SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Comame.A_9
Comame.A_9 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

      Process Related Changes
      It creates the following mutex(es):
      • ZonesLockedCacheCounterMutex"
      • DDrawWindowListMutex"
      • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • DDrawDriverObjectListMutex"
      • !PrivacIE!SharedMemory!Mutex"
      • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • c:!documents and settings!admin!cookies!"
      • SHIMLIB_LOG_MUTEX"
      • c:!documents and settings!admin!local settings!history!history.ie5!"
      • f9314ef90d3767af0c2a7ffab8e6d140.exe"
      • __DDrawCheckExclMode__"
      • WininetConnectionMutex"
      • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
      • BT4823DF041B09"
      • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • ZonesCounterMutex"
      • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • ZoneAttributeCacheCounterMutex"
      • ZonesCacheCounterMutex"
      • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • MSCTF.Shared.MUTEX.IOH"
      • __DDrawExclMode__"

      It creates the following process(es):
      • C:\WINDOWS\system32\mshta.exe [ C:\WINDOWS\System32\mshta.exe C:\DOCUME1\Admin\LOCALS1\Temp\HYD1.tmp.1393834647\HTA\index.hta?bittorrent \c:\windows\temp\f9314ef90d3767af0c2a7ffab8e6d140.exe /LOG C:\DOCUME1\Admin\LOCALS1\Temp\HYD1.tmp.1393834647\index.hta.log /PID \1804 /CID \ulPYOX4n8AmEZcQq /VERSION \254911954 /BUCKET \0 /SSB \0 /COUNTRY \US /OS \5.1 /BROWSERS C:\Program Files\Internet Explorer\iexplore.exe /USERTYPE \admin /ARCHITECTURE \32 /LANG \en /USERNAME \Admin /CLIENT \bittorrent ]
      • C:\WINDOWS\system32\cscript.exe
      • C:\WINDOWS\system32\ping.exe
      • C:\WINDOWS\Temp\f9314ef90d3767af0c2a7ffab8e6d140.exe [ \c:\windows\temp\f9314ef90d3767af0c2a7ffab8e6d140.exe ]

      Network Activity
      We observed the following DNS query/queries:
      • update.utorrent.com
      • i-50.b-000.xyz.bench.utorrent.com
      • router.bittorrent.com
      • ip-api.com
      • router.utorrent.com

      It attempts to connect to the following remote servers:
      • 127.xxxxxx:1034
      • 23.23.xxxxxx:80
      • 107.22xxxxxx:80
      • 127.xxxxxx:1037
      • 174.129xxxxxx:80


      Relevant Information


      © SonicWall 2020 | Privacy Policy | Conditions for use Version: 10.0