Fake Microsoft Security Essentials Alert [Malware Info]

Posted: 30 November 2010 in Malware Info, New Malware

Fake Microsoft Security Essentials Alert

[ # ] VirusTotal : 4 /43 (9.3%) [MD5 : bedcc69b197b89856e6f5fbb5543b244]

Detected by COMODO (Heur.Packed.Unknown), Microsoft (TrojanDropper:Win32/Bamital.C), Panda (Suspicious file), TrendMicro (PAK_Generic.001)

My Report
—————————————————–
Datetime : 2010/11/30 09:48:45
Computer: TESTLAB-MALWAREWIKI
Username: Catalin
Operating System : Windows XP
—————————————————–

[ ! ] New Files
C:\WINDOWS\system32\mshta.exe
C:\Documents and Settings\Catalin\Application Data\agtyjkj.bat
C:\WINDOWS\system32\at.exe
C:\Documents and Settings\Catalin\Application Data\hotfix.exe

[ ! ] Registry Values deleted
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum: “SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}”
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum: “SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}”
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost: 01 00 00 00

[ ! ] Registry Values Added
HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours: 0x00000048
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 06 00 00 00 20 BC 78 CA 73 90 CB 01
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Pngnyva\Qrfxgbc\snxrni.rkr: 01 00 00 00 06 00 00 00 A0 D0 F6 CB 73 90 CB 01
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost: 0x00000000
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing: 0x00000000
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect: 0x00000000
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving: 0x00000000
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\mshta.exe: “Microsoft (R) HTML Application host”
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Catalin\Application Data\agtyjkj.bat: “agtyjkj”
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\at.exe: “Schedule service command line interface”
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “C:\Documents and Settings\Catalin\Application Data\hotfix.exe”

[ ! ] Registry Values Modified (each value is listed twice: the old value first, then the new value)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 94 CB 8D 87 5F 6E 8D E2 7E 34 12 60 13 A8 A3 87 91 DD D9 C0 CC 8A 8C EA 6B 83 12 6E C9 03 58 6F 6C FD 12 C5 30 E6 FC 82 78 5A 5D 50 E2 83 EE 0D 2B 06 79 20 44 73 5A 9C D4 DA FC D9 8A 3F 2D B5 B0 B9 48 F3 A2 6E EB 7E C8 92 F6 68 93 9B 47 9C
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: B3 1B 65 67 13 35 42 D8 3B AB FC 0B 94 DD C1 33 EC 73 67 E0 53 17 BE 85 30 FF 19 28 FE 5F 97 D9 1A 74 6A ED 9F B7 1C 77 CD 06 EF 0E D3 F5 3D 5C BC 13 DD D9 B6 BD 1D C0 A3 BD E8 13 49 3D 4B 29 91 E4 F8 EA 60 C2 1C D3 B7 FC BF 57 E0 E3 F4 1B
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000000F
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000E
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure: 0x00000020
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\Schedule\NextAtJobId: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\Schedule\NextAtJobId: 0x00000019
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000019
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 08 00 00 00 80 06 11 C4 73 90 CB 01
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 09 00 00 00 A0 D0 F6 CB 73 90 CB 01
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 E0 C2 89 73 90 CB 01 01 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00
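Added example (not tooling from the original post): a small Python triage script run over lines copied from the report above. It parses the report's `[ ! ] Section` / `path: value` layout, decodes the ROT13-obfuscated UserAssist entry (the HRZR_EHACNGU key is UEME_RUNPATH, and its 16-byte value holds a run count and a FILETIME), and flags the changes worth acting on: Winlogon\Shell pointing at hotfix.exe under Application Data (the malware replaces the user's shell, so it starts at every logon), the Internet Explorer Warn* prompts zeroed, and the at.exe scheduler changes (AtTaskMaxHours = 0x48 = 72 hours, NextAtJobId moving from 1 to 0x19, i.e. 24 AT jobs created during the run). The parser, the rule names and the Windows XP convention that UserAssist stores the run count biased by 5 are this example's assumptions; only the sample lines come from the report.

```python
"""Triage helpers for a registry-diff report in the format of the post above.

Added example, not tooling from the original post. REPORT embeds a subset of
lines copied from the report; the rules and function names are this
example's own choices.
"""
import codecs
import re
from datetime import datetime, timedelta

# Subset of the report above, copied verbatim (section headers are the report's own).
REPORT = r"""
[ ! ] Registry Values Added
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Pngnyva\Qrfxgbc\snxrni.rkr: 01 00 00 00 06 00 00 00 A0 D0 F6 CB 73 90 CB 01
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost: 0x00000000
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving: 0x00000000
HKU\S-1-5-21-1844237615-1677128483-854245398-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\Documents and Settings\Catalin\Application Data\hotfix.exe"
[ ! ] Registry Values Modified
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000019
"""

SECTION_RE = re.compile(r"^\[ ! \] (.+)$")
HEXBYTES_RE = re.compile(r"^(?:[0-9A-F]{2} )+[0-9A-F]{2}$")


def parse_value(raw):
    """Turn the report's textual value into a Python value (DWORD, SZ or BINARY)."""
    if raw.startswith("0x"):
        return int(raw, 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEXBYTES_RE.match(raw):
        return bytes.fromhex(raw.replace(" ", ""))
    return raw


def parse_report(text):
    """Return {section: [(path, value), ...]}; the value follows the last ': ' on a line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif ": " not in line:
            sections[current].append((line, None))  # e.g. the New Files section
        else:
            path, raw = line.rsplit(": ", 1)
            sections[current].append((path, parse_value(raw)))
    return sections


def modified_pairs(entries):
    """The Modified section lists each value twice: old value, then new value."""
    return [(p1, v1, v2) for (p1, v1), (p2, v2) in zip(entries[::2], entries[1::2]) if p1 == p2]


def decode_userassist(path, blob):
    """Decode an XP UserAssist entry: ROT13 name, run count and last-run FILETIME.

    Assumption of this example: on XP the 4-byte count at offset 4 is stored as
    (real count + 5), and offset 8 holds a FILETIME (100 ns ticks since 1601-01-01).
    """
    name = codecs.decode(path.rsplit("\\Count\\", 1)[1], "rot13")
    count = int.from_bytes(blob[4:8], "little") - 5
    filetime = int.from_bytes(blob[8:16], "little")
    last_run = datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)
    return name, count, last_run


def triage(sections):
    """Apply the checks a responder would run first; returns (kind, detail) findings."""
    findings = []
    for path, value in sections.get("Registry Values Added", []):
        leaf = path.rsplit("\\", 1)[1]
        if path.endswith("\\Winlogon\\Shell") and str(value).lower() != "explorer.exe":
            findings.append(("persistence", f"Winlogon Shell replaced with {value}"))
        elif "\\Internet Settings\\" in path and leaf.lower().startswith("warn") and value == 0:
            findings.append(("ie-warnings-disabled", leaf))
        elif "\\UserAssist\\" in path and isinstance(value, bytes):
            name, count, last_run = decode_userassist(path, value)
            findings.append(("userassist", f"{name} run {count}x, last {last_run:%Y-%m-%d %H:%M:%S}"))
        elif leaf == "AtTaskMaxHours":
            findings.append(("at-scheduler", f"AtTaskMaxHours set to {value} hours"))
    for path, old, new in modified_pairs(sections.get("Registry Values Modified", [])):
        if path.endswith("\\Schedule\\NextAtJobId") and new > old:
            findings.append(("at-jobs-created", new - old))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_report(REPORT)):
        print(f"[{kind}] {detail}")
```

The UserAssist line is the one worth decoding by hand if nothing else: ROT13 turns the key name into UEME_RUNPATH:C:\Documents and Settings\Catalin\Desktop\fakeav.exe, which is the dropper the analyst launched, and the FILETIME in the value lands seven seconds after the report's own start time.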
