Submission Summary:

• Submission details:
• Submission received: 31 August 2012, 09:17:16
• Processing time: 8 min 10 sec
• Submitted sample:
• File MD5: 0x0524D8FEC9CF70115EDFEC87A3B593DE
• File SHA-1: 0x539868EAE4340213958C6A981B529A1A201B6B48
• Filesize: 311,296 bytes
• Alias:
• Infostealer.Refest [Symantec]
• Trojan.Win32.Swisyn.bfua [Kaspersky Lab]
• Mal/Behav-105, Mal/Behav-105 [Sophos]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\dir	32 bytes	MD5: 0x46525D5665EB34AD79F2B75FF27A8659 SHA-1: 0x83C7AA2AF8CCD12F45D116ADDF7295EB3217FB0A	(not available)
2	%AppData%\dir3	42 bytes	MD5: 0x51A77559A21B464324F38766C417240E SHA-1: 0xF1622AD012533C23D524EEA1C61396AFB574F8AA	(not available)
3	%AppData%\taskmgr.exe %UserProfile%\tmp.exe	253,952 bytes	MD5: 0x5A18B38B5423246EB263380BD96DB154 SHA-1: 0xE43CE258A17A31E692F514622E863909D583B69E	Infostealer.Refest [Symantec] Trojan.Win32.Swisyn.bfub [Kaspersky Lab] RemoteAccess:Win32/Vbrat.A [Microsoft] Worm.Win32.VBNA [Ikarus]
4	%AppData%\wuauclt.exe [file and pathname of the sample #1]	311,296 bytes	MD5: 0x0524D8FEC9CF70115EDFEC87A3B593DE SHA-1: 0x539868EAE4340213958C6A981B529A1A201B6B48	Infostealer.Refest [Symantec] Trojan.Win32.Swisyn.bfua [Kaspersky Lab] Mal/Behav-105, Mal/Behav-105 [Sophos]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
wuauclt.exe	%AppData%\wuauclt.exe	315,392 bytes
taskmgr.exe	%AppData%\taskmgr.exe	262,144 bytes
tmp.exe	%UserProfile%\tmp.exe	262,144 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	315,392 bytes

Registry Modifications

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Software]
• 1 = "VICTIMAS_JESUS-AO5zp2D"
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Dato = "%AppData%\wuauclt.exe"
• Administrador de Tareas = "%AppData%\taskmgr.exe"

so that wuauclt.exe runs every time Windows starts
so that taskmgr.exe runs every time Windows starts

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Spain

• The following port was open in the system:

• The following Host Names were requested from a host database:
• 192.5.5.241
• mrxxx.no-ip.biz

• There was registered attempt to establish connection with the remote host. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://mitienda-online.com/runakay.com/blog/archivos/file/read.php?pass=resertconexion&section=Form1&key=Text1
• http://mitienda-online.com/runakay.com/blog/archivos/file/read.php?pass=conserjeriadeestatutbtotal&section=Form1&key=Text1
• http://mitienda-online.com/runakay.com/blog/archivos/file/write.php?pass=conserjeriadeestatutbtotal&section=Form1&key=Text1&value=1