ThreatExpert Report: Backdoor.Win32.Plugx

Submission Summary:

Submission details:

Submission received: 5 August 2012, 20:42:38
Processing time: 9 min 31 sec
Submitted sample:

File MD5: 0x0F05907F8FDBE9EBF8F19C9CFFF0D8BF
File SHA-1: 0x36E546CF53A6B7FDCF4EAA4CD8D62FC38D7F853D
Filesize: 168,568 bytes
Alias: Backdoor.Win32.Plugx [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AllUsersProfile%\bug.log	238 bytes	MD5: 0x6472DD191CD09855117C5D807F87441D SHA-1: 0x437B82AE44D99763437EA65729EACC4F59AA5E88	(not available)
2	%AllUsersProfile%\Microsoft PA\AudieSvc.exe [file and pathname of the sample #1]	168,568 bytes	MD5: 0x0F05907F8FDBE9EBF8F19C9CFFF0D8BF SHA-1: 0x36E546CF53A6B7FDCF4EAA4CD8D62FC38D7F853D	Backdoor.Win32.Plugx [Ikarus]

Note:

%AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).

The following directory was created:

%AllUsersProfile%\Microsoft PA

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
audiesvc.exe	%AllUsersProfile%\microsoft pa\audiesvc.exe	176,128 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIESVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIESVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIESVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudieSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudieSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudieSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIESVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIESVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIESVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudieSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudieSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudieSvc\Enum
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST]

CLSID = 39 00 33 00 41 00 38 00 41 00 36 00 34 00 44 00 32 00 36 00 43 00 38 00 37 00 37 00 36 00 37 00 00 00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIESVC\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIESVC\0000]

Service = "AudieSvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Windows Audie Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AUDIESVC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudieSvc\Enum]

0 = "Root\LEGACY_AUDIESVC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudieSvc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AudieSvc]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = ""%AllUsersProfile%\Microsoft PA\AudieSvc.exe" 200 0"
DisplayName = "Windows Audie Service"
ObjectName = "LocalSystem"
Description = "Windows Audie from Windows Management Instrumentation"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIESVC\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIESVC\0000]

Service = "AudieSvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Windows Audie Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AUDIESVC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudieSvc\Enum]

0 = "Root\LEGACY_AUDIESVC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudieSvc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudieSvc]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = ""%AllUsersProfile%\Microsoft PA\AudieSvc.exe" 200 0"
DisplayName = "Windows Audie Service"
ObjectName = "LocalSystem"
Description = "Windows Audie from Windows Management Instrumentation"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

The following Host Names were requested from a host database:

bot.dongevil.info
255.255.255.255
192.168.0.255

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
bot.dongevil.info	53	(null)	(null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.