<h4>
File details
</h4>
Filename: wuauserv.exe

File size: 69632 bytes
Build: 13 December 2007 1:34:25 PM
MD5: 23f5b88e7aef06c9968b1371adfcb1dc
SHA1: 3bbdf6d8573d7736ceebc5146102e9aef55fd914
PEiD: Microsoft Visual C++ 6.0

QUOTE
File wuauserv.exe received on 12.14.2007 18:48:21 (CET)
AhnLab-V3 2007.12.15.10 2007.12.14 -
AntiVir 7.6.0.45 2007.12.14 -
Authentium 4.93.8 2007.12.13 -
Avast 4.7.1098.0 2007.12.13 -
AVG 7.5.0.503 2007.12.14 PSW.Generic5.ACZO
BitDefender 7.2 2007.12.14 -
CAT-QuickHeal 9.00 2007.12.14 -
ClamAV 0.91.2 2007.12.14 -
DrWeb 4.44.0.09170 2007.12.14 -
eSafe 7.0.15.0 2007.12.13 -
eTrust-Vet 31.3.5375 2007.12.14 -
Ewido 4.0 2007.12.14 -
FileAdvisor 1 2007.12.14 -
Fortinet 3.14.0.0 2007.12.14 -
F-Prot 4.4.2.54 2007.12.13 -
F-Secure 6.70.13030.0 2007.12.14 -
Ikarus T3.1.1.15 2007.12.14 -
Kaspersky 7.0.0.125 2007.12.14 -
McAfee 5186 2007.12.14 -
Microsoft 1.3109 2007.12.14 -
NOD32v2 2723 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.14 -
Prevx1 V2 2007.12.14 Trojan.SystemPoser
Rising 20.22.41.00 2007.12.14 -
Sophos 4.24.0 2007.12.14 -
Sunbelt 2.2.907.0 2007.12.14 -
Symantec 10 2007.12.14 -
TheHacker 6.2.9.159 2007.12.14 -
VBA32 3.12.2.5 2007.12.14 -
VirusBuster 4.3.26:9 2007.12.13 -
Webwasher-Gateway 6.0.1 2007.12.14 -
______________________________

Filename: kb1111p.dll

File size: 45056 bytes
Build: 13 December 2007 1:34:15 PM
MD5: 2a4d224c572cbbc63ad57bc4c29de07e
SHA1: 08ae9435b009caa63b22ac8b096e07478cb1d302
PEiD: Microsoft Visual C++ 6.0 DLL

QUOTE
File kb1111p.dll received on 12.14.2007 18:59:20 (CET)
AhnLab-V3 2007.12.15.10 2007.12.14 -
AntiVir 7.6.0.45 2007.12.14 -
Authentium 4.93.8 2007.12.13 -
Avast 4.7.1098.0 2007.12.13 -
AVG 7.5.0.503 2007.12.14 -
BitDefender 7.2 2007.12.14 -
CAT-QuickHeal 9.00 2007.12.14 -
ClamAV 0.91.2 2007.12.14 -
DrWeb 4.44.0.09170 2007.12.14 Trojan.PWS.Gamania.origin
eSafe 7.0.15.0 2007.12.13 -
eTrust-Vet 31.3.5375 2007.12.14 -
Ewido 4.0 2007.12.14 -
FileAdvisor 1 2007.12.14 -
Fortinet 3.14.0.0 2007.12.14 -
F-Prot 4.4.2.54 2007.12.13 -
F-Secure 6.70.13030.0 2007.12.14 -
Ikarus T3.1.1.15 2007.12.14 -
Kaspersky 7.0.0.125 2007.12.14 -
McAfee 5186 2007.12.14 -
Microsoft 1.3109 2007.12.14 -
NOD32v2 2723 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.14 -
Prevx1 V2 2007.12.14 -
Rising 20.22.41.00 2007.12.14 -
Sophos 4.24.0 2007.12.14 -
Sunbelt 2.2.907.0 2007.12.14 -
Symantec 10 2007.12.14 -
TheHacker 6.2.9.159 2007.12.14 -
VBA32 3.12.2.5 2007.12.14 -
VirusBuster 4.3.26:9 2007.12.13 -
Webwasher-Gateway 6.0.1 2007.12.14 -

<h4>
Visible signs
</h4>
None.

<h4>
Technical details
</h4>
Registry changes.

QUOTE
HKEY_CLASSES_ROOT\CLSID\{9C0ADB68-353A-61DD-ED09-1D8003A61111}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\kb1111p.dll
HKEY_CLASSES_ROOT\CLSID\{9C0ADB68-353A-61DD-ED09-1D8003A61111}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{9C0ADB68-353A-61DD-ED09-1D8003A61111}"
Type: REG_SZ
Data:
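The three registry entries above are a ShellExecuteHooks persistence mechanism: Explorer reads each CLSID value under ShellExecuteHooks, resolves it through HKCR\CLSID\{...}\InProcServer32, and loads the named DLL. The following PowerShell script is an added example (not part of the original report) that enumerates that chain on a host, hashes each hook DLL and flags any that is missing or not validly Microsoft-signed; the "Suspicious" heuristic is an assumption of this example, and it assumes an elevated PowerShell 4+ session.

```powershell
# Added example: enumerate ShellExecuteHooks entries and resolve each CLSID
# to the InProcServer32 DLL that Explorer would load. Run as Administrator.

$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# HKCR is not mapped as a drive by default; map it so CLSID lookups work.
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$hooks = Get-Item -Path $hooksKey -ErrorAction SilentlyContinue
if (-not $hooks) { Write-Output 'No ShellExecuteHooks key present.'; return }

foreach ($clsid in $hooks.GetValueNames()) {
    # Value name is the CLSID; value data is usually empty (as in the report above).
    $serverKey = "HKCR:\CLSID\$clsid\InProcServer32"
    $server    = Get-Item -Path $serverKey -ErrorAction SilentlyContinue
    $dll       = if ($server) { [Environment]::ExpandEnvironmentVariables($server.GetValue('')) } else { $null }

    $result = [ordered]@{
        CLSID       = $clsid
        Description = $hooks.GetValue($clsid)
        DLL         = $dll
        Exists      = $false
        Signer      = 'n/a'
        SHA1        = 'n/a'
        Suspicious  = $true    # no resolvable DLL is itself worth a look
    }

    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $result.Exists = $true
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $result.Signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        $result.SHA1   = (Get-FileHash -Path $dll -Algorithm SHA1).Hash
        # Heuristic (assumption of this example): a validly Microsoft-signed hook DLL is
        # expected; an unsigned DLL such as kb1111p.dll in System32 is not.
        $result.Suspicious = -not ($sig.Status -eq 'Valid' -and
                                   $sig.SignerCertificate.Subject -like '*Microsoft*')
    }

    [pscustomobject]$result
}
```

Compare the reported SHA1 against the hash in the File details section when triaging a flagged entry.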
Files added.

QUOTE
%Temp%\htba
Date: 12/14/2007 6:51 PM
Size: 0 bytes
%System%\kb1111p.dll
Date: 12/14/2007 6:51 PM
Size: 45,056 bytes
Note: %Temp% is a variable that refers to C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Files deleted.

QUOTE
%System%\drivers\etc\hosts
Date: 8/4/2004 1:00 PM
Size: 734 bytes
Note: %System% is a variable that refers to C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

wuauserv.exe is deleted from the computer once executed.

<h4>
Notes
</h4>
%System%\kb1111p.dll loads into almost every running process in order to monitor keystrokes. Depending on the type of Host Intrusion Prevention System (HIPS) you are running, alerts may vary:

[Two HIPS alert screenshots; images not preserved.]
Associated links: http://wiki.castlecops.com/HIPS_FAQ

<h4>
Offending IP
</h4>
Sonyrpm.com - 91.121.78.143

QUOTE
Server Type: Microsoft-IIS/6.0
IP Location - France - Ovh Sas
Response Code: 400
Blacklist Status: Clear
Domain Status: Registered And Active Website

ICANN Registrar: ENOM, INC.
Created: 2007-10-31
Expires: 2008-10-31
Registrar Status: clientTransferProhibited
Name Server: DNS1.NAME-SERVICES.COM (has 3,648,348 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM

Domain name: sonyrpm.com

Registrant Contact:
Zhang san
Zhang san ()
+86.01012345678
Fax: +86.01012345678
Fujian province,Xiamen City
Xiamen, Beijing 000001
CN

Administrative Contact:
Zhang san
Zhang san ()
+86.01012345678
Fax: +86.01012345678
Fujian province,Xiamen City
Xiamen, Beijing 000001
CN

Technical Contact:
Zhang san
Zhang san ()
+86.01012345678
Fax: +86.01012345678
Fujian province,Xiamen City
Xiamen, Beijing 000001
CN

Creation date: 01 Nov 2007 03:28:18
Expiration date: 01 Nov 2008 03:28:18

Websites for 91.121.78.143

1. Bmwrpm.com
2. Citirpm.com
3. Sonyrpm.com