Submission Summary:

• Submission details:
• Submission received: 11 September 2012, 18:04:25
• Processing time: 7 min 35 sec
• Submitted sample:
• File MD5: 0x02D26CBF766F583EF5EBE23344573ECE
• File SHA-1: 0xCA00330A9F1591C2697690B87D1F0540F8621897
• Filesize: 52,736 bytes
• Alias & packer info:
• Trojan Horse [Symantec]
• Backdoor.Win32.Agent.tnr [Kaspersky Lab]
• generic!bg.evs [McAfee]
• Trojan-Dropper.Agent [Ikarus]
• Dropper/Agent.87552.G [AhnLab]
• packed with: UPX [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Rootkit.Agent	Rootkit.Agent is a trojan that hijack browser in order to produce popup advertisements from known badsites and also have rootkit functionality in order to hide itself as system driver.

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\RymttiC.dll	74,752 bytes	MD5: 0xDB6691495C04919E7468E9871D6B6DA1 SHA-1: 0xC16C7A15205DA26D581CD9E35F1B828427335D29	Backdoor.Trojan [Symantec] Backdoor.Win32.Agent.ajbw [Kaspersky Lab] BackDoor-CKB.gen.ap [McAfee] Troj/Bckdr-QWZ [Sophos] Backdoor:Win32/PcClient.ZL [Microsoft] Backdoor.Win32.Venik [Ikarus] Win-Trojan/Agent.74752.AN [AhnLab]
2	[file and pathname of the sample #1]	52,736 bytes	MD5: 0x02D26CBF766F583EF5EBE23344573ECE SHA-1: 0xCA00330A9F1591C2697690B87D1F0540F8621897	Trojan Horse [Symantec] Backdoor.Win32.Agent.tnr [Kaspersky Lab] generic!bg.evs [McAfee] Trojan-Dropper.Agent [Ikarus] Dropper/Agent.87552.G [AhnLab] packed with UPX [Kaspersky Lab]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There was a new process created in the system:

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
rymttic.dll	%System%\rymttic.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x5A0000 - 0x5B7000

• There was a new service created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIACENTER
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIACENTER\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIACENTER\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Parameters
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIACENTER
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIACENTER\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIACENTER\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter\Parameters
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
• krnlsrvc = 4D 65 64 69 61 43 65 6E 74 65 72 00
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIACENTER\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "MediaCenter"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIACENTER\0000]
• Service = "MediaCenter"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "MS Media Control Center"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEDIACENTER]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Enum]
• 0 = "Root\LEGACY_MEDIACENTER\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Parameters]
• ServiceDll = "%System%\RymttiC.dll"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MediaCenter]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\svchost.exe -k krnlsrvc"
• DisplayName = "MS Media Control Center"
• ObjectName = "LocalSystem"
• Description = "Provides support for media palyer. This service can't be stoped."
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIACENTER\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "MediaCenter"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIACENTER\0000]
• Service = "MediaCenter"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "MS Media Control Center"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEDIACENTER]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter\Enum]
• 0 = "Root\LEGACY_MEDIACENTER\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter\Parameters]
• ServiceDll = "%System%\RymttiC.dll"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MediaCenter]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\svchost.exe -k krnlsrvc"
• DisplayName = "MS Media Control Center"
• ObjectName = "LocalSystem"
• Description = "Provides support for media palyer. This service can't be stoped."

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• The following Host Names were requested from a host database:
• 192.5.5.241
• xlgzshi.vicp.net

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 2013: