Submission Summary:

• Submission details:
• Submission received: 11 November 2009, 23:18:39
• Processing time: 7 min 2 sec
• Submitted sample:
• File MD5: 0x08BA612F05B0433A4A5CA2DF4DA38DEB
• File SHA-1: 0xBCDAFAABC91615255532111D4672FCEF7AEB9593
• Filesize: 56,320 bytes

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Communication with a remote SMTP server and sending out email.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.Agent	Trojan.Agent will spy on the browsing habits of users, modify Internet Explorer settings and download malicious files.

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\reader_s.exe %System%\reader_s.exe [file and pathname of the sample #1]	56,320 bytes	MD5: 0x08BA612F05B0433A4A5CA2DF4DA38DEB SHA-1: 0xBCDAFAABC91615255532111D4672FCEF7AEB9593	(not available)
2	%System%\dllcache\ndis.sys	212,480 bytes	MD5: 0xA329EADC3E525324566E8B70A7068B04 SHA-1: 0x689374F942835C06F472D9BCA1E5D5C6CF784FA0	Trojan.Neprodoor!inf [Symantec] Troj/Pushu-Gen, Mal/Fakedis-A [Sophos] Virus:Win32/Cutwail.F [Microsoft] Virus.Win32.Protector [Ikarus] Win32/Dnis.C [AhnLab]

• Notes:
• %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following file was modified:
• %System%\drivers\ndis.sys

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
reader_s.exe	%System%\reader_s.exe	49,152 bytes
reader_s.exe	%UserProfile%\reader_s.exe	49,152 bytes

• There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	5,124,096 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• reader_s = "%System%\reader_s.exe"

so that reader_s.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect]
• Cfg = 09 00 00 00 A6 4A 00 00 26 66 47 19 BF A0 A0 A0 A9 A0 BD A0 A0 A0 A0 A0 70 A0 5E 5F 58 52 5A 5F 52 59 52 67 A0 BA A0 A0 A0 A0 A0 70 A0 5A 5F 52 5F 5B 58 52 5F 5A 59 52 5B 67 A0 B8 A0 A0 A0 A0 A0 70 A0 5F 59 5C 52 5F 5D 5D 52 5F 50 5C 52 5E 5F 50 A0 B
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• reader_s = "%UserProfile%\reader_s.exe"

so that reader_s.exe runs every time Windows starts

Other details

• There were registered attempts to establish connection with the remote hosts. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 25:

• There was an outbound traffic produced on port 38811:

Generated SMTP traffic

• Email Senders:
• <oxygenating110@ramicohen.com>
• <blinkersyzg8@reso.com>
• <swelledpiz9@rasdig.com>
• <janinesfw042@rgare.com>
• <specifykkf0@rotopass.com>
• <hakem@rothrockfamily.com>
• <microfiches@rotor.com>
• <gnawn@resindistributors.com>
• <flybo@roundabe.com>
• <notifyy@rogers-young.com>
• <anacing94@rostoni.com>
• <customization7@rodac.com>
• <polkasgvt4@rdd.renesas.com>
• <attachmentsj@romanelectric.com>
• <shackle68@rotecafood.com>
• <refineriesex502@royaloakslife.com>
• <reprintingnmx63@ralvm29.vnet.ibm.com>
• <intermediatesl@rotopass.com>
• <sciatica72@rowlandco.com>
• <despairinglyct4@royalphone.com>
• <uplandqh21@ring.com>
• <gynecologists552@rowhillgrange.com>
• <beyond5@retail.emap.com>
• <brisbane974@rhesa.com>
• <skiddedve@rovershoppe.com>
• <pyxdsq31@rowersworld.com>
• <homestead28@rmburdencpa.com>
• <versifysp0@rothcocpa.com>
• <childishdgvg126@radiocbs.com>
• <straintye58@royalblunts.com>
• <homagesi659@robertfalls.com>
• <discopym94@rostad.com>
• <constipatedxcb38@rdmpumps.com>
• <commentaryuvj@route66rydz.com>
• <rumbanv@riverwire.com>

• Email Recipients:
• <bingyi@iccas.ac.cn>
• <heminhui@iccas.ac.cn>
• <jpzhang@iccas.ac.cn>
• <jnyao@iccas.ac.cn>
• <huaxs@iccas.ac.cn>
• <cxm@iccas.ac.cn>
• <lihuijing@iccas.ac.cn>
• <library@iccas.ac.cn>
• <juanp@laanita.com>
• <juanm@laanita.com>
• <juancam@laanita.com>
• <abbyluv@eurotechnology.com>
• <giannial@eurotechnology.com>
• <info@dpinspect.com>
• <618934739.39138783915159@kelgor.com>
• <331702236.20301348047273@kelgor.com>
• <24145@kelgor.com>
• <541925295.00372168645397@kelgor.com>
• <561635416.68178363117743@kelgor.com>
• <675623878.15850200793910@kelgor.com>
• <556911060.63787024483421@kelgor.com>
• <146378300.85305359773420@kelgor.com>
• <379548882.26693080905960@kelgor.com>
• <104815718.02643047623061@kelgor.com>
• <282259756.77257268806307@kelgor.com>
• <518097685.97953642486983@kelgor.com>
• <087630709.42403719295077@kelgor.com>
• <063865659.03896287971747@kelgor.com>
• <179125393.81944220497299@kelgor.com>
• <774354194.20249079766529@kelgor.com>
• <202038012.25107628583019@kelgor.com>
• <leon.yoderfolivern@kelgor.com>
• <217506378.97475651587636@kelgor.com>
• <168658865.15425709429475@kelgor.com>
• <639620511.46002360218350@kelgor.com>
• <675471567.11873964362015@kelgor.com>
• <368347807.12450291232175@kelgor.com>
• <jectiolulsd@kelgor.com>
• <379253660.39499177728227@kelgor.com>
• <chrisr@kelgor.com>
• <2.73647656302927@kelgor.com>
• <auwois@kelgor.com>
• <john@yourrecipefortoday.com>
• <kim@yourrecipefortoday.com>
• <ctaber@yourrecipefortoday.com>
• <cutty@yourrecipefortoday.com>
• <bitinglynn@sylow.washington.com>
• <lars.berghem@kebolab.com>
• <lennart.grankvist@kebolab.com>
• <advertising@aviacon.com>
• <accounts@biblechatroom.com>
• <bizjointn@bizjoint.com>
• <koshkinb@tnkracing.com>
• <koshkinnn@tnkracing.com>
• <firi@eran.cellos.com>
• <bishop@weddingnet.com>
• <46da833b.3050806@weddingnet.com>
• <johnsmithsvt@phsycosis.com>
• <athompson@cherrycreekschools.com>
• <kgloisten@cherrycreekschools.com>
• <chernandez6@cherrycreekschools.com>
• <egomez@cherrycreekschools.com>
• <hamiltonmbbhwia@bachelor.com>
• <info@bachelor.com>
• <arredondo6simmons@bachelor.com>
• <806c599v.8761194@bachelor.com>
• <6a600d0b76fddd5dd092f@cpex2.channelpoint.com>
• <6a600d0b76fddd54b29c0@cpex2.channelpoint.com>
• <billing@appraisalsfast.com>
• <gagnon@internetdatastorage.com>
• <dickens@internetdatastorage.com>
• <grove@internetdatastorage.com>
• <daileyd@internetdatastorage.com>
• <felton@internetdatastorage.com>
• <crump@internetdatastorage.com>
• <boykin@internetdatastorage.com>
• <crouch@internetdatastorage.com>
• <diamond@internetdatastorage.com>
• <delarosa@internetdatastorage.com>
• <er@internetdatastorage.com>
• <gene@mail.web-connect.com>
• <extremeflying@green-pia.com>
• <jauderho@green-pia.com>
• <goodman@green-pia.com>
• <cying@green-pia.com>
• <extremmaso@green-pia.com>
• <hlcifebmiemmcjaa.mazv@green-pia.com>
• <johnh@green-pia.com>
• <extraounce@green-pia.com>
• <gordon@green-pia.com>
• <f.s@green-pia.com>
• <greenpia@green-pia.com>
• <flnvi@green-pia.com>
• <kinjo@green-pia.com>
• <greenpiadd@green-pia.com>
• <emailibusuki@green-pia.com>
• <extrastepv@green-pia.com>
• <castla@green-pia.com>
• <hgomez@green-pia.com>
• <jolsondd@ci.cypress.ca.us>