Vaklik.HMG is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious way. Trojans do not replicate or spread to other computers. File Related Changes It drops the following file(s) on the system: - "c:\Users\Admin\AppData\Local\Temp\xvassdf.exe"
- "c:\Users\Admin\AppData\Local\Temp\4tddfwq0.dll"
- "c:\06.exe"
Process Related Changes It creates the following mutex(es): - "SmartScreen_ClientId_Mutex"
- "MSIMGSIZECacheMutex"
- "ConnHashTable<3628>_HashTable_Mutex"
- "SmartScreen_UrsCacheMutex_2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2High_S-1-5-21-239287854-1939494589-2009181562-1001"
- "CB35EF5D-4591-41d9-BBA2-0363342F3783"
- "IESQMMUTEX_0_208"
It creates the following process(es): - c:\Program Files\Internet Explorer\iexplore.exe [ \c:\Program Files\Internet Explorer\iexplore.exe SCODEF:3628 CREDAT:14337 ]
- c:\Program Files\Internet Explorer\iexplore.exe [ \c:\Program Files\Internet Explorer\iexplore.exe ]
Network Activity It attempts to connect to the following remote servers: - ocsp.verisign.net:80 (199.7.xxxxxx)
- www3.l.google.com:80 (74.125.xxxxxx)
- www.google.com:80 (74.125.xxxxxx)
- clients.l.google.com:80 (74.125.xxxxxx)
- www.google.com:443 (74.125.xxxxxx)
We observed the following DNS query/queries: - clients1.google.com
- pki.google.com
- www.google.com
- crl.geotrust.com
- gtglobal-ocsp.geotrust.com
Registry Related Changes It makes the following registry modifications to ensure infection after system reboot: - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger = C:\Users\Admin\AppData\Local\Temp\xvassdf.exe
|