Trojan.Agent
Risk Level 1
 
File Size : 1830024 KB
File Type : Portable Executable file
File Name : icwres32.exe
MD5 : 8bf9a828a83e42849460f37a2de1e9aa
SHA1 : 07d72aad64d3275260c15db562e0efcf0bff09ed
SHA256 : ab45caf348c8ba6167d01bb4bd99160270b8b4b7fc4f1d837a

General information:

* File name: C:\Users\vmware\Desktop\malware\Virus.Win32.Small.exe

Changes to registry :

* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "Type=00000110" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\REGmom
* Creates value "Start=00000002" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\REGmom
* Creates value "ErrorControl=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\REGmom
* Creates value "DisplayName=REGmom" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\REGmom
binary data=5200450047006D006F006D000000
* Creates value "ImagePath=C:\Program Files\Windows Media Player\SVCHOST.EXE" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\REGmom
binary data=43003A005C00500072006F006700720061006D002000460069006C00650073005C00570069006E0064006F007700730020004D006500640069006100200050006C0061007900650072005C0053005600430048004F00530054002E004500580045000000
* Creates value "Description=REGmom of the Diskdrive,That's right, cannot stop this service. So order a subscription to AdSenseAccelerator and see how much this COO and Vice President at iPowerWeb" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\REGmom
* Modifies value "Play_Background_Sounds=no" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=6E006F000000
old value "Play_Background_Sounds=yes"
binary data=7900650073000000
* Modifies value "Play_Animations=no" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=6E006F000000
old value "Play_Animations=yes"
binary data=7900650073000000
* Creates value "Display Inline Videos=no" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=6E006F000000
* Creates value "Enable AutoImageResize=no" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=6E006F000000
* Creates value "DisableScriptDebuggerIE=yes" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=7900650073000000

Changes to filesystem:

* Creates file C:\1464179052.bat
* Creates file C:\mpvisc.dll
* Creates file (hidden) C:\Program Files\Internet Explorer\SVCHOST.EXE
* Creates file C:\Program Files\Windows Media Player\startplay.wav
* Creates file C:\Program Files\Windows Media Player\SVCHOST.EXE
* Modifies file (empty) C:\Users\vmware\Desktop\malware\Virus.Win32.Small.exe

Network services:

* Queries DNS "dns.msftncsi.com".
* C:\Sandbox\vmware\DefaultBox\drive\C\Program Files\Internet Explorer\SVCHOST.EXE Connects to "207.46.225.226" on port 80 (TCP - HTTP).
* Downloads file from "www.lmok123.com/kills.txt".
* Downloads file from "easycf.51.net/kills.txt".
* Downloads file from "58.49.58.20/kills.txt".

Process/window/string information:

* Gets user name information.
* Gets volume information.
* Checks for debuggers.
* Creates process "null, C:\1464179052.bat, null".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Creates a service named "REGmom".
* Creates process "C:\Program Files\Internet Explorer\SVCHOST.EXE, "C:\Program Files\Internet Explorer\SVCHOST.EXE" , C:\Users\vmware\Desktop\malware".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\Program Files\Internet Explorer\SVCHOST.EXE".
* Creates process "C:\Windows\system32\cmd.exe, "C:\Windows\system32\cmd.exe" /c del C:\Users\vmware\Desktop\malware\VIRUSW~1.EXE > nul, C:\Users\vmware\Desktop\malware".
* Enables privilege SeIncreaseBasePriorityPrivilege.
* Enables process privileges.
* Contains string Detected Anti-Malware Analyzer routine: WinDbg detection ("dbghelp.dll")
* Contains string Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
* Contains string Detected Anti-Malware Analyzer routine: Norman Sandbox detection ("CurrentUser")
* Contains string Checked for QQ messaging software presence ("QQ.EXE")
* Contains string Checked for registry software presence ("REG.EXE")
* Sleeps 848 seconds.

Additional Information:

How To Remove icwres32.exe

1. Download Sniper Antivirus.
2. Install the executable on your system.
3. Run a full scan of your computer, or of the folder where icwres32.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the results table.
