SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Virut.A_1133
Virut.A_1133 is a polymorphic file infector virus that target Microsoft Windows operating systems. It is known to infect files with .exe and .scr extensions on local drives, removable media, and network shares.

      Process Related Changes
      It creates the following mutex(es):
      • OutlookExpress_InstanceMutex_101897"
      • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • c:!documents and settings!admin!local settings!history!history.ie5!"
      • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
      • shqq"
      • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
      • c:!documents and settings!admin!cookies!"

      It creates the following process(es):
      • C:\WINDOWS\Temp\d83bd6d56a26f39c7aa4077980665d79.exe [ \c:\windows\temp\d83bd6d56a26f39c7aa4077980665d79.exe ]

      It injects malicious code into the following process(es):
      • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
      • "C:\WINDOWS\system32\svchost.exe"
      • "C:\WINDOWS\system32\tlntsrv.exe"
      • "C:\WINDOWS\system32\winlogon.exe"
      • "C:\WINDOWS\system32\rundll32.exe"
      • "C:\WINDOWS\system32\ctfmon.exe"
      • "C:\WINDOWS\system32\wbem\wmiprvse.exe"
      • "C:\WINDOWS\explorer.exe"
      • "C:\WINDOWS\system32\services.exe"
      • "C:\WINDOWS\system32\alg.exe"
      • "C:\WINDOWS\system32\lsass.exe"
      • "C:\Program Files\Java\jre6\bin\jqs.exe"
      • "C:\WINDOWS\system32\spoolsv.exe"

      Network Activity
      We observed the following DNS query/queries:
      • sys.zief.pl

      It attempts to connect to the following remote servers:
      • 148.81.xxxxxx:65520

      Registry Related Changes
      It makes the following registry modifications to ensure infection after system reboot:
      • HKLM\system\CurrentControlSet\Services\sharedaccess\epoch\= h
      • HKLM\system\CurrentControlSet\Services\= h
      • egAABoSqBoANCg8IzWsQpvWJmwEYlAIghARQ2PWRlghY0IkCYIGUqFJwjS14AIAB3SGIAd0hkAH6gICAgduqgUBmgHADHoAABDYqgb1BgoPCIFrEJeNh5sBGJQCIIQEUNj1kZYIWNCJAmCBlKhScI0teACAAbYGiAG2BpABoCAmJDG4owumgG2BnoAAAMxihkuCg8I82UQgo7smQEYAggyANSG0hLTE1cc29mdHdhcmVcbWljcm9zb2Z0XG9sZaoZVwoPCO1lEL6L7JkBGPwIIMgDUjFIS0NSXGFwcGlkXHs4YmMzZjA1ZS1kODZiLTExZDAtYTA3NS0wMGMwNGZiNjg4MjB9WhFzZXJ2aWNlcGFyYW1ldGVyc6oZSwoPCO5lEPmL7JkBGPwIIMgDUjFIS0NSXGFwcGlkXHs4YmMzZjA1ZS1kODZiLTExZDAtYTA3NS0wMGMwNGZiNjg4MjB9WgVydW5hc6oZVwoPCO9lEKuM7JkBGPwIIMgDUjFIS0NSXGFwcGlkXHs4YmMzZjA1ZS1kODZiLTExZDAtYTA3NS0wMGMwNGZiNjg4MjB9WhFhY3RpdmF0ZWF0c3RvcmFnZaoZVgoPCPBlEN2M7JkBGPwIIMgDUjFIS0NSXGFwcGlkXHs4YmMzZjA1ZS1kODZiLTExZDAtYTA3NS0wMGMwNGZiNjg4MjB9WhBsYXVuY2hwZXJtaXNzaW9uqhlWCg8I8WUQkY3smQEYAggyANSMUhLQ1JcYXBwaWRcezhiYzNmMDVlLWQ4NmItMTFkMC1hMDc1LTAwYzA0ZmI2ODgyMH1aEGxhdW5jaHBlcm1pc3Npb26qGVYKDwjyZRDEjeyZARj8CCDIA1IxSEtDUlxhcHBpZFx7OGJjM2YwNWUtZDg2Yi0xMWQwLWEwNzUtMDBjMDRmYjY4ODIwfVoQbGF1bmNocGVybWlzc2lvbqoZSQoPCPVlEOaO7JkBGPwIIMgDUhtIS0xNXHNvZnR3YXJlXG1pY3Jvc29mdFxvbGVaGWxlZ2FjeWF1dGhlbnRpY2F0aW9ubGV2ZWyqGUgKDwj2ZRCbjyZARj8CCDIA1IbSEtMTVxzb2Z0d2FyZVxtaWNyb3NvZnRcb2xlWhhsZWdhY3lpbXBlcnNvbmF0aW9ubGV2ZWyqGVkKDwj4ZRDojyZARj8CCDIA1IxSEtDUlxhcHBpZFx7OGJjM2YwNWUtZDg2Yi0xMWQwLWEwNzUtMDBjMDRmYjY4ODIwfVoTYXV0aGVudGljYXRpb25sZXZlbKABBqoGxAYKDwiCaxC9k4ebARiUAiCEBFDY9ZGWCFjQiQJggZSoUnCNLXgAgAGFBogBhQaQAfqAgJiAwOKMRJoBhQZ6AAADAIoZRAoPCP5lEJaT7JkBGPwIIMgDUjFIS0NSXGNsc2lkXHs4YmMzZjA1ZS1kODZiLTExZDAtYTA3NS0wMGMwNGZiNjg4MjB9ihknCg8IgmYQ2pTsmQEYAggyANSFEhLVVxzLTEtNS0xOF9jbGFzc2VzihlECg8IhGYQr5XsmQEYAggyANSMUhLQ1JcYXBwaWRcezhiYzNmMDVlLWQ4NmItMTFkMC1hMDc1LTAwYzA0ZmI2ODgyMH2qGVAKDwj6ZRDOkeyZARj8CCDIA1IxSEtDUlxhcHBpZFx7OGJjM2YwNWUtZDg2Yi0xMWQwLWEwNzUtMDBjMDRmYjY4ODIwfVoKYXBwaWRmbGFnc6oZVgoPCPtlEIaS7JkBGPwIIMgDUjFIS0NSXGFwcGlkXHs4YmMzZjA1ZS1kODZiLTExZDAtYTA3NS0wMGMwNGZiNjg4MjB9WhByZW1vdGVzZXJ2ZXJuYW1lqhlTCg8IGUQupLsmQEYAggyANSMUhLQ1JcYXBwaWRcezhiYzNmMDVlLWQ4NmItMTFkMC1hMDc1LTAwYzA0ZmI2ODgyMH1aDXNycHRydXN0bGV2ZWyqGUYKDwiGZhDgluyZARj8CCDIA1IxSEtDUlxhcHBpZFx7OGJjM2YwNWUtZDg2Yi0xMWQwLWEwNzUtMDBjMDRmYjY4ODIwfVoAqhlSCg8Ih2YQnpfsmQEYAggyANSMUhLQ1JcYXBwaWRcezhiYzNmMDVlLWQ4NmItMTFkMA= _Special_Characters_


      Relevant Information