ThreatExpert Report: Mal/FakeDouf-B, Trojan:Win32/Alureon.CO, Rootkit.Win32.Agent.akgh..

Submission Summary:

Submission details:

Submission received: 12 February 2010, 15:02:47
Processing time: 10 min 18 sec
Submitted sample:

File MD5: 0x035A0D07466E0351E08700C5DB12820F
File SHA-1: 0xE60D3A54C87A65A9FCA5CD802E5D71E260BF2630
Filesize: 152,064 bytes
Alias: Mal/FakeDouf-B [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.FakeAlert	Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some settings of windows which include:- disabling permissions for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.

Attention! The following threat category was identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\000005cd	86,016 bytes	MD5: 0x92DBBCBC5565302A724FB2D0F42ADF94 SHA-1: 0xB860CE20A1A982C36B00C0DBE2336ECBCC20517C	Trojan:Win32/Alureon.CO [Microsoft]
2	%Temp%\a.dat	22,168 bytes	MD5: 0x8853B80928C70D90B02E8CD066948DA0 SHA-1: 0xFD129FEB1084EA01DDBDDEB40D4FBC5B9C264790	(not available)
3	%Temp%\Alf.exe %Windir%\msa.exe	215,040 bytes	MD5: 0x7B4EAB4536A35EFB819A97D683E352B5 SHA-1: 0xA875DB9505166AE347F8180FCEC92EB47825E595	Mal/FakeDouf-B [Sophos]
4	%Temp%\Alg.exe	216,576 bytes	MD5: 0x229C38F0520D662976E10F624A4B3B8C SHA-1: 0xD7E53DEF17FB49AC83562DE485471E2A2F2ADDE3	Mal/FakeDouf-B [Sophos]
5	%System%\spool\prtprocs\w32x86\00005495.tmp	86,016 bytes	MD5: 0xE754548482656327A2949155714BE388 SHA-1: 0xFFE322A0CA1993AB736C4BCE3DAA8662D3872AE4	Trojan:Win32/Alureon.CO [Microsoft]
6	%Windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	334 bytes	MD5: 0x25035EC7C914D1C46D2929854A5358DA SHA-1: 0xB93B2A6ABB5E726C11BB5CE0536507A1E0DBF937	(not available)
7	%Windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job	294 bytes	MD5: 0xE216D79B3D6CCDA8473BDDF635E6C0DB SHA-1: 0x965289179E770A7BF7F097DB4A9C2155F5790DF6	(not available)
8	%Windir%\Temp\00005dd1.sys	29,184 bytes	MD5: 0xFCA53E3D28357DF3A647D4C2E188B471 SHA-1: 0xAACDF955D79F348212A6562C3F60FDCF24C5C96B	Rootkit.Win32.Agent.akgh [Kaspersky Lab] Trojan:WinNT/Alureon.G [Microsoft] Trojan.WinNT.Alureon [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
Alg.exe	%Temp%\alg.exe	622,592 bytes
msa.exe	%Windir%\msa.exe	520,192 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
HKEY_CURRENT_USER\Software\ROUA3O12PW
HKEY_CURRENT_USER\Software\TOY5KNQ8OC
HKEY_CURRENT_USER\Software\XML

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3]

Blob = 03 00 00 00 01 00 00 00 14 00 00 00 12 D4 87 2B C3 EF 01 9E 7E 0B 6F 13 24 80 AE 29 DB 5B 1C A3 14 00 00 00 01 00 00 00 14 00 00 00 97 D0 6B A8 26 70 C8 A1 3F 94 1F 08 2D C4 35 9B A4 A1 1E F2 04 00 00 00 01 00 00 00 10 00 00 00 56 10 5F 6D 97 18 DE 7

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

TOY5KNQ8OC = "%Temp%\Alg.exe"
ROUA3O12PW = "%Windir%\msa.exe"

so that Alg.exe runs every time Windows starts

so that msa.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\ROUA3O12PW]

Azy3 = "FOqnU9HLTRbc+g=="
Azy0 = "Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg20bvg2lIH4I0SSBgUTuqf3fYxYYGgq646p4fQ0BKrrEqQmaTQyIWqoOGOMOR4MoH3sbitDgpFNd6HxZeCxMZEGF6iVtfwyKQ0agFQ1SzbUq43Q7Tpdhtm4U0ZRBNS6KYvkV2YzEwrOYxvFG4Qb8nrZPgjFnZJlNiNMc7X3BcE8gHKumxx8LYriVQTDzdu3czzeElaBVyMVp60T
Avi2 = 0x0000000F
Avi5 = 0x00000E10
Avi3 = 0x000000FA
Avi4 = 0x00000064
Avi6 = 0x00000009
Avi14 = 0x00000000
Avi0 = 0x01CAAD00
Avi1 = 0xC0866980
Azy1 = ""
Azy2 = "ZuLNIa64IWuvvLI2X46gM04m4XVnqi/6lPGZOoQgs7J0x4Dgk1NI9w=="
Avi6 = 0x0000000A

[HKEY_CURRENT_USER\Software\TOY5KNQ8OC]

Aq2 = "xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P"
Aq0 = "tSLPLpWL7R22spR48AI743bz2Kge8sEPy1iosXy2iAog1s0v9M0gqMzCQfK0HljtkauXVCGbnnfra35yNQwaJTgv68pHV/XrSWpKvD4YfL3BUK2YmKdwy0wP+mREmBu3qeV4TyHp6lc/8xIj6ehCR1T2ygeXbopFSi+wcuZzVX7WA8yjo9XhuJU5/pNqmcfKB2V7Y7qn2tZwrqT3eKKXPIf9sbxy38uNoUF1xYIsnQ3hFA=="
Aq1 = "tSbFNJuL/h22spR48AI743bz2Kge8sEeyVi7rDe7ghMhx8cxtMM6rsHIXa/qBkChgvGQSnOomXTeInlsZ1oGJTxl/soFQ//uV2wIsDIefbzBT+aPj6cx11ELryRfxAfh1NNeBib3uHpWiFcm77lAS0ithBveOJURRz6rY+ZxCjaQEduyrdTmo4559JNpxYvGGmwxY6z6xdJ15uLtZODZWf39sa5lx53p30M="
Aj4 = 0x00015180
Aj5 = 0x00000002
Aj2 = 0x01CAAD00
Aj3 = 0xB9E4DF30
Aj6 = 0x00000001
Aj0 = 0x01CAAC39
Aj1 = 0xDA42BA80

Other details

The following ports were open in the system:

Port	Protocol	Process
1064	UDP	msa.exe (%Windir%\msa.exe)
1085	TCP	msa.exe (%Windir%\msa.exe)
1095	TCP	msa.exe (%Windir%\msa.exe)
1096	TCP	msa.exe (%Windir%\msa.exe)
1099	TCP	msa.exe (%Windir%\msa.exe)
1100	TCP	msa.exe (%Windir%\msa.exe)
1101	TCP	msa.exe (%Windir%\msa.exe)
1108	TCP	msa.exe (%Windir%\msa.exe)
1109	TCP	msa.exe (%Windir%\msa.exe)
1110	TCP	msa.exe (%Windir%\msa.exe)
1116	TCP	msa.exe (%Windir%\msa.exe)
1120	TCP	msa.exe (%Windir%\msa.exe)
1122	TCP	msa.exe (%Windir%\msa.exe)
1123	TCP	msa.exe (%Windir%\msa.exe)
1125	TCP	msa.exe (%Windir%\msa.exe)
1127	TCP	msa.exe (%Windir%\msa.exe)
1128	TCP	msa.exe (%Windir%\msa.exe)
1134	TCP	msa.exe (%Windir%\msa.exe)
1139	TCP	msa.exe (%Windir%\msa.exe)
1141	TCP	msa.exe (%Windir%\msa.exe)

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
174.129.243.250	80
174.37.204.176	80
199.7.48.190	80
208.19.38.17	80
208.19.38.42	80
208.19.38.50	80
208.19.38.8	80
212.150.147.46	80
64.120.144.86	80
64.120.164.41	80

The data identified by the following URLs was then requested from the remote web server:

http://ad1.adsovo.com/st?ad_type=iframe&ad_size=468x60&section=758786
http://ad1.adsovo.com/st?ad_type=iframe&ad_size=160x600&section=758786
http://fgage.com/ad_type.php
http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
http://cdn.ipromote.com/ad/script/js/flash4.js
http://cheaptous.com/k.php
http://sgfax.com/resolution.php
http://befreenet.com/borders.php
http://tangoartsshow.com/perce/10701c6d81fa04f004a00eab846b28ed9ec2babcd6c77e883658518286342f92bc34fb393c0e3c30a/30d/qwerce.gif
http://content.yieldmanager.com/ak/q.gif
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
http://ad.yieldmanager.com/imp?Z=120x600&s=800481&_salt=1608377094&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0&SIG=10v724hic;x-cookie=qe6rai55aou0s&o=4&f=oo
http://ad.yieldmanager.com/imp?Z=468x60&s=756348&_salt=1532879516&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=120x600&s=800485&_salt=439598888&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=468x60&fil=gw&s=758786&_salt=72360661&B=10&u=http%3A%2F%2Fbollywoodondemand.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=160x600&s=785719&_salt=2949130450&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=120x600&s=800481&_salt=1608377094&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0
http://ad.scanmedios.com/st?ad_type=iframe&ad_size=468x60&section=756348
http://ad.scanmedios.com/imp?Z=468x60&s=756348&_salt=1532879516&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0
http://ad2.adsovo.com/st?ad_size=468x60&ad_type=iframe&fil=gw&section=758786
http://ad2.adsovo.com/imp?Z=468x60&fil=gw&s=758786&_salt=72360661&B=10&u=http%3A%2F%2Fbollywoodondemand.com%2F&r=0
http://ad2.adsovo.com/st?ad_size=160x600&ad_type=iframe&fil=gw&section=758786
http://cookex.amp.yahoo.com/v2/cexposer/SIG=13josfmm8/*http%3A//ad.yieldmanager.com/imp?Z=120x600&s=800481&_salt=1608377094&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0
http://multiartshouse.com/werber/402/217.gif
http://ad.reduxmedia.com/st?ad_type=iframe&ad_size=120x600&section=800485
http://ad.reduxmedia.com/imp?Z=120x600&s=800485&_salt=439598888&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0
http://ad.reduxmedia.com/st?ad_type=iframe&ad_size=160x600&section=785719
http://ad.reduxmedia.com/imp?Z=160x600&s=785719&_salt=2949130450&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0
http://ad.reduxmedia.com/st?ad_type=iframe&ad_size=120x600&section=800481
http://ad.reduxmedia.com/imp?Z=120x600&s=800481&_salt=1608377094&B=10&u=http%3A%2F%2Fad.reduxmedia.com%2F&r=0

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.