Topic: weird PC
post #6 (permalink)
Old 30/04/08, 18:49:03
incognito20 is offline
User
Registered: Jan 2007
Location: Mexico
Posts: 23
Re: weird PC

I'm already dealing with this issue at http://www.forospyware.com/t166159.html; I think we should close this thread so as not to have two open. Anyway, here are the reports.

Analysis of file WINTMP.EXE, received 01.05.2008 00:36:52 (CET)
Antivirus engine  Version  Last update  Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 Worm/IrcBot.19968.18
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 SHeur.BHTM
BitDefender 7.2 2008.05.01 Win32.Worm.Slenfbot.E
CAT-QuickHeal 9.50 2008.04.30 Backdoor.IRCBot.csf
ClamAV 0.92.1 2008.04.30 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5749 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 Backdoor.Win32.IRCBot.csf
FileAdvisor 1 2008.05.01 -
Fortinet 3.14.0.0 2008.04.30 W32/IRCBot.CSF!tr.bdr
Ikarus T3.1.1.26.0 2008.04.30 Dialer
Kaspersky 7.0.0.125 2008.05.01 Backdoor.Win32.IRCBot.csf
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 Worm:Win32/Slenfbot.gen!B
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 -
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 Generic.Malware
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 Mal/Generic-A
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 -
TheHacker 6.2.92.298 2008.04.30 Backdoor/IRCBot.csf
VBA32 3.12.6.5 2008.04.30 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0

Additional information
File size: 19968 bytes
MD5...: 9d10555d0796dca73d8a7368fc85f702
SHA1..: 97ae12d35067ce032820426910e74df0176c571b
SHA256: 788faa85b3a3a2c3dc896f731556aa7a1f215e4b63057d11504bf3287a6b1e30
SHA512: b9fe617296cb8e73463cc5ff47898f40365ac8164f8106ad38ebc40f01c88aad8c883b60693ccf965f7d9b048bc630e361223a3db74f15c2f6ebcbfc3b65af6f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4173e0
timedatestamp.....: 0x418366fd (Sat Oct 30 10:03:41 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x12000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x13000 0x5000 0x4600 7.87 842d92290b966029a679b602f315d7e2
UPX2 0x18000 0x2000 0x400 1.40 37ce303867af1864cb2adc8571b0b59e

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> GDI32.DLL: Chord
> USER32.DLL: ScrollDC

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4C69728B003910C94E680043758B96009B19C839
packers (F-Prot): UPX


--------------------------------------------------------------------------
Analysis of file QARLW.EXE, received 01.05.2008 00:41:37 (CET)
Antivirus engine  Version  Last update  Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 Generic10.RCL
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.04.30 -
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5749 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 -
FileAdvisor 1 2008.05.01 -
Fortinet 3.14.0.0 2008.04.30 -
Ikarus T3.1.1.26.0 2008.04.30 Backdoor.Win32.Tofsee.F
Kaspersky 7.0.0.125 2008.05.01 Heur.Trojan.Generic
McAfee 5285 2008.04.30 -
Microsoft 1.3408 2008.04.22 Backdoor:Win32/Tofsee.F
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 W32/Malware
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 TROJAN.AGENT.GEN
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 Backdoor.Ranky
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.04.30 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0

Additional information
File size: 59392 bytes
MD5...: 2f471160b98b6db84c9abb1db495947b
SHA1..: 9041e0624e403e8e19b0f4834136db6272db740f
SHA256: 7a328eb57af93431a9ceb5d4b361d8c21025822358e8f93ad2e72a3be85ebbf7
SHA512: 9a10089d4a0fbdd5d0a273547bbbb2b110b2ae2e340687683fc8a16dc268501ee2ade8b64a0c15ec7a639005cf41af1a81061b0b37792bb009f82596a1f495d5
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x42bd50
timedatestamp.....: 0x419d054e (Thu Nov 18 20:25:50 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1e000 0xe000 0xe000 7.87 ba800aecd20360fd2d7fd1cbe64ea413
UPX2 0x2c000 0x2000 0x400 1.61 8781c941e999b89e4c50d49cac8496f2

( 4 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> GDI32.DLL: GetPixel
> OLE32.DLL: OleLoad
> USER32.DLL: IsChild

( 0 exports )

Norman Sandbox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length: 59392 bytes.

[ Changes to filesystem ]
* Creates file C:\DOCUME~1\SANDBOX\lscqfy.exe.
* Creates file C:\WINDOWS\SYSTEM32\lxqso.exe.
* Creates file C:\WINDOWS\TEMP\removeMe2113.bat.
* Deletes file "c:\sample.exe">nul.
* Deletes file "%%0".

[ Changes to registry ]
* Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
* Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".
* Modifies value "UserInit"="C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\SANDBOX\lscqfy.exe \s" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
* Creates value "lxqso"="C:\WINDOWS\SYSTEM32\lxqso.exe \u" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "WarnOnZoneCrossing"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Sets value "WarnOnPostRedirect"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Sets value "WarnonBadCertRecving"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Creates key "HKCU\Software\Microsoft\Internet Explorer\IntelliForms".
* Sets value "AskUser"="" in key "HKCU\Software\Microsoft\Internet Explorer\IntelliForms".
* Sets value "WarnOnPost"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2".
* Sets value "MinLevel"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2".
* Sets value "RecommendedLevel"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2".

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AAEC8E7B00042629E802002DD2B75F00207E7D9C
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX
packers (F-Prot): UPX


And this one also came up in the first scan I did; it is now scanning for the second time because I hadn't saved the report and they asked me for it.

Analysis of file FDH.EXE, received 01.05.2008 00:43:38 (CET)
Antivirus engine  Version  Last update  Result
AhnLab-V3 2008.5.1.0 2008.04.30 -
AntiVir 7.8.0.11 2008.04.30 -
Authentium 4.93.8 2008.04.30 -
Avast 4.8.1169.0 2008.04.30 -
AVG 7.5.0.516 2008.04.30 Generic10.RCL
BitDefender 7.2 2008.05.01 -
CAT-QuickHeal 9.50 2008.04.30 -
ClamAV 0.92.1 2008.04.30 -
DrWeb 4.44.0.09170 2008.04.30 -
eTrust-Vet 31.3.5749 2008.04.30 -
Ewido 4.0 2008.04.30 -
F-Prot 4.4.2.54 2008.05.01 -
F-Secure 6.70.13260.0 2008.04.30 -
Fortinet 3.14.0.0 2008.04.30 -
Ikarus T3.1.1.26 2008.04.30 Backdoor.Win32.Tofsee.F
Kaspersky 7.0.0.125 2008.05.01 Heur.Trojan.Generic
McAfee 5285 2008.04.30 -
Microsoft None 2008.04.22 -
NOD32v2 3067 2008.04.30 -
Norman 5.80.02 2008.04.30 W32/Malware
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.05.01 TROJAN.AGENT.GEN
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.01 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.05.01 Backdoor.Ranky
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.04.30 -
VirusBuster 4.3.26:9 2008.04.30 -
Webwasher-Gateway 6.6.2 2008.04.30 BlockReason.0

Additional information
File size: 59392 bytes
MD5...: 2f471160b98b6db84c9abb1db495947b
SHA1..: 9041e0624e403e8e19b0f4834136db6272db740f
SHA256: 7a328eb57af93431a9ceb5d4b361d8c21025822358e8f93ad2e72a3be85ebbf7
SHA512: 9a10089d4a0fbdd5d0a273547bbbb2b110b2ae2e340687683fc8a16dc268501ee2ade8b64a0c15ec7a639005cf41af1a81061b0b37792bb009f82596a1f495d5
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x42bd50
timedatestamp.....: 0x419d054e (Thu Nov 18 20:25:50 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1e000 0xe000 0xe000 7.87 ba800aecd20360fd2d7fd1cbe64ea413
UPX2 0x2c000 0x2000 0x400 1.61 8781c941e999b89e4c50d49cac8496f2

( 4 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> GDI32.DLL: GetPixel
> OLE32.DLL: OleLoad
> USER32.DLL: IsChild

( 0 exports )

packers: UPX
packers: PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX
Norman Sandbox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length: 59392 bytes.

[ Changes to filesystem ]
* Creates file C:\DOCUME~1\SANDBOX\lscqfy.exe.
* Creates file C:\WINDOWS\SYSTEM32\lxqso.exe.
* Creates file C:\WINDOWS\TEMP\removeMe2113.bat.
* Deletes file "c:\sample.exe">nul.
* Deletes file "%%0".

[ Changes to registry ]
* Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
* Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".
* Modifies value "UserInit"="C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\SANDBOX\lscqfy.exe \s" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
* Creates value "lxqso"="C:\WINDOWS\SYSTEM32\lxqso.exe \u" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "WarnOnZoneCrossing"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Sets value "WarnOnPostRedirect"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Sets value "WarnonBadCertRecving"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Creates key "HKCU\Software\Microsoft\Internet Explorer\IntelliForms".
* Sets value "AskUser"="" in key "HKCU\Software\Microsoft\Internet Explorer\IntelliForms".
* Sets value "WarnOnPost"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2".
* Sets value "MinLevel"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2".
* Sets value "RecommendedLevel"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2".

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AAEC8E7B00042629E802002DD2B75F00207E7D9C

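The reports above carry two things a responder actually needs: how many engines flagged each file (the second sample is caught mostly by heuristics, so a single "clean" verdict means little) and, from the sandbox output, where the file persists on the host (an extra entry appended to the Winlogon UserInit value and a new Run value) plus which Internet Explorer warning settings it blanks. The following triage helper is an added example, not code from the post, from ForoSpyware or from any of the scanners named above. It parses the semicolon-separated engine table and the sandbox bullet lines in the exact wording shown above; the sample text is a constructed excerpt of those reports, and the function and field names are my own.

```python
"""Triage helper for multi-engine scan tables and sandbox behaviour logs (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the engine table, in the semicolon layout the post uses.
ENGINE_TABLE = """
Motor antivirus;Versión;Última actualización;Resultado
AhnLab-V3;2008.5.1.0;2008.04.30;-
AntiVir;7.8.0.11;2008.04.30;Worm/IrcBot.19968.18
AVG;7.5.0.516;2008.04.30;SHeur.BHTM
BitDefender;7.2;2008.05.01;Win32.Worm.Slenfbot.E
ClamAV;0.92.1;2008.04.30;-
Kaspersky;7.0.0.125;2008.05.01;Backdoor.Win32.IRCBot.csf
Microsoft;1.3408;2008.04.22;Worm:Win32/Slenfbot.gen!B
Symantec;10;2008.05.01;-
"""

# Constructed excerpt of the sandbox output, same wording as the post.
SANDBOX_LOG = r"""
[ Changes to filesystem ]
* Creates file C:\DOCUME~1\SANDBOX\lscqfy.exe.
* Creates file C:\WINDOWS\SYSTEM32\lxqso.exe.
[ Changes to registry ]
* Modifies value "UserInit"="C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\SANDBOX\lscqfy.exe \s" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
* Creates value "lxqso"="C:\WINDOWS\SYSTEM32\lxqso.exe \u" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "WarnOnZoneCrossing"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings".
"""

REG_LINE = re.compile(r'^\* (?:Modifies|Creates|Sets) value "([^"]+)"="([^"]*)" in key "([^"]+)"\.?$')
FILE_LINE = re.compile(r'^\* Creates file (.+?)\.?$')
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"  # the only entry a clean UserInit holds


@dataclass
class SandboxIndicators:
    dropped_files: list = field(default_factory=list)
    run_entries: list = field(default_factory=list)        # (key, value name, data)
    userinit_extras: list = field(default_factory=list)    # entries appended to Winlogon UserInit
    weakened_settings: list = field(default_factory=list)  # IE warning values blanked


def parse_engine_table(text):
    """Map engine name -> detection label (None when the engine reported '-')."""
    verdicts = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        engine, _version, _updated, result = line.split(";", 3)
        result = result.strip()
        verdicts[engine] = None if result in ("", "-") else result
    return verdicts


def detection_ratio(verdicts):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for v in verdicts.values() if v), len(verdicts)


def userinit_extras(value):
    """Entries in a Winlogon UserInit value other than the stock userinit.exe."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != STOCK_USERINIT]


def parse_sandbox(text):
    """Pull persistence and hardening-rollback indicators out of the sandbox bullets."""
    ind = SandboxIndicators()
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            ind.dropped_files.append(m.group(1))
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        name, data, key = m.groups()
        key_l = key.lower()
        if name.lower() == "userinit" and key_l.endswith(r"\winlogon"):
            ind.userinit_extras.extend(userinit_extras(data))
        elif key_l.endswith(r"\currentversion\run"):
            ind.run_entries.append((key, name, data))
        elif data == "" and ("internet settings" in key_l or "intelliforms" in key_l):
            ind.weakened_settings.append(name)
    return ind


def triage(engine_text, sandbox_text):
    verdicts = parse_engine_table(engine_text)
    hits, total = detection_ratio(verdicts)
    ind = parse_sandbox(sandbox_text)
    return {
        "detections": f"{hits}/{total}",
        "labels": sorted(v for v in verdicts.values() if v),
        "persistence": bool(ind.run_entries or ind.userinit_extras),
        "indicators": ind,
    }


if __name__ == "__main__":
    report = triage(ENGINE_TABLE, SANDBOX_LOG)
    print("engines flagging the file:", report["detections"])
    for label in report["labels"]:
        print("  ", label)
    ind = report["indicators"]
    print("dropped files:", ind.dropped_files)
    print("Run key entries:", ind.run_entries)
    print("extra UserInit entries (Winlogon hijack):", ind.userinit_extras)
    print("IE safety prompts blanked:", ind.weakened_settings)
```

The UserInit check is the one worth running on the real machine: the value should contain only the stock userinit.exe path (with its trailing comma), and anything appended after it, such as the lscqfy.exe entry the sandbox recorded, is executed at every interactive logon.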