desbarata.homeip.net

rage1.exe : INFECTED with W32/Backdoor (Signature: NO_VIRUS)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\rage1.exe.
* Sandbox name: W32/Backdoor.
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 88064 bytes.
* MD5 hash: 5b4c17334849e14b7ae630f2384d941e.
* SHA1 hash: c53c24426d2c86706329ce3df9e3f7ed22e6fd3e.
* Entry-point detection: Microsoft Visual C++.

[ Changes to filesystem ]
* Creates directory C:\PROGRA~1\COMMON~1.
* Creates file C:\PROGRA~1\COMMON~1\System\svchost.exe.
* Overwrites file C:\PROGRA~1\COMMON~1\System\svchost.exe.

[ Changes to registry ]
* Creates key “HKLM\Software\Microsoft\Windows”.
* Sets value “Windows Update”=”C:\PROGRA~1\COMMON~1\System\svchost.exe” in key “HKLM\Software\Microsoft\Windows”.
* Creates key “HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters”.
* Sets value “C:\PROGRA~1\COMMON~1\System\svchost.exe”=”C:\PROGRA~1\COMMON~1\System\svchost.exe:*:Enabled:Windows Update” in key “HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters”.

Note: the second value uses the “path:*:Enabled:name” form of a Windows Firewall authorized-application entry, so the dropped copy is whitelisted through the XP firewall under the innocuous display name “Windows Update”, the same name used for the first value.

[ Network services ]
* Connects to “desbarata.homeip.net” on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname raGe|eBFOPHjDIu.
* IRC: Uses username hhvjj.
* IRC: Joins channel ##risa## with password rage.

[ Process/window information ]
* Creates a mutex mx.
* Creates process “svchost.exe”.

[ Signature Scanning ]
* C:\PROGRA~1\COMMON~1\System\svchost.exe (88064 bytes) : no signature detection.
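The report above, as an added example that is not part of the original post: a small Python parser that turns the Norman-style “* …” lines into an indicator set (hashes, dropped file, registry value, mutex, C2 endpoint, IRC nick prefix, channel and key), and a matcher that checks a captured client-to-server IRC session against the network indicators. The report text embedded in the script is copied from this page with backslashes restored; the IRC session is constructed; and the assumption that only the part of the nickname before `|` is stable (the rest being a per-infection random string) is mine, not the report's.

```python
"""Turn the sandbox report above into a checkable IOC set and match an IRC
session against its network indicators. Added example; not part of the
original report. Requires Python 3.9+."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Report lines copied from this page (backslashes restored). Only the
# sections the parser uses are reproduced.
REPORT = """\
[ General information ]
* File length: 88064 bytes.
* MD5 hash: 5b4c17334849e14b7ae630f2384d941e.
* SHA1 hash: c53c24426d2c86706329ce3df9e3f7ed22e6fd3e.

[ Changes to filesystem ]
* Creates file C:\\PROGRA~1\\COMMON~1\\System\\svchost.exe.

[ Changes to registry ]
* Sets value "Windows Update"="C:\\PROGRA~1\\COMMON~1\\System\\svchost.exe" in key "HKLM\\Software\\Microsoft\\Windows".

[ Network services ]
* Connects to "desbarata.homeip.net" on port 6667 (TCP).
* IRC: Uses nickname raGe|eBFOPHjDIu.
* IRC: Uses username hhvjj.
* IRC: Joins channel ##risa## with password rage.

[ Process/window information ]
* Creates a mutex mx.
"""

# Blog copies of these reports often carry curly quotes; accept both.
Q1 = '["\u201c]'
Q2 = '["\u201d]'


@dataclass
class Iocs:
    md5: Optional[str] = None
    sha1: Optional[str] = None
    dropped_files: list[str] = field(default_factory=list)
    registry_values: list[tuple[str, str, str]] = field(default_factory=list)  # (key, name, data)
    mutexes: list[str] = field(default_factory=list)
    c2_host: Optional[str] = None
    c2_port: Optional[int] = None
    irc_nick_prefix: Optional[str] = None
    irc_channel: Optional[str] = None
    irc_channel_key: Optional[str] = None


def parse_norman_report(text: str) -> Iocs:
    """Extract indicators from the '* ...' lines of a Norman-style report."""
    iocs = Iocs()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("* "):
            continue
        line = line[2:].rstrip(".")  # every report line ends in a period
        if m := re.fullmatch(r"MD5 hash: ([0-9a-f]{32})", line):
            iocs.md5 = m.group(1)
        elif m := re.fullmatch(r"SHA1 hash: ([0-9a-f]{40})", line):
            iocs.sha1 = m.group(1)
        elif m := re.fullmatch(r"Creates file (.+)", line):
            iocs.dropped_files.append(m.group(1))
        elif m := re.fullmatch(
            rf"Sets value {Q1}(.+?){Q2}={Q1}(.+?){Q2} in key {Q1}(.+?){Q2}", line
        ):
            iocs.registry_values.append((m.group(3), m.group(1), m.group(2)))
        elif m := re.fullmatch(rf"Connects to {Q1}(.+?){Q2} on port (\d+) \(TCP\)", line):
            iocs.c2_host, iocs.c2_port = m.group(1), int(m.group(2))
        elif m := re.fullmatch(r"IRC: Uses nickname (.+)", line):
            nick = m.group(1)
            # Assumption: the text before '|' is the bot's fixed prefix and the
            # rest is a per-infection random string, so only the prefix is stable.
            iocs.irc_nick_prefix = nick.split("|", 1)[0] + "|" if "|" in nick else nick
        elif m := re.fullmatch(r"IRC: Joins channel (\S+) with password (\S+)", line):
            iocs.irc_channel, iocs.irc_channel_key = m.group(1), m.group(2)
        elif m := re.fullmatch(r"Creates a mutex (.+)", line):
            iocs.mutexes.append(m.group(1))
    return iocs


def match_irc_session(dst_host: str, dst_port: int, client_lines: list[str], iocs: Iocs) -> list[str]:
    """Return the report indicators hit by a client->server IRC session
    (one raw IRC command per line); an empty list means no match."""
    hits = []
    if (dst_host, dst_port) == (iocs.c2_host, iocs.c2_port):
        hits.append(f"c2 endpoint {dst_host}:{dst_port}")
    for line in client_lines:
        parts = line.strip().split()
        if len(parts) < 2:
            continue
        cmd, arg = parts[0].upper(), parts[1]
        if cmd == "NICK" and iocs.irc_nick_prefix and arg.startswith(iocs.irc_nick_prefix):
            hits.append(f"nick prefix {iocs.irc_nick_prefix}")
        elif cmd == "JOIN" and arg == iocs.irc_channel:
            key = parts[2] if len(parts) > 2 else None
            hits.append(f"channel {arg}" + (f" with key {key}" if key == iocs.irc_channel_key else ""))
    return hits


# Constructed client->server lines for a second infection of the same bot:
# same nick prefix, different random suffix, same channel and key.
SAMPLE_SESSION = ["NICK raGe|kQwPzLmAbcdE", "USER hhvjj 0 0 :hhvjj", "JOIN ##risa## rage"]

if __name__ == "__main__":
    iocs = parse_norman_report(REPORT)
    print(iocs)
    print(match_irc_session("desbarata.homeip.net", 6667, SAMPLE_SESSION, iocs))
```

The nick-prefix and channel/key checks are the useful ones operationally: the random nick suffix and the dropped file's hash change between samples, while the C2 host, the `raGe|` prefix and the `##risa##`/`rage` pair are what an IDS rule or proxy-log search on outbound port 6667 would key on.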
