xandora.net Report - b31e4624cdc45655b468921823e1b72b

xandora.net - Suspicious File Analyzer

HEUR:Trojan.Win32.Generic

File Details

MD5	b31e4624cdc45655b468921823e1b72b
SHA-1	16f2fd51a5f00e2d220adc0c5db684e40ac5bde7
File Type	exe
First Received (GMT+8)	2011-06-23 16:42:00
Size (bytes)	134144
Weightage	101
virustotal.com	18 vendors detected

Static File Header

++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 4DFA632F Fri Jun 17 04:10:23 2011
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00024000
Code Base: 00001000 Size: 00007600
Data Base: 00009000 Size: 00019200
Entry Point: 00002601 (file offset 00001A01)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00007600 Flags: 60000020 (CER)
2: .rdata RVA: 00009000 Offset: 00007A00 Size: 00001C00 Flags: 40000040 (DR)
3: .data RVA: 0000B000 Offset: 00009600 Size: 00001200 Flags: C0000040 (DRW)
4: .rsrc RVA: 0000D000 Offset: 0000A800 Size: 00016400 Flags: 40000040 (DR)

Filesystem Change

The following file was changed in the system

MD5	Filename
0x94f3d031f48fdb8334878576113d81a5	"/WINDOWS/system32/userdiff.sav"

Registry Change

The following Registry Keys were changed

Action	Registry
Changed	software_Microsoft_DeviceControl
Added	software_Microsoft_DataFactory_HandlerInfo_SafeHandlerList_MSDFMAP_VC.Handler
Added	software_Microsoft_DeviceManager
Added	software_Microsoft_DeviceManager_BusTypes
Added	software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
Added	software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
Added	software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
Added	software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
Added	software_Microsoft_Windows_NT_CurrentVersion_AeDebug
Added	software_Microsoft_Windows_NT_CurrentVersion_AeDebug
Added	software_Microsoft_Windows_NT_CurrentVersion_Prefetcher
Added	software_Microsoft_Windows_NT_CurrentVersion_ProfileList
Added	software_Microsoft_Windows_NT_CurrentVersion_Prefetcher
Added	software_Microsoft_Windows_NT_CurrentVersion_ProfileList
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Applets_SysTray
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Applets_SysTray
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_CD_Burning_Drives
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_CLSID
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_CD_Burning_Drives
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_CLSID
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Desktop
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Desktop_CleanupWiz
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Desktop
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Desktop_CleanupWiz
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable_PostSetup_Component_Categories_{00021493-0000-0000-C000-000000000046}_Enum
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable_PostSetup_Component_Categories_{00021493-0000-0000-C000-000000000046}_Enum
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable_PostSetup_Component_Categories_{00021494-0000-0000-C000-000000000046}_Enum
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable_PostSetup_ShellNew
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable_PostSetup_Component_Categories_{00021494-0000-0000-C000-000000000046}_Enum
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_Discardable_PostSetup_ShellNew
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_RunMRU
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_RunMRU
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_UserAssist_{5E6AB780-7743-11CF-A12B-00AA004AE837}_Count
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_UserAssist_{5E6AB780-7743-11CF-A12B-00AA004AE837}_Count
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_UserAssist_{75048700-EF1F-11D0-9888-006097DEACF9}_Count
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Explorer_UserAssist_{75048700-EF1F-11D0-9888-006097DEACF9}_Count
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Ext_Stats_{02478D38-C3F9-4EFB-9B51-7695ECA05670}_iexplore
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Ext_Stats_{02478D38-C3F9-4EFB-9B51-7695ECA05670}_iexplore
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_Run
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_RunOnce
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_WindowsUpdate
Added	NTUSER_Software_Microsoft_Windows_CurrentVersion_WinTrust

Running Processes

PID	Command
288	smss.exe
392	csrss.exe
416	winlogon.exe
532	services.exe
544	lsass.exe
700	svchost.exe
744	svchost.exe
804	svchost.exe
848	svchost.exe
896	svchost.exe
1080	explorer.exe
1584	alg.exe
212	svchost.exe

Traffic - by TCP/IP Connections

2 outbound connection found