ThreatExpert Report: Trojan.Usuge!gen3

Submission Summary:

Submission details:

Submission received: 5 October 2012, 15:24:50
Processing time: 8 min 29 sec
Submitted sample:

File MD5: 0x06FFA3EF779DC17F902877035459A3E9
File SHA-1: 0x64715552C4759FEEF86B4B51C24D7BD72D4034D1
Filesize: 385,024 bytes
Alias: Trojan.Usuge!gen3 [Symantec]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Udetok\meoxi.oko	1,277 bytes	MD5: 0xC5F83A3CEFF2CD8F2AC9016B1A7F7E61 SHA-1: 0x3ED0182A0CEF0BD4A41AC71E23BE64C0A56D716A	(not available)
2	%AppData%\Udetok\meoxi.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%AppData%\Ziqua\uclis.exe	385,024 bytes	MD5: 0x5C3530A3D802B5AFFA3103F03C62FBCE SHA-1: 0xD7FF4F411637A56168DC584F99D254D20DB0F3E6	Trojan.Usuge!gen3 [Symantec]
4	%Temp%\tmpea8efca0.bat	168 bytes	MD5: 0x53649A0F9397EBBF7A51CEB937766D30 SHA-1: 0xB8641F4E78795D4B97DC4631D1E7420080208131	(not available)
5	[file and pathname of the sample #1]	385,024 bytes	MD5: 0x06FFA3EF779DC17F902877035459A3E9 SHA-1: 0x64715552C4759FEEF86B4B51C24D7BD72D4034D1	Trojan.Usuge!gen3 [Symantec]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%AppData%\Udetok
%AppData%\Ziqua

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	393,216 bytes
uclis.exe	%AppData%\Ziqua\uclis.exe	393,216 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
cmd.exe	%System%\cmd.exe	159,744 bytes
uclis.exe	%AppData%\ziqua\uclis.exe	159,744 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Avg
HKEY_LOCAL_MACHINE\SOFTWARE\Avg\AVG IDS
HKEY_LOCAL_MACHINE\SOFTWARE\Avg\AVG IDS\IDS
HKEY_LOCAL_MACHINE\SOFTWARE\Avg\AVG IDS\IDS\Ui
HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.
HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.\BullGuard
HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.\BullGuard\Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.\BullGuard\Update
HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.\BullGuard\Update\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\ESET
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles
HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile
HKEY_LOCAL_MACHINE\SOFTWARE\G DATA
HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AVKProxy
HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AVKWaechter
HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AVStatus
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP11
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP11\settings
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP12
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP12\settings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Esymer

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Avg\AVG IDS\IDS\Ui]

AutoSubmissions = 0x00000000
AutoRemoveMalware = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.\BullGuard\Update\Settings]

AutomaticUpdates = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\BullGuard Ltd.\BullGuard\Antivirus]

EnableFalsePositiveSendToVirusLab = 0x00000000
OnAccessEnabled = 0x00000000
BehaviourEnabled = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]

SampleEnable = 0x00000000
StatisticsEnabled = 0x00000000
QuarantineUpdateScan = 0x00000000
CloudEnabled = 0x00000000
CloudFlags = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AVStatus]

OnAccessEnabled = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AVKWaechter]

AccessDenyInfected = 0x00000000
Heuristic = 0x00000000
ProcessIM_AIM = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AVKProxy]

AntiSpy = 0x00000000
ReportInfections = 0x00000000
HttpPhishingState = 0x00000000
ProcessHTTP = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP11\settings]

UseKSN = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP12\settings]

UseKSN = 0x00000000

[HKEY_CURRENT_USER\Identities]

Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]

CleanCookies = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

{4B0A5CFA-014F-E12F-AC09-4B9B7BF98839} = ""%AppData%\Ziqua\uclis.exe""

so that uclis.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Esymer]

Azvec = E8 00 5C 10 FD 8E A7 B3 7A 11 C3 00 55 A8 5B F9 2D EB 0F 37 67 0E 9F A9 D0 5A 18 E3 8E 54 7F 67 9F F4 E2 C5 08 68 D0 A6 F1 33 66 0E AB B9 29 AF E0 39 24 CD 06 4B 17 19 AB E3 98 5B 5D 58 B2 B1 92 59 BE F4 9A A9 A2 B2 A6 6B 54 52 69 7B D8 27 2E 5E F3 C

The following Registry Values were modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1406 =
1609 =

Other details

To mark the presence in the system, the following Mutex object was created:

Local\{86B845E3-1856-2C9D-AC09-4B9B7BF98839}

The following Host Name was requested from a host database:

192.5.5.241

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
178.63.175.107	80	(null)	(null)

The following GET request was made:

wupos/send/form/gif.bin

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.