Search

following files: __tmp_rar_sfx_access_check_76640 %User Temp%\RarSFX0\_CHAR(0x04)_ _ YSGxBArVzWJr (Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}

\Software\Microsoft\ Windows\CurrentVersion\Ext\ Settings\{b16fb86d-2c77-46e8-8ef3-950af3188f56} This report is generated via an automated analysis system. Worm:Win32/Vundo.A (Microsoft); Vundo (McAfee);

dd_vcredistMSI6BB9.txt dd_vcredistUI5DA7.txt dd_vcredistUI6BB9.txt Perflib_Perfdata_42c.dat Perflib_Perfdata_740.dat _$Df smss temp-467253783.bat Dropping Routine This backdoor drops the following files: %User Startup%

HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Applets\ Wordpad\IP Dropping Routine This Trojan drops the following files: %User Temp%\macfss.exe %User Temp%\˜_•¶–â‘è‚ɂ‚¢‚Ä.doc (Note: %User Temp% is

and target directory where the download will be saved. clr_combine → Combine files that contains a custom filename + "_*.config_txt". clr_scloader → Shellcode loader that contains a BASE64-encoded

ƒ„uq}=…€w‚qtu~>s}" HKEY_LOCAL_MACHINE\SOFTWARE\opactium port = "H@" HKEY_LOCAL_MACHINE\SOFTWARE\opactium password = "€qs„y…}" HKEY_LOCAL_MACHINE\SOFTWARE\opactium myname = "_€DsGA…}" HKEY_LOCAL_MACHINE

}.satan_pro It drops the following file(s) as ransom note: {drive letter}:\_如何解密我的文件_.txt It leaves text files that serve as ransom notes containing the following text: Downloaded from the Internet, Dropped by

characters replaced with '_' However, as of this writing, the said sites are inaccessible. NOTES: It does not have rootkit capabilities. It does not exploit any vulnerability. Trojan:Win32/Miuref.A (Microsoft

%-SSl$$%*SAdd-Type -TypeDefinition $hd2ba7a2;Sl$$%-SSl$$%*S[v62ee1]::a89a716();Sl$$%-SSl$$%*SSl$$%-SSl$$%*SSl$$%-SSl$$%*_ Other System Modifications This Trojan modifies the following file(s):

"Powershell wevtutil el | Foreach-Object {Write-Host \"Clearing $_\"; wevtutil cl \"$_\"}" /ru "" /RL HIGHEST cmd.exe /c schtasks /create /tn shutdown00 /tr \"shutdown -r -t 0\" /sc once /st {Time} /ru

\dd_vcredistUI6BB9.txt %User Temp%\Perflib_Perfdata_42c.dat %User Temp%\Perflib_Perfdata_740.dat %User Temp%\_$Df %Temporary Internet Files%\. %Temporary Internet Files%\.. %Temporary Internet Files%\Content.IE5

'VY7BSsQwFAB/JYYiLdi0qyLSsoi4rgiyu7gHD+rhNXnQaJIXksdWEf/d6s37zDCGvrJDjOJ80Rcp+uUdcv0IwZDvC/KYxVI834aDTRQ8Bn7tuplYkzOYdsBjKR9Ig7uO0VkNbCmsgEFWfbnBqd4Ob6hZ7D8zo1cbZPWEw42zc6hSK5qCIzBr61DdhwO9YylH5tg1jcaB0RCD0uSb9qy9OG0Xl/JE/j29/J4q/EBZfU/jrJdHxVXVH+8ZEte7RBpzFv/RHw==' ) "\" + [StriNg][ChaR]44 +"\"[Io.ComPrESsiON.compRessioNmoDE]::dECOmPREss) | fOrEACH-OBJecT { new-obJEcT Io.stREamREADer( `$_"\" + [StriNg][ChaR]44 +"\"

\ IPMsgEng\Fonts\SendEdit Italic = "0" HKEY_CURRENT_USER\Software\HSTools\ IPMsgEng\Fonts\SendEdit UnderLine = "0" HKEY_CURRENT_USER\Software\HSTools\ IPMsgEng\Fonts\SendEdit StrikeOut = "0" HKEY_CURRENT_USER

remote sites. Installation This backdoor drops the following files: %User Temp%\GoogleUp-date.exe - also detected as BKDR_ZAPCHAST.SG %User Temp%\_$temp - encrypted component %User Startup%\(Empty).lnk -

]:NSIS, [$PLUGINSDIR\install.exe/$PLUGINSDIR\EP.exe]:Trojan-Do (Kaspersky); Trojan.Win32.FraudPack.gen.a (v), Trojan.Win32.Alureon.bk (v), Trojan.Win32.Bredolab.Gen.2 (v), Troj (Sunbelt);

substrings: smpl vir malw test troj It terminates itself if any of the following user name(s) are found in the affected system: luser perl python trace dump It searches for itself in the following autostart

backdoor uses the computer name as the title of the draft it creates. It then adds the text "$_$Today is a very important day for me.$" It also includes the date and time the malware is executed in the

Trojan.Win32.Monderd.gen (Kaspersky); Vundo (McAfee); Troj/Virtum-Gen (Sophos); Trojan.Vundo.Gen.4 (FSecure); Trojan.Win32.Monder.gen.1 (Sunbelt); Trojan.Win32.Monderd (Ikarus) Downloaded from the Internet Drops files

creates the following event(s): {Computer Name}{Fullpath and Filename} special characters replaced with '_' Troj/VBDrop-AR (Sophos) ,Trojan-Ransom.PornoAsset (Ikarus) ,Win32.Malware!Drop (Sunbelt)

with '_' Troj/VBDrop-AS (Sophos) ,Trojan horse Generic35.AXFQ (AVG) ,W32/Dorkbot.BAAr (Fortinet) ,Trojan.Win32.Inject (Ikarus) ,Trojan.Win32.Inject.gyju (Kaspersky) ,Trojan.Dropper (Symantec)