Submission Summary:

What's been found                                          Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Threat Category   Description
Virus             A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body.
Backdoor          A malicious backdoor trojan that runs in the background and allows remote access to the compromised system.

 

File System Modifications

#   Filename(s) / File Size / File Hash / Alias

1   %Temp%\Explerer.exe
    %Temp%\ServerName.exe
    %Programs%\Startup\ServerName.EXE
    Size:   24,064 bytes
    MD5:    0xBC9227ECBA7CD7A3DE0661182E96DF03
    SHA-1:  0xB7E4AD32B1C002769080B0C21DBF7C28BF8E8F70
    Alias:  (not available)

2   %Temp%\SkypeSetup.exe
    Size:   1,136,768 bytes
    MD5:    0xE7C118493061A85822E1C1A68F4E2B02
    SHA-1:  0xE77983EB56AD2F5538C2AC98511EA0BE577EF9B1
    Alias:  W32.Sality.AE [Symantec]
            Virus.Win32.Sality.gen [Kaspersky Lab]
            W32/Sality.gen.z [McAfee]
            Mal/Sality-D [Sophos]
            Virus:Win32/Sality.AT [Microsoft]
            Win32/Kashu.E [AhnLab]

3   %Temp%\??? ???????.vbs
    Size:   69,434 bytes
    MD5:    0xE7B134E40114A770F5071AF7ADADCFC2
    SHA-1:  0x3B8EAA58D3F9A9F24E5BF00DA2DBF12B0EEDF638
    Alias:  (not available)

4   [file and pathname of the sample #1]
    Size:   1,220,608 bytes
    MD5:    0x0A79456C688AA5D872038D7F53A70570
    SHA-1:  0xBB803E4528B78471B89569AB28F5665F21052234
    Alias:  Backdoor.Win32.Rbot.hyj [Kaspersky Lab]
            BackDoor-EFI [McAfee]
            Troj/Delf-FFY [Sophos]
            TrojanDropper:Win32/Agent.BAD [Microsoft]
            Trojan.Win32.ProcessHijack [Ikarus]
            Win32/IRCBot.worm.variant [AhnLab]

 

Memory Modifications

Process Name                  Process Filename                        Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]    1,249,280 bytes
SkypeSetup.exe                %Temp%\SkypeSetup.exe                   2,707,456 bytes
Explerer.exe                  %Temp%\explerer.exe                     N/A

 

Registry Modifications

 

Other details

Port opened on the system:

Port   Protocol   Process
1071   TCP        Explerer.exe (%Temp%\Explerer.exe)

Connection to remote host:

Server Name     Server Port   Connect as User   Connection Password
www.skype.com   80            (null)            (null)

 

 

Downloaded File Summary:

What's been found                                          Severity Level
Registers a 32-bit in-process server DLL.

 

Technical Details:

 

File System Modifications

#   Filename(s) / File Size / File Hash

1   %CommonDesktopDir%\Skype.lnk
    Size:   1,878 bytes
    MD5:    0xEEE42D7EF336E1181833835140E0F618
    SHA-1:  0xBFDBD129BAB9442E77393D3D9F6FD6CEACAD9E62

2   %CommonPrograms%\Skype\Skype.lnk
    Size:   1,686 bytes
    MD5:    0x4B70E915D1690D75F8823108A2AC2F47
    SHA-1:  0xA993A667C3D9C73ADCB6EEDAAD3AA9A5551E4B5F

3   %UserProfile%\SendTo\Skype.lnk
    Size:   1,692 bytes
    MD5:    0x3B73BC946EC2D54739CB301712814B86
    SHA-1:  0x3A525F1D19F26A784465CB32ADC6507165DC046D

4   %ProgramFiles%\Common Files\Skype\Skype4COM.dll
    Size:   2,399,872 bytes
    MD5:    0x07363E3CD4367D66CA4E484E224FCA65
    SHA-1:  0x7D59C85E3D88AE17D4BB91D9F2079BBFBE848CB2

5   %ProgramFiles%\Skype\Browser\SkypeBrowserHost.exe
    Size:   337,024 bytes
    MD5:    0x0274D997A9F620899158CD879EDACF7D
    SHA-1:  0x1FA9EA24E47146E1DD762E7A8B976A3077314ECC

6   %ProgramFiles%\Skype\desktop.ini
    Size:   84 bytes
    MD5:    0x94B4847112E57E5D00A2BD1A90DBA835
    SHA-1:  0xAC16950809044F1C26FD1FD521CF0E642CCDCA8C

7   %ProgramFiles%\Skype\Phone\roottools.dll
    Size:   1,752,720 bytes
    MD5:    0x53DD781D1D9C76ED3CC67AAA38A2D745
    SHA-1:  0x765F459E7E9889E525C6379B5E103ADD9039E021

8   %ProgramFiles%\Skype\Phone\RtmCodecs.dll
    Size:   3,728,016 bytes
    MD5:    0x5B1C759CE28B581E758E11E8C8C400D9
    SHA-1:  0xA1D776C4F9D928AB93B9ADC83E6988B2B9ECAC85

9   %ProgramFiles%\Skype\Phone\RtmMediaManager.dll
    Size:   657,040 bytes
    MD5:    0x6DD99DE7CF7EB86D8DB9A69182C0B41A
    SHA-1:  0x6E4B4801CD2BBEF52E4EEE89BFB24C4A0CA9A0EF

10  %ProgramFiles%\Skype\Phone\RtmPal.dll
    Size:   373,904 bytes
    MD5:    0xD1BE6D395679AE9FD7973757F484EEA7
    SHA-1:  0x8C4198EA9799093450D805F49AE7C880420AE33D

11  %ProgramFiles%\Skype\Phone\RtmPltfm.dll
    Size:   8,391,312 bytes
    MD5:    0x2A728514CEECF49C8A751B38EAB4AF60
    SHA-1:  0xD34856292637BA6D21359CA53C40B5F312EB2B5F

12  %ProgramFiles%\Skype\Phone\Skype.exe
    Size:   0 bytes (the hashes below are those of empty input, not of any real file content)
    MD5:    0xD41D8CD98F00B204E9800998ECF8427E
    SHA-1:  0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

13  %ProgramFiles%\Skype\Phone\SkypeResources.dll
    Size:   0 bytes (empty-input hashes, as for #12)
    MD5:    0xD41D8CD98F00B204E9800998ECF8427E
    SHA-1:  0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

14  %ProgramFiles%\Skype\Phone\SkypeSkylib.dll
    Size:   0 bytes (empty-input hashes, as for #12)
    MD5:    0xD41D8CD98F00B204E9800998ECF8427E
    SHA-1:  0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

15  %ProgramFiles%\Skype\Phone\ssScreenVVS2.dll
    Size:   70,800 bytes
    MD5:    0xDA426D31783DF6346600A16644F97E0C
    SHA-1:  0x196AAFB6718F386EFE32A67B92EE19EA487D0893

16  %ProgramFiles%\Skype\Phone\VideoN.dll
    Size:   102,528 bytes
    MD5:    0x1B234603B6931FB1F13779F0E8812B46
    SHA-1:  0xEDE87ACE346ADDE771B0F065873CAB372F353A2D

17  %ProgramFiles%\Skype\third-party_attributions.txt
    Size:   31,451 bytes
    MD5:    0xA5242478115CA3D40F811EBD84353DE1
    SHA-1:  0xA73900CC10B89A8C221542028388BBA555D8881F

18  %ProgramFiles%\Skype\Updater\Updater.dll
    Size:   130,176 bytes
    MD5:    0x788C04405E3991ABE470E0735FBB2122
    SHA-1:  0xC3AC9FCC42B2EC0B48ADF6E1D533A33B81663BE0

19  %ProgramFiles%\Skype\Updater\Updater.exe
    Size:   324,224 bytes
    MD5:    0x6749AD471D1D44CBD1F30257C861F77B
    SHA-1:  0xFF20FF07275C6A1C0EA3EBD371786B900435E183

20  %Windir%\Installer\17dab.msi
    Size:   1,595,392 bytes
    MD5:    0x54684168B08C9241D9EF9241F40EA0EC
    SHA-1:  0x75CF88FD64C7FBB0F3D5D9648DF947041B6A03F4

21  %Windir%\Installer\{FC965A47-4839-40CA-B618-18F486F042C6}\SkypeIcon.exe
    Size:   145,760 bytes
    MD5:    0x00B0ACE97EAA8A8F1CC1867E49B1FE74
    SHA-1:  0xDE074CE41FA91DFFCA582FD80AC402F874C533FC

22  %System%\msvcp120.dll
    Size:   455,328 bytes
    MD5:    0xFD5CABBE52272BD76007B68186EBAF00
    SHA-1:  0xEFD1E306C1092C17F6944CC6BF9A1BFAD4D14613

23  %System%\msvcr120.dll
    Size:   970,912 bytes
    MD5:    0x034CCADC1C073E4216E9466B720F9849
    SHA-1:  0xF19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
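The two file tables above are the part of this report most likely to be reused as indicators, so the following added example (not part of the ThreatExpert report) shows how to turn them into a hash-matching scan and, just as importantly, how to avoid the trap in entries 12 to 14 of the downloaded-file table: a 0-byte file hashes to the MD5/SHA-1 of empty input, which matches every empty file on any system and must never be loaded as an indicator. The hash values are copied from the report; the directory tree, file contents and indicator labels are constructed here so the script runs offline.

```python
"""Match files on disk against the file hashes listed in this report.

Added example, not part of the ThreatExpert report. Hash values are copied
from the report's "File System Modifications" tables; the scanned files are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes of empty input, computed rather than typed. The report lists exactly
# these for Skype.exe, SkypeResources.dll and SkypeSkylib.dll because the files
# were 0 bytes when hashed; they match every empty file and are useless as IOCs.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest().upper()

# (hash, label) pairs copied from the report tables, "0x" prefix removed.
# Labels are this example's own wording.
REPORT_HASHES = [
    ("BC9227ECBA7CD7A3DE0661182E96DF03", "#1 Explerer.exe / ServerName.exe, 24,064 bytes"),
    ("B7E4AD32B1C002769080B0C21DBF7C28BF8E8F70", "#1 Explerer.exe / ServerName.exe, 24,064 bytes"),
    ("E7C118493061A85822E1C1A68F4E2B02", "#2 %Temp%\\SkypeSetup.exe (Sality), 1,136,768 bytes"),
    ("E77983EB56AD2F5538C2AC98511EA0BE577EF9B1", "#2 %Temp%\\SkypeSetup.exe (Sality), 1,136,768 bytes"),
    ("E7B134E40114A770F5071AF7ADADCFC2", "#3 .vbs dropped to %Temp%, 69,434 bytes"),
    ("3B8EAA58D3F9A9F24E5BF00DA2DBF12B0EEDF638", "#3 .vbs dropped to %Temp%, 69,434 bytes"),
    ("0A79456C688AA5D872038D7F53A70570", "#4 submitted sample (Rbot/IRCBot dropper), 1,220,608 bytes"),
    ("BB803E4528B78471B89569AB28F5665F21052234", "#4 submitted sample (Rbot/IRCBot dropper), 1,220,608 bytes"),
    # Downloaded-file table entries 12-14: 0-byte Skype files.
    ("D41D8CD98F00B204E9800998ECF8427E", "Skype.exe / SkypeResources.dll / SkypeSkylib.dll, 0 bytes"),
    ("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "Skype.exe / SkypeResources.dll / SkypeSkylib.dll, 0 bytes"),
]


def load_iocs(pairs):
    """Return ({hash: label}, dropped) with empty-input hashes filtered out."""
    iocs, dropped = {}, []
    for h, label in pairs:
        h = h.upper()
        if h.startswith("0X"):
            h = h[2:]
        if h in (EMPTY_MD5, EMPTY_SHA1):
            dropped.append((h, label))  # would match every empty file
        else:
            iocs[h] = label
    return iocs, dropped


def hash_file(path, chunk=1 << 20):
    """MD5 and SHA-1 of a file as upper-case hex, streamed in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def scan(root, iocs):
    """Walk root and return sorted (relative path, verdict, detail) tuples."""
    root = Path(root)
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.stat().st_size == 0:
                # Reported separately: an empty file can never be a real match.
                results.append((rel, "empty", "0-byte file; hash is the empty-input hash"))
                continue
            md5, sha1 = hash_file(p)
            hit = iocs.get(md5) or iocs.get(sha1)
            results.append((rel, "match", hit) if hit else (rel, "clean", ""))
    return sorted(results)


def build_demo_tree(root):
    """Write constructed files (not the real samples): an empty file, a benign
    file and a stand-in whose MD5 is registered as a constructed indicator."""
    root = Path(root)
    stand_in = b"constructed stand-in for the dropped file\n"
    (root / "Skype.exe").write_bytes(b"")
    (root / "notes.txt").write_bytes(b"benign constructed content\n")
    (root / "Explerer.exe").write_bytes(stand_in)
    return [(hashlib.md5(stand_in).hexdigest().upper(), "constructed stand-in indicator (demo only)")]


def run_demo():
    """Load the report hashes plus the constructed indicator, scan the demo tree."""
    with tempfile.TemporaryDirectory() as tmp:
        extra = build_demo_tree(tmp)
        iocs, dropped = load_iocs(REPORT_HASHES + extra)
        verdicts = {rel: verdict for rel, verdict, _ in scan(tmp, iocs)}
        return {"dropped": len(dropped), "verdicts": verdicts}


if __name__ == "__main__":
    print(run_demo())
```

The scan keys on the filtered hash set only; the file name check that the report tables invite (Explerer.exe, ServerName.EXE in the Startup folder) is deliberately left out because a name alone is not evidence, whereas the hashes of entries 1 to 4 are. Point scan() at a real volume by replacing the temporary directory, and keep load_iocs() in front of any indicator feed so an empty-input hash slipped into a list (as happened in this report's downloaded-file table) never becomes a detection rule.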

 

Memory Modifications

Process Name           Process Filename                                                               Main Module Size
skypeicon.exe          %Windir%\installer\{fc965a47-4839-40ca-b618-18f486f042c6}\skypeicon.exe       145,760 bytes
skypebrowserhost.exe   %ProgramFiles%\skype\browser\skypebrowserhost.exe                              335,872 bytes
updater.exe            %ProgramFiles%\skype\updater\updater.exe                                       323,584 bytes

Service Name   Display Name        Status      Service Filename
SkypeUpdate    Skype Updater       "Stopped"   "%ProgramFiles%\Skype\Updater\Updater.exe"

Service Name   Display Name        New Status  Service Filename
MSIServer      Windows Installer   "Running"   %System%\msiexec.exe /V

 

Registry Modifications

 

Other details

Estonia

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.