Submission Summary:

What's been foundSeverity Level
Capability to block security-related software by modifying firewall settings and by disabling security services, such as Windows Update, Norton Autoprotect, Kaspersky Anti-Virus, etc.
Produces outbound traffic.
Downloads/requests other files from Internet.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Threat CategoryDescription
A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Windir%\ggiogq.exe
[file and pathname of the sample #1]
109,568 bytes MD5: 0xD9A6A9E11697F0419AA8D40E2781DCE4
SHA-1: 0x0331F385B7368C1E09803C6BFEE688446D008B0F
W32.Ramnit!inf [Symantec]
Virus.Win32.Nimnul.a [Kaspersky Lab]
W32/Ramnit.a [McAfee]
W32/Patched-I [Sophos]
Virus:Win32/Ramnit.A [Microsoft]
Virus.Win32.Ramnit [Ikarus]
Win32/Ramnit.B [AhnLab]
2 %Windir%\ggiogqSrv.exe 86,528 bytes MD5: 0x90CB45B226122F9B6ADF8FE692B22F35
SHA-1: 0xE9694B7387049501D16A06272F0E40C468FB3563
W32.Virut.CF [Symantec]
Packed.Win32.Krap.hm [Kaspersky Lab]
PWS-Zbot.gen.pq [McAfee]
W32/Scribble-B [Sophos]
Virus:Win32/Virut.BN [Microsoft]
Gen.Trojan.Heur [Ikarus]
3 [part of the sample filename]1Srv.exe 86,528 bytes MD5: 0x119346790702968202A5D8CC1C05FF4C
SHA-1: 0xC44B70870A850BCCF3303EFF2BBBDCEEFE623018
W32.Virut.CF [Symantec]
Packed.Win32.Krap.hm [Kaspersky Lab]
PWS-Zbot.gen.pq [McAfee]
W32/Scribble-B [Sophos]
Virus:Win32/Virut.BN [Microsoft]
Virus.Win32.Virut [Ikarus]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
ggiogq.exe%Windir%\ggiogq.exe163,840 bytes
ggiogqSrv.exe%Windir%\ggiogqSrv.exe77,824 bytes
[filename of the sample #1][file and pathname of the sample #1]163,840 bytes

Service NameDisplay NameStatusService Filename
.Net CLRMicrosoft .Net Framework COM+ Support"Running"%Windir%\ggiogq.exe

 

Registry Modifications

 

Other details

China
Russian Federation

PortProtocolProcess
1035TCPggiogq.exe (%Windir%\ggiogq.exe)
1038TCPggiogq.exe (%Windir%\ggiogq.exe)
1039TCPggiogq.exe (%Windir%\ggiogq.exe)

Remote HostPort Number
157.52.160.1145588
a.aklianfa.com9530
www.aabao.top9999
inqtux.com443
88.198.69.4380

Server NameServer PortConnect as UserConnection Password
127.0.0.280127.0.0.2127.0.0.2
127.0.0.380127.0.0.3127.0.0.3
127.0.0.480127.0.0.4127.0.0.4

 

Outbound traffic (potentially malicious)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.