Skip to main content

Trojan.NSIS.StartPage_953598580c


Trojan-Downloader.Win32.Genome.ghos (Kaspersky), Trojan-Downloader.NSIS.Agent.nos (v) (VIPRE), Artemis!953598580CE4 (McAfee), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 953598580ce47905e48df3323dfe171d

SHA1: e39c37979a96199c4199e9ca8fbaf3253bd2002f

SHA256: fde9e070d468048a203afb940c259c74de8aac05627f885e13e277404df63a0f

SSDeep: 6144:ue34vYsvdb VUxaLbQQckDPxcKd/soTHTrSri:WYOwXQ1OX/sUTuG

Size: 226648 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company:

Created at: 2009-06-07 00:41:59

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wuauclt.exe:540
%original file name%.exe:1684
sqgbfvt.exe:3960

The Trojan injects its code into the following process(es):

greendou.exe:1856
iexplore.exe:416

File activity

The process greendou.exe:1856 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vExport[2].js (2187 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lg1236.565882[1].txt (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2276/270200[1].swf (1728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vExport[1].js (1927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\liangao1[1].htm (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\close[1].png (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\close[1].png (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAG1AJ4X.htm (1875 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\vDisplay[2].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\vShow[1].htm (7973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cpv1[1].htm (797 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (2587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\vDisplay[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA8H0LKB.htm (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\70e1[1].htm (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\vShow[1].htm (8851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2276/270200[2].swf (1728 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[2].txt (2552 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\close[1].png (0 bytes)

The process wuauclt.exe:540 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:1684 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\脙茠芒鈧