user\Local Settings\Temp\tmp5DCC.tmp
    Size: 413K
    SHA-1: f95a2ddeaea14d1ff77de1a401793728070b95f7
    MD5: 02fe7aeea78e99886bfd52479185cc1c
    CRC-32: eb6c59d7
    File type: application/x-ms-dos-executable
    First seen: 2011-05-20
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    SaveZoneInformation
    0x00000001
  • HKCU\Software
    75fa38b7-8b94-4995-ad32-52e938867954
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    MEXFxpGUVShIHWB
    C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr
    0x00000001
Registry Keys Modified
  • HKCU\Software\Microsoft\Internet Explorer\Download
    CheckExeSignatures
    no
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    LowRiskFileTypes
    /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
  • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
    Start
    0x00000002
Processes Created
  • c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
  • c:\docume~1\support\locals~1\temp\pusk3.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://clickodd.org/pica1/531-direct
  • http://kkojjors.net/f/g.php
  • http://miliardov.com/pusk3.exe
  • http://searchago.org/404.php
  • http://searchbound.org/pica1/531-direct
DNS Requests
  • clickodd.org
  • kkojjors.net
  • miliardov.com
  • searchago.org
  • searchbound.org