drvs3.exe

The executable drvs3.exe has been detected as malware by 10 anti-virus scanners. It is a setup program used to install the application. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The file has been seen being downloaded from dc165.2shared.com and multiple other hosts.
Description:
FreeSkyCD.Cn

Version:
3.0.4.3

MD5:
ad684a6986833c1029ad5dfb2115d79a

SHA-1:
ca5ef16e2865083286ac69b78467a9fdfc1ce69d

SHA-256:
920208a0ef606ca923e2925521890c63fffc86dd20f86127d0ec3d903d0040bb

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
11/27/2024 3:41:39 AM UTC

Scan engine          Detection                          Engine version
Agnitum Outpost      Worm.Autoit.Gen                    7.1.1
AVG                  Worm/Autoit                        2015.0.3579
Bkav FE              W32.Clod6d6.Trojan                 1.3.0.4613
IKARUS anti.virus    Worm.Win32.AutoIt                  t3scan.2.2.29
McAfee               Artemis!AD684A698683               5600.7235
Reason Heuristics    Unnamed.Threat.32                  14.3.4.3
Sophos               Disabled System File Check DLL     4.96
Vba32 AntiVirus      Trojan.Autoit.F                    3.12.24.3
VIPRE Antivirus      Trojan.Win32.Generic               25002
ViRobot              Trojan.Win32.A.Zbot.3944446        2011.4.7.4223

File size:
3.8 MB (3,944,446 bytes)

Copyright:
Skyfree

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\all drivers by sarout10\drvs3.exe

File PE Metadata
Compilation timestamp:
12/24/2008 9:00:07 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
98304:qGRufdn5DNFaTPoDkJGXSlazhUbNSwCLWWgwD/:qHjFV6GCchCN8oy

Entry address:
0x4449B0

Entry point:
60, BE, 00, A0, 66, 00, 8D, BE, 00, 70, D9, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...

Entropy:
7.9511

Packer / compiler:
UPX 2.90 [LZMA]

Code size:
1.9 MB (1,945,600 bytes)

The file drvs3.exe has been seen being distributed by the following 2 URLs.

ftp://202.62.224.27/.../DrvS3.exe

Remove drvs3.exe - Powered by Reason Core Security