msdcsc.exe

Remote Service Application

Microsoft Corp.

The executable msdcsc.exe has been detected as malware by 41 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘MicroUpdate’. While running, it connects to the Internet address client-134-214.speedy-net.bg on port 200.

Publisher:
Microsoft Corp.

Product:
Remote Service Application

Version:
1, 0, 0, 1

MD5:
e7e5e904c73fd86cdc51b4435a15364d

SHA-1:
e96a97676544d71679224dcbdb1aa9905ba3e32a

SHA-256:
4d5a450bd826abec2ea5fb4a6f9bc9b668e90b64e1609fea9aaf8762b0bcdc55

Scanner detections:
41 / 68

Status:
Malware

Analysis date:
4/26/2024 8:48:35 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Inject.AUZ
577

Agnitum Outpost
Trojan.Agent
7.1.1

AhnLab V3 Security
Win-Trojan/FCN.140610
2015.06.18

Arcabit
Trojan.Inject.AUZ
1.0.0.425

avast!
Win32:Agent-AWZS [Trj]
2014.9-150707

AVG
BackDoor.Generic15
2016.0.3055

Baidu Antivirus
Backdoor.Win32.DarkKomet
4.0.3.1577

Bitdefender
Trojan.Inject.AUZ
1.0.20.940

Bkav FE
W32.LebomeP.Trojan
1.3.0.6379

Clam AntiVirus
WIN.Trojan.DarkKomet
0.98/21511

Comodo Security
TrojWare.Win32.Fynloski.B
22490

Dr.Web
BackDoor.Comet.884
9.0.1.0188

Emsisoft Anti-Malware
Trojan.Inject.AUZ
8.15.07.07.02

ESET NOD32
Win32/Fynloski.AM (variant)
9.11804

Fortinet FortiGate
W32/DarkKomet.ID!tr.bdr
7/7/2015

F-Prot
W32/Downloader.C.gen
v6.4.7.1.166

F-Secure
Trojan.Inject.AUZ
11.2015-07-07_3

G Data
Trojan.Inject.AUZ
15.7.25

IKARUS anti.virus
Backdoor.Win32.DarkKomet
t3scan.1.9.5.0

K7 AntiVirus
Backdoor
13.205.16281

Kaspersky
Backdoor.Win32.DarkKomet
14.0.0.1772

Malwarebytes
Backdoor.Agent.DCRSAGen
v2015.07.07.02

McAfee
Generic.gj
5600.6711

Microsoft Security Essentials
Backdoor:Win32/Fynloski.A
1.1.11701.0

MicroWorld eScan
Trojan.Inject.AUZ
16.0.0.564

NANO AntiVirus
Trojan.Win32.DarkKomet.cssoim
0.30.24.2086

nProtect
Trojan.Inject.AUZ
15.06.17.01

Panda Antivirus
Trj/Genetic.gen
15.07.07.02

Qihoo 360 Security
HEUR/Malware.QVM11.Gen
1.0.0.1015

Quick Heal
Backdoor.Fynloski.A9
7.15.14.00

Reason Heuristics
Trojan.Backdoor.Meta (M)
15.7.7.14

Rising Antivirus
PE:Trojan.Win32.Generic.15972D1E!362229022
23.00.65.15705

Sophos
Troj/Backdr-ID
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Fynloski
9768

Total Defense
Win32/Fynloski.DY
37.1.62.1

Trend Micro House Call
TROJ_SPNR.0BGT13
7.2.188

Trend Micro
TROJ_SPNR.0BGT13
10.465.07

Vba32 AntiVirus
Backdoor.DarkKomet
3.12.26.4

VIPRE Antivirus
Backdoor.Win32.Fynloski.A
41236

ViRobot
Backdoor.Win32.Agent.674304.A[UPX][h]
2014.3.20.0

Zillya! Antivirus
Trojan.Fynloski.Win32.3191
2.0.0.2233

File size:
252 KB (258,048 bytes)

Product version:
4, 0, 0, 0

Copyright:
Copyright (C) 1999

Original file name:
MSRSAAP.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
6/7/2012 10:59:53 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:7cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:7cW7KEZlPzCy37

Entry address:
0xB59B0

Entry point:
60, BE, 00, 80, 47, 00, 8D, BE, 00, 90, F8, FF, C7, 87, B8, 07, 09, 00, 3A, 02, 2E, 93, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.22 (Delphi) stub

Code size:
248 KB (253,952 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MicroUpdate

Command:
C:\users\{user}\documents\msdcsc\msdcsc.exe
The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to m235.looho.men (94.73.32.235:200)

TCP:
Connects to client-134-214.speedy-net.bg (78.159.134.214:200)

Remove msdcsc.exe - Powered by Reason Core Security