Submission Summary:

Technical Details:
Possible Security Risk

Threat Category: keylogger
Description: A keylogger program that can capture all user keystrokes, including confidential details such as user names, passwords and credit card numbers. Note that the antivirus aliases listed below classify the same file as a backdoor, which is consistent with the outbound connections recorded under "Other details".

File System Modifications

#   Filename(s)   File Size   File Hash   Alias

1   %Windir%\21AC4CCC\svchsot.exe
    [file and pathname of the sample #1]
    1,059,080 bytes
    MD5: 0x0C5B629473E4BFE16C5AF5243B596AA4
    SHA-1: 0xEE7BA3BC60118FCD329B6648F372D9E7152D6024
    Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab]
    BackDoor-FGQ [McAfee]
    Backdoor:Win32/Morix.B [Microsoft]
    Backdoor.Win32.Morix [Ikarus]

2   %Windir%\Tasks\At1.job   348 bytes   (alias not available)
    MD5: 0x2199ABDC28118B2D057F10AD16C639AA
    SHA-1: 0x9D6B057C6B0AF815D89992225B96F97FCCF3FE78

3   %Windir%\Tasks\At10.job   348 bytes   (alias not available)
    MD5: 0xF69FA78C95FF6B0C3776D05EFFB53F3B
    SHA-1: 0xA97672E4280BEF253644CC42A18CA8CB9B751658

4   %Windir%\Tasks\At11.job   348 bytes   (alias not available)
    MD5: 0xC4B081245695154675D8858B438D9BC1
    SHA-1: 0x81F0BC342DFC5B910936F8C1B20318CD876A5105

5   %Windir%\Tasks\At12.job   348 bytes   (alias not available)
    MD5: 0xA7B3161029E78E19F5FA189716F6412C
    SHA-1: 0x9B583CF9CB74DBBFFDF821A3016D7B5A7EB36BA7

6   %Windir%\Tasks\At13.job   348 bytes   (alias not available)
    MD5: 0xD97AC2FC12207EDFC9E4F42F5D869FDF
    SHA-1: 0x8D51AE49B2AD702043E57758048AABEEBF4ED1F3

7   %Windir%\Tasks\At14.job   348 bytes   (alias not available)
    MD5: 0x17FA39309048E55D21C084AE4DA7DB96
    SHA-1: 0x62B9592F1E04AAAB6B415A104CA07318CE345AA9

8   %Windir%\Tasks\At15.job   348 bytes   (alias not available)
    MD5: 0xAE4F8C2479612A599E2759985AF70DE6
    SHA-1: 0xDB582DFD80F73AB41368F9A86E31DAD333CE1F40

9   %Windir%\Tasks\At16.job   348 bytes   (alias not available)
    MD5: 0x9C987F3BAC581C3240F193B31E9BBE5A
    SHA-1: 0xF4CDA438708D2BD3A6FB926AB60CE1622986334E

10  %Windir%\Tasks\At17.job   348 bytes   (alias not available)
    MD5: 0xFA1871EBB0DD6BF1C9CAD523F5ADB643
    SHA-1: 0x678B43CE0CAC21430CB2913ED1120F62838A2617

11  %Windir%\Tasks\At18.job   348 bytes   (alias not available)
    MD5: 0x40BE4663C3F528CCA19EF522615C3A5F
    SHA-1: 0x0DD05776A78B952FBE096659673614DF22CF423E

12  %Windir%\Tasks\At19.job   348 bytes   (alias not available)
    MD5: 0x4B762BE6DA59AECD9D2B71BF3066F918
    SHA-1: 0x02344F5C05AFE4A0B16F23F86121D1AEE70E5BB2

13  %Windir%\Tasks\At2.job   348 bytes   (alias not available)
    MD5: 0x30C349A7495E4416AD1FEBE16F1BD63C
    SHA-1: 0xF7FFF2BDA9AD6BAC20E46140970BA4092F3C6633

14  %Windir%\Tasks\At20.job   348 bytes   (alias not available)
    MD5: 0x2423179059AE1C1A4E11A10F255DE94D
    SHA-1: 0x549ECE48C087A3386CE84AD3C5284F05B2E0EC9D

15  %Windir%\Tasks\At21.job   348 bytes   (alias not available)
    MD5: 0xFB7E8DC7BAD5F207C72C5A8730770B24
    SHA-1: 0xD684E65E6D6E11BED89DC70CB6E1BF7DC909B99D

16  %Windir%\Tasks\At22.job   348 bytes   (alias not available)
    MD5: 0x1ED73DE5F60128FE47E66553C3EF0DE8
    SHA-1: 0xD0FD82B8D209E8B71A1D25893D9A88A71AB962CE

17  %Windir%\Tasks\At23.job   348 bytes   (alias not available)
    MD5: 0xAEA1F24AD8A79E9402E9BE21632C3896
    SHA-1: 0xC56852D1EBA85B4D39A7834CDBA35020F02D1BDB

18  %Windir%\Tasks\At24.job   348 bytes   (alias not available)
    MD5: 0xD10AB0A412A8A4FDE6344938FED37D10
    SHA-1: 0x3479BBAAE8950FD51854D15FA2E24B98A90C6F83

19  %Windir%\Tasks\At3.job   348 bytes   (alias not available)
    MD5: 0x4AE7FCF6A1FBA9AE880546FE9DD5C9E1
    SHA-1: 0x9470DE0B3F39AA48FD46BC6F9B0CF8C130E6B130

20  %Windir%\Tasks\At4.job   348 bytes   (alias not available)
    MD5: 0x566DF33556A885208A93309E94A1C5E7
    SHA-1: 0x883A0A9B2E5A9EB84D4CB6C3FBE5B2CC846E19DF

21  %Windir%\Tasks\At5.job   348 bytes   (alias not available)
    MD5: 0xA1082196D17C04656676AFBEFFED8652
    SHA-1: 0x564FCBF1B3CFB27AFDC701438065CF5576CE1BE8

22  %Windir%\Tasks\At6.job   348 bytes   (alias not available)
    MD5: 0x9B068E1B8555FACBB65B4330EB7B2E96
    SHA-1: 0x2C93367AA9A89C3FCA7540F93F3C83974E0C8BA9

23  %Windir%\Tasks\At7.job   348 bytes   (alias not available)
    MD5: 0x01B125B2D86C628C95F63C23B9880819
    SHA-1: 0xF6D7695140992EBC72CC56C3D23BF87E8A1FE243

24  %Windir%\Tasks\At8.job   348 bytes   (alias not available)
    MD5: 0x51A3BB1289F7CF5D7B3C5D08ACAC6F7F
    SHA-1: 0x3BD7AA07C1C1E5ED272EC027B7C244662DC47278

25  %Windir%\Tasks\At9.job   348 bytes   (alias not available)
    MD5: 0x770DE4C7CBC1B60B53582C1F1B1D134C
    SHA-1: 0x9A28CB82135E74DC7896780B490FA5B2C8E7A36E

Entry 1 uses the file name svchsot.exe, a look-alike of the legitimate svchost.exe, placed in a directory under %Windir% rather than in System32. Entries 2 to 25 follow the At<N>.job naming that the legacy at.exe scheduler gives the jobs it creates; the report does not show which commands these jobs run. All 24 jobs have the same 348-byte size but different hashes, so name and size are the more reusable indicator for them than the hash values.

 

Memory Modifications

Process Name               Process Filename                        Main Module Size
[filename of the sample #1] [file and pathname of the sample #1]   1,060,864 bytes

The main module size is the mapped image size in memory and is expected to differ slightly from the 1,059,080-byte on-disk size; the difference is not by itself evidence of unpacking or injection.

Registry Modifications

Other details

Country indicators listed in the original report: China, Taiwan

Remote Host               Port Number
caolily1211.gnway.net     8000
caolily1211.gnway.net     2012

gnway.net is a dynamic DNS service, so the address this host name resolved to during the sandbox run may differ from what it resolves to later; the host name is the more stable indicator.
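The remote host and port pair above is the indicator most likely to be searchable in enterprise telemetry. The following Python script is an added example, not part of the ThreatExpert report; it scans firewall or proxy style log lines (the SAMPLE_LOG below is constructed in a simple key=value layout for the example and is not real traffic) for connections to caolily1211.gnway.net, matching the host name case-insensitively and including subdomains, and rating a hit "high" when the destination port is one of the two the report recorded and "medium" otherwise.

```python
import re
from dataclasses import dataclass
from typing import List

# Network indicators from the report's "Other details" table.
C2_HOST = "caolily1211.gnway.net"
C2_PORTS = {8000, 2012}

# Constructed log lines (not from the report) standing in for firewall/proxy output.
SAMPLE_LOG = """\
2013-03-01T09:12:44Z src=10.1.4.22 dst=www.example.com dport=443 proto=tcp
2013-03-01T09:13:02Z src=10.1.4.22 dst=caolily1211.gnway.net dport=8000 proto=tcp
2013-03-01T09:13:05Z src=10.1.4.22 dst=CAOLILY1211.GNWAY.NET dport=2012 proto=tcp
2013-03-01T09:14:10Z src=10.1.4.37 dst=update.caolily1211.gnway.net dport=80 proto=tcp
2013-03-01T09:15:00Z src=10.1.4.37 dst=caolily1211.gnway.net.evil.test dport=8000 proto=tcp
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str


def host_matches(dst: str, ioc_host: str) -> bool:
    """True for the IOC host itself or any subdomain of it; a trailing dot is tolerated.
    A name that merely *starts* with the IOC host (e.g. ...gnway.net.evil.test) is not a match."""
    d = dst.lower().rstrip(".")
    return d == ioc_host or d.endswith("." + ioc_host)


def scan(log: str) -> List[Hit]:
    """Return every log line whose destination is the C2 host, in log order."""
    hits: List[Hit] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        dst, dport = m["dst"].lower(), int(m["dport"])
        if not host_matches(dst, C2_HOST):
            continue
        confidence = "high" if dport in C2_PORTS else "medium"
        hits.append(Hit(m["ts"], m["src"], dst, dport, confidence))
    return hits


def sources_contacting_c2(log: str, high_only: bool = False) -> List[str]:
    """Sorted, de-duplicated internal addresses that reached the C2 host."""
    return sorted({h.src for h in scan(log) if not high_only or h.confidence == "high"})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport} [{hit.confidence}]")
    print("hosts to triage:", sources_contacting_c2(SAMPLE_LOG))
```

Matching on the host name rather than a resolved address matters here because gnway.net is a dynamic DNS service; the two ports came from a single sandbox run, so a connection to the same host on another port is still worth triage, which is why it is kept as a medium-confidence hit instead of being dropped.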

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.