SHA256: 860a1d9eeba0ef47475ae28b3ad7228ceb9dec518f41a832616d4b10000ddd9b
File name: csrss.exe
Detection ratio: 39 / 43
Analysis date: 2010-09-24 23:47:55 UTC ( 8 years, 2 months ago )
Antivirus Result Update
AhnLab-V3 Win32/Palevo4.worm.Gen 20100924
AntiVir Worm/Palevo.oxi 20100924
Antiy-AVL Worm/Win32.Palevo.gen 20100924
Authentium W32/Rimecud.I.gen!Eldorado 20100924
Avast Win32:MalOb-AI 20100924
Avast5 Win32:MalOb-AI 20100924
AVG SHeur3.HAO 20100925
BitDefender Gen:Variant.Bredo.3 20100925
CAT-QuickHeal Worm.Palevo 20100924
Comodo MalCrypt.Indus! 20100924
DrWeb Trojan.Packed.20312 20100925
Emsisoft P2P-Worm.Win32.Palevo!IK 20100924
eSafe Win32.WormPalevo.Oxi 20100921
F-Prot W32/Rimecud.I.gen!Eldorado 20100924
F-Secure Gen:Variant.Bredo.3 20100925
Fortinet W32/Kryptik.ANQ!tr 20100924
GData Gen:Variant.Bredo.3 20100925
Ikarus P2P-Worm.Win32.Palevo 20100924
Jiangmin Worm/Palevo.qtx 20100921
K7AntiVirus EmailWorm 20100924
Kaspersky P2P-Worm.Win32.Palevo.yiy 20100924
McAfee W32/Palevo.gen.a 20100925
McAfee-GW-Edition W32/Palevo.gen.a 20100925
Microsoft VirTool:Win32/Obfuscator.IJ 20100924
NOD32 a variant of Win32/Peerfrag.GJ 20100924
Norman W32/Suspicious_Gen2.AKXHS 20100924
nProtect Gen:Variant.Bredo.3 20100924
Panda W32/P2PWorm.HX.worm 20100924
PCTools RogueAntiSpyware.SpywareStrike 20100925
Prevx High Risk Cloaked Malware 20100925
Rising Trojan.Win32.Nodef.zhg 20100921
Sophos AV Mal/Palevo-A 20100924
Sunbelt Trojan.Win32.Generic!BT 20100925
Symantec SpywareStrike 20100925
TheHacker Trojan/Peerfrag.gj 20100925
TrendMicro WORM_PALEVO.SMJJ 20100924
TrendMicro-HouseCall WORM_PALEVO.SMJJ 20100925
VBA32 Malware-Cryptor.Win32.Limpopo 20100924
VirusBuster Worm.Palevo.Gen!Pac.6 20100924
ClamAV 20100925
eTrust-Vet 20100925
SUPERAntiSpyware 20100925
ViRobot 20100924
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright D4oz2Uyk
Product ,QLWeisJO
Original name ZptFVTaZx
Internal name KeQDB630a
File version Hf1Og.sjg
Description hrubeCRwI
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-05-22 12:55:29
Entry Point 0x00009976
Number of sections 4
PE sections
PE imports
DeleteCriticalSection
CreateThread
GetFileSize
lstrcatA
HeapDestroy
GetCPInfo
GlobalFindAtomA
GetTickCount
IsBadWritePtr
GetStringTypeExA
GetModuleFileNameA
InterlockedCompareExchange
GetUserDefaultLCID
SetLastError
ResetEvent
ImageList_ReplaceIcon
PropertySheetA
CreatePropertySheetPageW
OffsetViewportOrgEx
CreateICA
TextOutW
GetWindowOrgEx
FrameRgn
GetTextFaceW
GetTextExtentPoint32A
OffsetRgn
GetNearestColor
GetTextExtentExPointW
SetMetaFileBitsEx
ScaleWindowExtEx
SetTextJustification
CreateICW
GetRegionData
FillPath
GetCharWidthA
BeginPath
SHGetFolderPathW
SHBrowseForFolderA
DragAcceptFiles
Shell_NotifyIconW
DragQueryFileA
FindExecutableW
SHGetFolderPathA
SHGetSpecialFolderPathW
EmptyClipboard
SetWindowPlacement
GetForegroundWindow
RedrawWindow
GetScrollRange
EndDialog
GetScrollPos
RegisterWindowMessageA
ShowWindow
MessageBeep
DrawFrameControl
GetWindowThreadProcessId
SetWindowLongA
RegisterClipboardFormatA
IntersectRect
MessageBoxA
DestroyCursor
GetKeyState
UnregisterClassA
SetForegroundWindow
DrawMenuBar
CallNextHookEx
InsertMenuA
GetMenuItemCount
IsRectEmpty
ScrollWindow
GetWindowTextA
SetCursor
Number of PE resources by type
RT_ICON 4
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
RUSSIAN 5
NEUTRAL 1
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.26
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 0.0.0.0
UninitializedDataSize 0
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet ASCII
InitializedDataSize 122368
EntryPoint 0x9976
OriginalFileName ZptFVTaZx
MIMEType application/octet-stream
LegalCopyright D4oz2Uyk
FileVersion Hf1Og.sjg
TimeStamp 2007:05:22 13:55:29+01:00
FileType Win32 EXE
PEType PE32
InternalName KeQDB630a
ProductVersion .LRlHlwRv
FileDescription hrubeCRwI
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName ZQmrOXQb,
CodeSize 90624
ProductName ,QLWeisJO
ProductVersionNumber 0.0.0.0
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 39c87b2ee68ee96fbeced5b2a73a5dc5
SHA1 2988ae4f47bcbf6e4ea205aaa3ba6bbbda2cabb2
SHA256 860a1d9eeba0ef47475ae28b3ad7228ceb9dec518f41a832616d4b10000ddd9b
ssdeep 6144:eP3E/8wqa4jttg0qX2RDsgzUTw+3FVeGxB:iU/P4jtRvs/9FMYB
authentihash e995263a3069b5fb763ad5e1d92c8d2405b6f4a8dc75725b371de824b6e826d8
imphash 6d4d5fd69c053fae1c89ece284093250
File size 209.0 KB ( 214016 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (38.4%)
Win32 Executable (generic) (26.3%)
OS/2 Executable (generic) (11.8%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags peexe
VirusTotal metadata
First submission 2010-03-20 18:21:52 UTC ( 8 years, 8 months ago )
Last submission 2018-05-22 18:34:48 UTC ( 6 months, 3 weeks ago )
File names csrss.ex
ZptFVTaZx
KeQDB630a
otRmVdE.bz2
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Behaviour characterization
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Runtime DLLs
DNS requests
UDP communications