testusa.helohmar.com

Remote Host            Port Number
testusa.helohmar.com   8800

Resolved : [testusa.helohmar.com] To [76.73.36.42]

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Taskman = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe"

    so that fddg.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Tji771 = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe"

    so that fddg.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Shell = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe"

    so that fddg.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

  Process Name                   Process Filename                                                          Main Module Size
  fddg.exe                       c:\recycler\s-1-5-21-0243556031-888888379-781863308-1455\fddg.exe        20 480 bytes
  [filename of the sample #1]    [file and pathname of the sample #1]                                      24 576 bytes

File System Modifications

* The following files were created in the system:

  1. Filename:  c:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\Desktop.ini
     File Size: 63 bytes
     File Hash: MD5: 0xE783BDD20A976EAEAAE1FF4624487420
                SHA-1: 0xC2A44FAB9DF00B3E11582546B16612333C2F9286
     Alias:     (not available)

  2. Filename:  c:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
                [file and pathname of the sample #1]
     File Size: 24 576 bytes
     File Hash: MD5: 0x778445E093BBE2B6A46B1F5CF932C650
                SHA-1: 0x969910F3BB064848C6DC2D2A21871F0D7E040A86
     Alias:     Malware.Pilleuz!rem [PCTools]
                W32.Pilleuz [Symantec]
                P2P-Worm.Win32.Palevo.avji [Kaspersky Lab]
                Generic.dx!txn [McAfee]
                Mal/Generic-L [Sophos]
                TrojanDropper:Win32/Injector.I [Microsoft]
                Win-Trojan/Injector.24576.AI [AhnLab]
