Examples of Mal/ChepVil-A include:
Example 1
File Information
- Size: 21K
- SHA-1: 1d5b27abef202b1f71b8b96e3fd0e461ec3ee114
- MD5: 534be4d1b48ecb6e7ff0485ba5af47d2
- CRC-32: 2afdb285
- File type: application/x-ms-dos-executable
- First seen: 2011-05-19
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Temp\tmp45C0.tmp
  - Size: 413K
  - SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
  - MD5: 27c21afa70711649b3f320b7049b3570
  - CRC-32: 03981004
  - File type: application/x-ms-dos-executable
  - First seen: 2011-05-20
- C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
  - Size: 413K
  - SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
  - MD5: 27c21afa70711649b3f320b7049b3570
  - CRC-32: 03981004
  - File type: application/x-ms-dos-executable
  - First seen: 2011-05-20
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableTaskMgr: 0x00000001
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - DisableTaskMgr: 0x00000001
- HKCU\Software
  - 75fa38b7-8b94-4995-ad32-52e938867954
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  - SaveZoneInformation: 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - MEXFxpGUVShIHWB: C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
Registry Keys Modified
- HKCU\Software\Microsoft\Internet Explorer\Download
  - CheckExeSignatures: no
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - LowRiskFileTypes: /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
- HKLM\SYSTEM\CurrentControlSet\Services\Spooler
  - Start: 0x00000002
Processes Created
- c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
- c:\docume~1\support\locals~1\temp\pusk.exe
- c:\docume~1\support\locals~1\temp\trol.exe
- c:\windows\system32\cmd.exe
- c:\windows\system32\svchost.exe
HTTP Requests
- http://193.105.154.210/stat.php
- http://kkojjors.net/f/g.php
- http://searchago.org/404.php
- http://searchat.org/404.php
- http://searchbound.org/pica1/531-direct
- http://variantov.com/pusk.exe
- http://variantov.com/trol.exe
IP Connections
- 193.105.154.210:80
- 193.105.154.213:81
DNS Requests
- kkojjors.net
- searchago.org
- searchat.org
- searchbound.org
- variantov.com
Example 2
File Information
- Size: 21K
- SHA-1: 2a1ebdabb3b167764e68759ad3641d7a1306f450
- MD5: ec6b7a635ad4013597bb249684257310
- CRC-32: a04aa369
- File type: application/x-ms-dos-executable
- First seen: 2011-05-20
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Temp\tmp5BC8.tmp
  - Size: 413K
  - SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
  - MD5: 27c21afa70711649b3f320b7049b3570
  - CRC-32: 03981004
  - File type: application/x-ms-dos-executable
  - First seen: 2011-05-20
- C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
  - Size: 413K
  - SHA-1: 21119141cf095c041b9280d35d7e0f2e4a0ae21f
  - MD5: 27c21afa70711649b3f320b7049b3570
  - CRC-32: 03981004
  - File type: application/x-ms-dos-executable
  - First seen: 2011-05-20
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  - SaveZoneInformation: 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - MEXFxpGUVShIHWB: C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
- HKCU\Software
  - 75fa38b7-8b94-4995-ad32-52e938867954
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableTaskMgr: 0x00000001
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - DisableTaskMgr: 0x00000001
Registry Keys Modified
- HKLM\SYSTEM\CurrentControlSet\Services\Spooler
  - Start: 0x00000002
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - LowRiskFileTypes: /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
- HKCU\Software\Microsoft\Internet Explorer\Download
  - CheckExeSignatures: no
Processes Created
- c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
- c:\docume~1\support\locals~1\temp\pusk.exe
- c:\docume~1\support\locals~1\temp\trol.exe
- c:\windows\system32\cmd.exe
- c:\windows\system32\svchost.exe
HTTP Requests
- http://193.105.154.210/stat.php
- http://clickodd.org/pica1/531-direct
- http://kkojjors.net/f/g.php
- http://searchago.org/404.php
- http://searchbound.org/pica1/531-direct
- http://variantov.com/pusk.exe
- http://variantov.com/trol.exe
IP Connections
- 193.105.154.210:80
- 193.105.154.213:81
DNS Requests
- clickodd.org
- kkojjors.net
- searchago.org
- searchbound.org
- variantov.com
Example 3
File Information
- Size: 19K
- SHA-1: 9f6f6b838dbf9020e4d0d5fb6aa84dec59c78b0a
- MD5: 1685ba58587ddb93f3c061f3141a25a3
- CRC-32: 0a3a0266
- File type: application/x-ms-dos-executable
- First seen: 2011-05-18
Other vendor detection
- Kaspersky: Trojan-Downloader.Win32.FraudLoad.zfji
Runtime Analysis
Dropped Files
- C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
  - Size: 413K
  - SHA-1: f95a2ddeaea14d1ff77de1a401793728070b95f7
  - MD5: 02fe7aeea78e99886bfd52479185cc1c
  - CRC-32: eb6c59d7
  - File type: application/x-ms-dos-executable
  - First seen: 2011-05-20
- c:\Documents and Settings\test user\Local Settings\Temp\tmp5DCC.tmp
  - Size: 413K
  - SHA-1: f95a2ddeaea14d1ff77de1a401793728070b95f7
  - MD5: 02fe7aeea78e99886bfd52479185cc1c
  - CRC-32: eb6c59d7
  - File type: application/x-ms-dos-executable
  - First seen: 2011-05-20
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  - SaveZoneInformation: 0x00000001
- HKCU\Software
  - 75fa38b7-8b94-4995-ad32-52e938867954
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - MEXFxpGUVShIHWB: C:\Documents and Settings\All Users\Application Data\MEXFxpGUVShIHWB.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableTaskMgr: 0x00000001
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - DisableTaskMgr: 0x00000001
Registry Keys Modified
- HKCU\Software\Microsoft\Internet Explorer\Download
  - CheckExeSignatures: no
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - LowRiskFileTypes: /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
- HKLM\SYSTEM\CurrentControlSet\Services\Spooler
  - Start: 0x00000002
Processes Created
- c:\documents and settings\all users\application data\mexfxpguvshihwb.exe
- c:\docume~1\support\locals~1\temp\pusk3.exe
- c:\windows\system32\svchost.exe
HTTP Requests
- http://clickodd.org/pica1/531-direct
- http://kkojjors.net/f/g.php
- http://miliardov.com/pusk3.exe
- http://searchago.org/404.php
- http://searchbound.org/pica1/531-direct
DNS Requests
- clickodd.org
- kkojjors.net
- miliardov.com
- searchago.org
- searchbound.org