I would appreciate if others would take a deeper look into this one / add comments.
MD5: 2efe003b8969fa946f194333152f334c
https://www.virustotal.com/file/8be9b39 ... /analysis/
This has some ZeroAccess similarities; it could be something new, as I have not seen this type of folder created before.
Here are the notes I've gathered so far:
%Windir% reparse point folder is missing but the following folder is created: C:\WINDOWS\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}
Inside this folder is:
Folder: L [empty]
Folder: U [inside is: 00000001.@, 800000cb.@, 80000000.@]
File: @ [2kb]
File: n [44kb]
This folder is created too but isn't as complete as the previous one: %userprofile%\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}
No infected drivers or services.
========== regfind ==========
Searching for "1982f959-ca43-079e-42d0-55eab62fdb19"
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
Attachments
pass: infected
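A read-only PowerShell check for the artifacts described in this post (an added example, not code from the original poster): it walks the CLSID\InprocServer32 default values in HKLM and HKCU looking for the "\n." target, the \\.\globalroot\ path form and the {GUID}-folder locations shown in the regfind output, then looks for {GUID} folders under Installer and the per-user Application Data directory that carry the U and n entries from the listing above. It assumes an elevated prompt on the suspect host; the match patterns are generalized from the post's values rather than hard-coded to this sample's GUID.

```powershell
# Added example: hunt for the COM InprocServer32 hijack and the {GUID} folder layout from this post.
# Read-only; run from an elevated PowerShell prompt on the host under investigation.
$hives = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
           'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID')

# Patterns taken from the regfind output: a target named "n" (with or without the trailing dot),
# a \\.\globalroot\ path, or a GUID-named folder under Installer or Local Settings\Application Data.
$suspicious = @('\\n\.?$',
                '^\\\\\.\\globalroot\\',
                '\\Installer\\\{[0-9a-f-]{36}\}\\',
                '\\Application Data\\\{[0-9a-f-]{36}\}\\')

$hits = @()
foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($clsid in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
        $inproc = $clsid.PSPath + '\InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $target = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $target) { continue }
        foreach ($re in $suspicious) {
            if ($target -imatch $re) {
                $hits += [pscustomobject]@{ Where = $inproc; Value = $target; Reason = "regex $re" }
                break
            }
        }
    }
}

# On-disk layout from the post: {GUID}\L, {GUID}\U\*.@, {GUID}\@, {GUID}\n.
# Legitimate MSI {GUID} folders also live under Installer, so only flag ones that carry U and n.
$roots = @("$env:windir\Installer",
           "$env:USERPROFILE\Local Settings\Application Data",
           $env:LOCALAPPDATA)
foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    $dirs = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' }
    foreach ($dir in $dirs) {
        $hasU = Test-Path (Join-Path $dir.FullName 'U')
        $hasN = Test-Path (Join-Path $dir.FullName 'n')
        if ($hasU -and $hasN) {
            $hits += [pscustomobject]@{ Where = $dir.FullName; Value = '(folder)'; Reason = 'U and n present' }
        }
    }
}

if ($hits.Count -eq 0) { 'No matching InprocServer32 values or {GUID} folders found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

The registry walk reports each CLSID once with the first pattern that matched, so a clean host prints the "No matching" line; any hit should be compared against the full regfind output above before acting on it.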