screensaverpro.scr

The file screensaverpro.scr has been detected as malware by 38 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'Screen Saver Pro 3.1'. This worm can steal user names and passwords by monitoring network communication, block websites, and launch denial of service (DoS) attacks. While running, it connects to the Internet host starz.stoatch.com on port 80 over HTTP.
Publisher:
PortableApps.com

Product:
Pidgin Portable

Version:
1.6.9.0

MD5:
26e4d2a1a80b78a37864d3a5de25ff53

SHA-1:
2c9a620d1a2a8af04aeb9196234d59f2d3ee8a10

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
4/27/2024 1:41:07 AM UTC

Scan engine                     Detection                                    Engine version
Lavasoft Ad-Aware               Trojan.GenericKD.1171398                     864
Agnitum Outpost                 Backdoor.Androm                              7.1.1
AhnLab V3 Security              Trojan/Win32.Inject                          2014.09.18
Avira AntiVirus                 TR/Dropper.Gen                               7.11.173.16
avast!                          Win32:Ransom-AOX [Trj]                       2014.9-140923
AVG                             BackDoor.Generic17                           2015.0.3342
Baidu Antivirus                 Backdoor.Win32.Androm                        4.0.3.14923
Bitdefender                     Trojan.GenericKD.1171398                     1.0.20.1330
Clam AntiVirus                  Win.Trojan.Generickd-245                     0.98/21411
Comodo Security                 TrojWare.Win32.Injector.AKXT                 19546
Dr.Web                          Trojan.Winlock.8811                          9.0.1.0266
Emsisoft Anti-Malware           Trojan.GenericKD.1171398                     8.14.09.23.01
ESET NOD32                      Win32/Dorkbot                                8.10434
Fortinet FortiGate              W32/Androm.AJKL!tr.bdr                       9/23/2014
F-Prot                          W32/Trojan2.NXHW                             v6.4.7.1.166
F-Secure                        Trojan.GenericKD.1171398                     11.2014-23-09_3
G Data                          Trojan.GenericKD.1171398                     14.9.24
IKARUS anti.virus               Backdoor.Win32.Androm                        t3scan.1.7.8.0
K7 AntiVirus                    Trojan                                       13.183.13407
Kaspersky                       Backdoor.Win32.Androm                        14.0.0.3207
Malwarebytes                    Trojan.Agent.ED                              v2014.09.23.01
McAfee                          Ainslot.b                                    5600.6998
Microsoft Security Essentials   Worm:Win32/Dorkbot.I                         1.11005
MicroWorld eScan                Trojan.GenericKD.1171398                     15.0.0.798
NANO AntiVirus                  Trojan.Win32.Winlock.ccvhlg                  0.28.2.62151
Norman                          Kryptik.CCKO                                 11.20140923
nProtect                        Trojan.GenericKD.1171398                     14.09.17.01
Panda Antivirus                 Trj/Agent.IVN                                14.09.23.01
Qihoo 360 Security              HEUR/Malware.QVM10.Gen                       1.0.0.1015
Quick Heal                      Trojan.Lethic.B5                             9.14.14.00
Rising Antivirus                PE:Trojan.Win32.Generic.15938EEA!361991914   23.00.65.14921
Sophos                          Troj/Agent-AIEA                              4.98
SUPERAntiSpyware                Trojan.Agent/Gen-Malagent                    10342
Trend Micro House Call          TROJ_SPNR.03I213                             7.2.266
Trend Micro                     TROJ_SPNR.03I213                             10.465.23
VIPRE Antivirus                 Worm.Win32.Dorkbot                           33212
ViRobot                         Trojan.Win32.S.Inject.162816.AA              2011.4.7.4223
Zillya! Antivirus               Worm.Dorkbot.Win32.1041                      2.0.0.1926

File size:
159 KB (162,816 bytes)

Product version:
1.6.9.0

Copyright:
John T. Haller

Trademarks:
PortableApps.com is a Trademark of Rare Ideas, LLC.

Original file name:
PidginPortable.exe

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Application data\screensaverpro.scr

File PE Metadata
Compilation timestamp:
8/10/2013 11:00:17 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:GauOcOaPA7yrevHm10HT0JS2tMgVcp8t41N1:GmcOaPA7yIfYJvtMU4h

Entry address:
0x18A9

Entry point:
E8, D0, 36, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 68, 94, E0, 40, 00, FF, 15, 80, D0, 40, 00, 85, C0, 74, 15, 68, 84, E0, 40, 00, 50, FF, 15, 7C, D0, 40, 00, 85, C0, 74, 05, FF, 75, 08, FF, D0, 5D, C3, 8B, FF, 55, 8B, EC, FF, 75, 08, E8, C8, FF, FF, FF, 59, FF, 75, 08, FF, 15, 84, D0, 40, 00, CC, 6A, 08, E8, FE, 1C, 00, 00, 59, C3, 6A, 08, E8, 1C, 1C, 00, 00, 59, C3, 8B, FF, 56, E8, FA, 31, 00, 00, 8B, F0, 56, E8, 3D, 05, 00, 00, 56, E8, 17, 15, 00, 00, 56, E8, 53, 39, 00, 00, 56, E8, 3E, 39, 00...

Code size:
46 KB (47,104 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Screen Saver Pro 3.1

Command:
C:\Documents and Settings\{user}\Application data\screensaverpro.scr
The executing file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to starz.stoatch.com (212.83.138.221:80)

Remove screensaverpro.scr - Powered by Reason Core Security