Thursday, May 13, 2010

#1

Variant 1

Service

Possible display names and file locations
ServiceDll C:\Documents and Settings\NetworkService\1e0219eb.dll
ServiceDll C:\Documents and Settings\%user%\42ecacd.dll - VirusTotal


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1e0219eb

ImagePath %SystemRoot%\System32\svchost.exe -k "1e0219eb"


File 1e0219eb.dll received on 2010.05.13 16:52:44 (UTC)
http://www.virustotal.com/analisis/75361b610426287685d57fb7e2947f52b1fe740cb6d3f5ac8e9c98fea0b7c7e7-1273769564
Result: 23/41 (56.10%)
a-squared    4.5.0.50    2010.05.10    Trojan.Win32.Agent!IK
AhnLab-V3    2010.05.13.01    2010.05.13    Win-Trojan/Mdmbot.30720
AntiVir    8.2.1.242    2010.05.13    TR/CryptRedol.30720.3
Antiy-AVL    2.0.3.7    2010.05.13    Trojan/Win32.Agent.gen
Avast    4.8.1351.0    2010.05.13    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.13    Win32:Malware-gen
AVG    9.0.0.787    2010.05.13    Agent2.ASUL
BitDefender    7.2    2010.05.13    Trojan.CryptRedol.Gen.3
Comodo    4832    2010.05.13    UnclassifiedMalware
F-Secure    9.0.15370.0    2010.05.13    Trojan.CryptRedol.Gen.3
Fortinet    4.1.133.0    2010.05.13    W32/Agent.DXTO!tr
GData    21    2010.05.13    Trojan.CryptRedol.Gen.3
Ikarus    T3.1.1.84.0    2010.05.13    Trojan.Win32.Agent
Kaspersky    7.0.0.125    2010.05.13    Trojan.Win32.Agent.dxto
McAfee-GW-Edition    2010.1    2010.05.13    Artemis!E40670E6A0AD
Microsoft    1.5703    2010.05.13    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-13.01    2010.05.13    Trojan.CryptRedol.Gen.3
Panda    10.0.2.7    2010.05.13    Suspicious file
Sunbelt    6298    2010.05.13    Trojan.Win32.Generic!BT
TheHacker    6.5.2.0.280    2010.05.13    Trojan/Agent.dxto
TrendMicro    9.120.0.1004    2010.05.13    BKDR_MDMBOT.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.13    BKDR_MDMBOT.A
VBA32    3.12.12.4    2010.05.13    Trojan.Win32.Agent.dxto
Additional information
File size: 30720 bytes
MD5: e40670e6a0ad1c41211f38b92bfe436a

Variant 2
Also known as AppMgmt.dll

Service
Displayname Application Management
Service name Application Management
Description Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default - Manual
Legitimate key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll = %SystemRoot%\System32\appmgmts.dll
Service starts - Manual
Compromised key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = C:\Documents and Settings\Default User\AppMgmt.dll
Service starts - Automatic
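Both variants persist the same way: a svchost-hosted service whose ServiceDll value points at a DLL in a user profile directory instead of %SystemRoot%\System32 (Variant 1 with a random-looking service and svchost group name, Variant 2 by overwriting the ServiceDll of the legitimate AppMgmt service). The following is an added example, not code from the original post, that audits a snapshot of service entries for exactly those two conditions. Registry access is replaced by a constructed in-memory list built from the indicators quoted above plus a clean control entry; the KNOWN_GOOD baseline and the helper names are assumptions, and on a live host the same function would be fed from HKLM\SYSTEM\CurrentControlSet\Services via winreg.

```python
"""Flag svchost-hosted services whose ServiceDll looks hijacked.

Added example (not from the original post). Two checks drawn from the
indicators above:
  1. ServiceDll outside %SystemRoot%\\System32 (or SysWOW64).
  2. A service with a known-good ServiceDll whose data differs from it.
A third, weaker signal is an ImagePath whose svchost -k group is simply the
service's own name, as in Variant 1 (legitimate groups are shared names
such as netsvcs).
"""
import ntpath

# Assumed baseline for services the post mentions (Windows XP/2003 default);
# extend with your own golden image.
KNOWN_GOOD = {
    "appmgmt": r"%systemroot%\system32\appmgmts.dll",
}

TRUSTED_DIRS = (r"%systemroot%\system32", r"%systemroot%\syswow64")

# Constructed snapshot: (service name, ServiceDll data, ImagePath data).
# The first two rows are the indicators quoted in the post; the third is
# a clean control entry.
SAMPLE_SERVICES = [
    ("1e0219eb", r"C:\Documents and Settings\NetworkService\1e0219eb.dll",
     r'%SystemRoot%\System32\svchost.exe -k "1e0219eb"'),
    ("AppMgmt", r"C:\Documents and Settings\Default User\AppMgmt.dll",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    ("Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll",
     r"%SystemRoot%\system32\svchost.exe -k NetworkService"),
]


def normalize(path, system_root=r"C:\WINDOWS"):
    """Lower-case, strip quotes and fold the expanded SystemRoot back into
    the variable form so literal and %SystemRoot% spellings compare equal."""
    p = path.strip().strip('"').lower()
    p = p.replace(system_root.lower(), "%systemroot%")
    return ntpath.normpath(p)


def svchost_group(image_path):
    """Return the -k group name from a svchost ImagePath, or '' if none."""
    parts = image_path.lower().split(" -k ", 1)
    return parts[1].strip().strip('"') if len(parts) == 2 else ""


def audit_service(name, service_dll, image_path=""):
    """Return a list of finding strings for one service (empty means clean)."""
    findings = []
    dll = normalize(service_dll)
    if ntpath.dirname(dll) not in TRUSTED_DIRS:
        findings.append(f"ServiceDll outside System32: {service_dll}")
    baseline = KNOWN_GOOD.get(name.lower())
    if baseline and dll != ntpath.normpath(baseline):
        findings.append(f"ServiceDll differs from baseline {baseline}: {service_dll}")
    if image_path and svchost_group(image_path) == name.lower():
        findings.append(f"svchost group named after the service itself: {image_path}")
    return findings


def audit_snapshot(services):
    """Map service name -> findings for every service that has at least one."""
    report = {}
    for name, dll, image in services:
        findings = audit_service(name, dll, image)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for svc, issues in audit_snapshot(SAMPLE_SERVICES).items():
        print(svc)
        for issue in issues:
            print("   ", issue)
```

Run against the constructed snapshot, both quoted indicators are reported with two findings each and the Dnscache control entry is silent. The baseline check is what catches Variant 2: the DLL name matches the real service, so only a comparison against known-good data (or the path check) exposes the swap.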

C:\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender    7.2    2010.05.06    Trojan.CryptRedol.Gen.3
F-Secure    9.0.15370.0    2010.05.06    Trojan.CryptRedol.Gen.3
GData    21    2010.05.06    Trojan.CryptRedol.Gen.3
Microsoft    1.5703    2010.05.05    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-05.01    2010.05.05    Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5: e40670e6a0ad1c41211f38b92bfe436a

