Mal/ChepVil-A

    Category: Viruses and SpywareProtection available since:20 May 2011 10:17:28 (GMT)
    Type: Malicious behaviorLast Updated:20 May 2011 10:17:28 (GMT)
    Prevalence: Small Number of Reports

    Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

    Examples of Mal/ChepVil-A include:

    Example 1

    File Information

    Size
    21K
    SHA-1
    1d5b27abef202b1f71b8b96e3fd0e461ec3ee114
    MD5
    534be4d1b48ecb6e7ff0485ba5af47d2
    CRC-32
    2afdb285
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-19

    Runtime Analysis

    Dropped Files
    • c:\Documents and Settings\test user\Local Settings\Temp\tmp45C0.tmp
      Size
      413K
      SHA-1
      21119141cf095c041b9280d35d7e0f2e4a0ae21f
      MD5
      27c21afa70711649b3f320b7049b3570
      CRC-32
      03981004
      File type
      application/x-ms-dos-executable
      First seen
      2011-05-20
    • C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
      Size
      413K
      SHA-1
      21119141cf095c041b9280d35d7e0f2e4a0ae21f
      MD5
      27c21afa70711649b3f320b7049b3570
      CRC-32
      03981004
      File type
      application/x-ms-dos-executable
      First seen
      2011-05-20
    Registry Keys Created
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableTaskMgr
      0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      DisableTaskMgr
      0x00000001
    • HKCU\Software
      75fa38b7-8b94-4995-ad32-52e938867954
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
      SaveZoneInformation
      0x00000001
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      MEXFxpGUVShIHWB
      C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
    Registry Keys Modified
    • HKCU\Software\Microsoft\Internet Explorer\Download
      CheckExeSignatures
      no
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
      LowRiskFileTypes
      /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
    • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
      Start
      0x00000002
    Processes Created
    • c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
    • c:\docume~1\support\locals~1\temp\pusk.exe
    • c:\docume~1\support\locals~1\temp\trol.exe
    • c:\windows\system32\cmd.exe
    • c:\windows\system32\svchost.exe
    HTTP Requests
    • http://193.105.154.210/stat.php
    • http://kkojjors.net/f/g.php
    • http://searchago.org/404.php
    • http://searchat.org/404.php
    • http://searchbound.org/pica1/531-direct
    • http://variantov.com/pusk.exe
    • http://variantov.com/trol.exe
    IP Connections
    • 193.105.154.210:80
    • 193.105.154.213:81
    DNS Requests
    • kkojjors.net
    • searchago.org
    • searchat.org
    • searchbound.org
    • variantov.com

    Example 2

    File Information

    Size
    21K
    SHA-1
    2a1ebdabb3b167764e68759ad3641d7a1306f450
    MD5
    ec6b7a635ad4013597bb249684257310
    CRC-32
    a04aa369
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-20

    Runtime Analysis

    Dropped Files
    • c:\Documents and Settings\test user\Local Settings\Temp\tmp5BC8.tmp
      Size
      413K
      SHA-1
      21119141cf095c041b9280d35d7e0f2e4a0ae21f
      MD5
      27c21afa70711649b3f320b7049b3570
      CRC-32
      03981004
      File type
      application/x-ms-dos-executable
      First seen
      2011-05-20
    • C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
      Size
      413K
      SHA-1
      21119141cf095c041b9280d35d7e0f2e4a0ae21f
      MD5
      27c21afa70711649b3f320b7049b3570
      CRC-32
      03981004
      File type
      application/x-ms-dos-executable
      First seen
      2011-05-20
    Registry Keys Created
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
      SaveZoneInformation
      0x00000001
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      MEXFxpGUVShIHWB
      C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
    • HKCU\Software
      75fa38b7-8b94-4995-ad32-52e938867954
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableTaskMgr
      0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      DisableTaskMgr
      0x00000001
    Registry Keys Modified
    • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
      Start
      0x00000002
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
      LowRiskFileTypes
      /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
    • HKCU\Software\Microsoft\Internet Explorer\Download
      CheckExeSignatures
      no
    Processes Created
    • c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
    • c:\docume~1\support\locals~1\temp\pusk.exe
    • c:\docume~1\support\locals~1\temp\trol.exe
    • c:\windows\system32\cmd.exe
    • c:\windows\system32\svchost.exe
    HTTP Requests
    • http://193.105.154.210/stat.php
    • http://clickodd.org/pica1/531-direct
    • http://kkojjors.net/f/g.php
    • http://searchago.org/404.php
    • http://searchbound.org/pica1/531-direct
    • http://variantov.com/pusk.exe
    • http://variantov.com/trol.exe
    IP Connections
    • 193.105.154.210:80
    • 193.105.154.213:81
    DNS Requests
    • clickodd.org
    • kkojjors.net
    • searchago.org
    • searchbound.org
    • variantov.com

    Example 3

    File Information

    Size
    19K
    SHA-1
    9f6f6b838dbf9020e4d0d5fb6aa84dec59c78b0a
    MD5
    1685ba58587ddb93f3c061f3141a25a3
    CRC-32
    0a3a0266
    File type
    application/x-ms-dos-executable
    First seen
    2011-05-18

    Other vendor detection

    Kaspersky
    Trojan-Downloader.Win32.FraudLoad.zfji

    Runtime Analysis

    Dropped Files
    • C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
      Size
      413K
      SHA-1
      f95a2ddeaea14d1ff77de1a401793728070b95f7
      MD5
      02fe7aeea78e99886bfd52479185cc1c
      CRC-32
      eb6c59d7
      File type
      application/x-ms-dos-executable
      First seen
      2011-05-20
    • c:\Documents and Settings\test user\Local Settings\Temp\tmp5DCC.tmp
      Size
      413K
      SHA-1
      f95a2ddeaea14d1ff77de1a401793728070b95f7
      MD5
      02fe7aeea78e99886bfd52479185cc1c
      CRC-32
      eb6c59d7
      File type
      application/x-ms-dos-executable
      First seen
      2011-05-20
    Registry Keys Created
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
      SaveZoneInformation
      0x00000001
    • HKCU\Software
      75fa38b7-8b94-4995-ad32-52e938867954
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      MEXFxpGUVShIHWB
      C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableTaskMgr
      0x00000001
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      DisableTaskMgr
      0x00000001
    Registry Keys Modified
    • HKCU\Software\Microsoft\Internet Explorer\Download
      CheckExeSignatures
      no
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
      LowRiskFileTypes
      /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
    • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
      Start
      0x00000002
    Processes Created
    • c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
    • c:\docume~1\support\locals~1\temp\pusk3.exe
    • c:\windows\system32\svchost.exe
    HTTP Requests
    • http://clickodd.org/pica1/531-direct
    • http://kkojjors.net/f/g.php
    • http://miliardov.com/pusk3.exe
    • http://searchago.org/404.php
    • http://searchbound.org/pica1/531-direct
    DNS Requests
    • clickodd.org
    • kkojjors.net
    • miliardov.com
    • searchago.org
    • searchbound.org

    Download Sophos HomeDownload
    Sophos Home

    Free business-grade security for the home.

    Endpoint Protection