A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4721  by Meriadoc
 Tue Jan 25, 2011 3:18 pm
Thanks nullptr :)
Security Zone change

File C:\WINDOWS\system32\sshnas21.dll
File C:\WINDOWS\Spuxoa.exe

Registry entry "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS\ImagePath" (created) :
New entry was set to <%SystemRoot%\system32\svchost.exe -k netsvcs>
Registry entry "HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Run\CE8SIIFGSU" (created) :
New entry was set to <C:\DOCUME~1\user\LOCALS~1\Temp\Sn1.exe>
Registry entry "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS\Parameters\ServiceDll" (created) :
New entry was set to <C:\WINDOWS\system32\sshnas21.dll>

Scheduled task "{22116563-108C-42c0-A7CE-60161B75E508}.job" (created) :
New scheduled task: <C:\Documents and Settings\user\Local Settings\Temp\Sn1.exe >
Scheduled task "{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job" (created) :
New scheduled task: <C:\Documents and Settings\user\Local Settings\Temp\Sn2.exe >
Scheduled task "{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job" (created) :
New scheduled task: <C:\WINDOWS\Spuxoa.exe >

Process Spuxoa.exe <C:\WINDOWS\Spuxoa.exe>
Process Sn2.exe <C:\Documents and Settings\user\Local Settings\Temp\Sn2.exe>
Process rundll32.exe <C:\WINDOWS\system32\rundll32.exe>
Process Sn1.exe <C:\Documents and Settings\user\Local Settings\Temp\Sn1.exe>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry        Description        Publisher                  Image Path
CE8SIIFGSU   Windows Setup API  (Not Verified) Avira GmbH  c:\documents and settings\user\local settings\temp\sn1.exe
CL2GFOKBC9   Windows Setup API  (Not Verified) Avira GmbH  c:\windows\spuxoa.exe

HKLM\System\CurrentControlSet\Services
Entry        Description        Publisher                  Image Path
SSHNAS       Windows Setup API  (Not Verified) Avira GmbH  c:\windows\system32\sshnas21.dll
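The persistence in the log above is the classic svchost-hosted service: ImagePath is the stock `svchost.exe -k netsvcs`, and the actual payload is the DLL named in `Parameters\ServiceDll`. A hunt for that pattern, as an added example that is not from the original post: it walks every service key, keeps the ones hosted by svchost, resolves the ServiceDll, checks the file's Authenticode signature and whether the service name is actually listed in its Svchost group, and prints the ones that are not validly Microsoft-signed. It assumes a Windows host with PowerShell 2.0 or later and read access to HKLM\SYSTEM (run elevated for full coverage); the group-membership check reads the Svchost key under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`.

```powershell
# Added example (not from the original post): find svchost-hosted services whose
# ServiceDll is missing, unsigned, or not signed by Microsoft.
# Assumes Windows, PowerShell 2.0+, read access to HKLM\SYSTEM; run elevated.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-SvchostServiceDll {
    Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = $_
        # ImagePath is REG_EXPAND_SZ; Get-ItemProperty expands %SystemRoot% for us.
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath -or $imagePath -notmatch 'svchost\.exe\s+-k\s+(\S+)') { return }
        $group = $Matches[1]

        # The real code lives in Parameters\ServiceDll, not in ImagePath.
        $paramsPath = "$($svc.PSPath)\Parameters"
        $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        # A service only loads under svchost if its name is in the group's REG_MULTI_SZ list,
        # so malware that adds a new name (e.g. SSHNAS) usually has to edit this list too.
        $members = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).$group
        $inGroup = @($members) -contains $svc.PSChildName

        if (Test-Path -LiteralPath $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            $status = 'FileMissing'
            $signer = ''
        }

        New-Object PSObject -Property @{
            Service    = $svc.PSChildName
            Group      = $group
            InGroup    = $inGroup
            ServiceDll = $dll
            SigStatus  = $status
            Signer     = $signer
        }
    }
}

# Report anything that is not a validly signed Microsoft DLL, or that is wired into
# svchost without being listed in its group (either way worth a look).
Get-SvchostServiceDll |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' -or -not $_.InGroup } |
    Sort-Object Service |
    Format-Table Service, Group, InGroup, SigStatus, ServiceDll -AutoSize
```

On a clean system the output is normally empty or limited to third-party vendors' own services; an entry like SSHNAS pointing at a DLL in system32 with `SigStatus` of `NotSigned` is exactly what the log above describes. Note that the `Publisher` column Autoruns shows ("Avira GmbH", not verified) comes from the PE version resource, which the malware sets freely; the Authenticode check here is the one that cannot be forged by editing a string.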
 #6911  by EP_X0FF
 Thu Jun 23, 2011 3:10 am
markusg wrote: flashPlugin.40028.exe
http://moviehugestorage.us/flashPlugin.40028.exe
http://www.virustotal.com/file-scan/rep ... 1308769637
You can change the last two digits from 01 to 99 and get files with other MD5s.
Trojan Downloader Renos.

Posts moved.