Systweak Spyware Library
DoS.vb Analysis Report
Threat Submitted On: 9/27/2008 8:56:21 PM
Threat Analysed On: 9/28/2008 1:56:21 AM
Threat Updated On: 1/28/2011 2:37:54 AM
Type : Denial-of-service
Symptoms of vb
  • Exploit that prevents users from accessing a particular service on a network.
  • Uses software bugs to crash or freeze a service or resource.
Information
Alias : dos.win32.vb.au
Md5 Hash : [8126516b644e2df7ecedd25cc01c6726]
File Size : (679936 bytes)

Technical Details

Here are the technical findings of our analysis team after analysing this malware in detail :-

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: file1.exe
Path : %workingdir%

Md5Hash : c82474780fb9e251e8a57d6ab2a2c2c5 (192512 bytes)
File: file2.exe
Path : %workingdir%

Md5Hash : 731e1175ba0e75abf9d6c2850a656cff (40960 bytes)
File: mvastnet.dll
Path : %workingdir%

Md5Hash :( bytes)
File: crsvs.exe
Path : %windir%

Md5Hash : 0872143a015b7dacb62b9eb54973c7b2 (36865 bytes)
Md5Hash : 84177d95bbdf76db93b7ac4a5fc4973d (36865 bytes)
File: update.exe
Path : %windir%\system

File: ftdutil.exe
Path : %windir%\system32

Md5Hash : 8126516b644e2df7ecedd25cc01c6726 (679936 bytes)
File: ntvxdc.exe
Path : %windir%\system32

Md5Hash : 8126516b644e2df7ecedd25cc01c6726 (679936 bytes)
File: wcsydrv.exe
Path : %windir%\system32

Md5Hash : 8126516b644e2df7ecedd25cc01c6726 (679936 bytes)
File: wintgtsv.exe
Path : %windir%\system32

Md5Hash : 8126516b644e2df7ecedd25cc01c6726 (679936 bytes)
File: winlogon.exe
Path : %windir%

File: [randomname].exe
Path : %workingdir%

Also creates the following files on the user's system; these files are also created by genuine software :-
Note:
These file(s) can be kept, as they are also created by genuine software.
File : winsck.ocx
Path : %windir%\system32

Md5Hash : 3d8fd62d17a44221e07d5c535950449b (109248 bytes)
File : winscn.ocx
Path : %windir%\system32

Md5Hash : 851f34233b9ec424695815cad2a909d8 (109248 bytes)
The following registry values are added to the provided registry keys :-
Note:
Delete the added values from the key to remove the infection
Value Added : shell = "explorer.exe %windir%\winlogon.exe"
Value Added : windows login = "%windir%\winlogon.exe"
Value Added : windows updates = "%windir%\system\update.exe"
Value Added : shell = "explorer.exe %windir%\crsvs.exe"
Value Added : shell = "explorer.exe %windir%\explorer.exe"
Value Added : sys startup = "wintgtsv.exe"
Value Added : windows start = "explorer.exe"
Value Added : explorer options2 = "wintgtsv.exe"
Value Added : mswinlogon = "%windir%\mswinlogon.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\1ee65b774a8e4408e119e9e67c3b19df.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\c88b2b5ab3beb8544add86dba7d6bfd3.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\d93c73aa193a218dfde0b8b6c0cf8cfa.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\dd63e5c51d27b76cb75402ee6ffa8cf9.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\ded7bc5b59888dee1d8edf1ca6bbbaa9.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\f3202a8c650ff8a944539936c6b82694.exe"
Value Added : systemupdate = "%SYSTEMDRIVE%\data\file2.exe"
Value Added : windows updates = "%windir%\system\update.exe"
Value Added : virtual java = "wintgtsv.exe"
Creates the following child process(es) on execution:

services.exe

%windir%\system32\wcsydrv.exe a

Creates the following mutex(es) on the user's system :-
ral3bbe6ce7
3bbe6ce7::wk
úÞvcgm-2o0osopo8&-4177«ü
Copies the following files to the given locations :-

Copies : %workingdir%\[random name].exe
To : %windir%\system32\wcsydrv.exe

Copies : %workingdir%\[random name].exe
To : %windir%\system32\wintgtsv.exe

Copies : %workingdir%\[random name].exe
To : %windir%\system32\ntvxdc.exe

Copies : %workingdir%\[random name].exe
To : %windir%\system32\ftdutil.exe

NOTE:

1. %workingdir% refers to the current directory in which the user is working.
2. %userprofile% refers to the current Windows user's profile folder. By default it is 'C:\Documents and Settings\[user]'.
3. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify only the malicious or suspicious subkeys.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run
2. Type “regedit” to open the Registry Editor
3. Navigate to the required registry key in the left tree control and modify it accordingly.

© Systweak Inc., 1999-2011 All rights reserved.