ThreatExpert Report: Trojan-Dropper.Win32.Delf, Win-Trojan/Fraudload.4660..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 16 October 2009, 15:26:50
Processing time: 5 min 44 sec
Submitted sample:

File MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1
File SHA-1: 0x4A2296EE8B8E628C7A35BA666BEEB2B5451C1452
Filesize: 33,792 bytes
Alias & packer info:

Trojan-Dropper.Win32.Delf [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.PrivacyCenter.AJ	RogueAntiSpyware.PrivacyCenter.AJ displays fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\abc.bat	354 bytes	MD5: 0x58AB4CF67404EA9D08DAD33DD305AD2B SHA-1: 0x1327CF14FE47A9521069E7D18D618DCA9E0C2086	(not available)
2	%Temp%\first.exe	4,640 bytes	MD5: 0xAF40555F69DA106ABD8544C015D6616C SHA-1: 0xDAB2BBE6BDFAD2D659A54F074985B9C47FE082B8	Win-Trojan/Fraudload.4660 [AhnLab]
3	%Temp%\second.dll	213,504 bytes	MD5: 0x01508BDAF8E02C5E4E004BC1152F1E9E SHA-1: 0x16DA7792137B1DDBB5C99FDB2B4BD6CA5D3B4C1B	packed with PE_Patch.UPX [Kaspersky Lab]
4	%Temp%\thi.exe %ProgramFiles%\SafetyCenter\new.exe %ProgramFiles%\SafetyCenter\protector.exe %ProgramFiles%\SafetyCenter\start.exe %ProgramFiles%\SafetyCenter\uninstall.exe	980,480 bytes	MD5: 0x8562A9071513F4FB9554185827890CD2 SHA-1: 0xFAD1C67E157B6D4522A200FA984DBE070EFF8BDE	Trojan.Win32.FraudPack.wfu [Kaspersky Lab]
5	%ProgramFiles%\SafetyCenter\main.ico	126,348 bytes	MD5: 0xA93354C61F128C3E96EA27D5C23D7CAD SHA-1: 0xE7A0CAAAC2C9D07A8F8638DB81394EEC658BEDB2	(not available)
6	%ProgramFiles%\SafetyCenter\sound.wav	241,372 bytes	MD5: 0xD62B212F9A5376CB14E85CACBEC6776D SHA-1: 0xC08ADF25A5ECD8CFE641FBF03BEAEB301CD26A15	(not available)
7	c:\v9hY.bat	2,198 bytes	MD5: 0xF57852B7C8C582AC809FEADDCBC8CBE9 SHA-1: 0x72750C0BE61B71A2F6BE6E7F4A856D4AD25B0908	Trojan.BAT.Agent.tf [Kaspersky Lab] BAT/Agent [AhnLab]
8	[file and pathname of the sample #1]	33,792 bytes	MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1 SHA-1: 0x4A2296EE8B8E628C7A35BA666BEEB2B5451C1452	Trojan-Dropper.Win32.Delf [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
9	%Windir%\Tasks\At1.job	394 bytes	MD5: 0x2C6BCCA35B4D5053185B7262EDD8EA6D SHA-1: 0x56AF1798B6B4223A7CD89C7A1473232EE3B512EF	(not available)
10	%Windir%\Tasks\At10.job	394 bytes	MD5: 0x47E743CF343A78B1C9421691C8EB42B0 SHA-1: 0x244DFB90753840E68C44C5C59BC8B42CDCDE41A3	(not available)
11	%Windir%\Tasks\At11.job	394 bytes	MD5: 0x698DC32562B6FD97FB1350180746E09B SHA-1: 0x35E8054D2F5EB992DDDF8C77BAD300F18A8D75D0	(not available)
12	%Windir%\Tasks\At12.job	394 bytes	MD5: 0x2A1DA98971D2137CB31CB47F637EE459 SHA-1: 0x6CD3517759D6EAB3B1B3F38B02422A4CD135F49A	(not available)
13	%Windir%\Tasks\At13.job	394 bytes	MD5: 0x8CC7A93312D2FD91EB05408CBE4EDF54 SHA-1: 0x479B821ABDFABF69DB89737BF7EB63249AF40E87	(not available)
14	%Windir%\Tasks\At14.job	394 bytes	MD5: 0x91E616E5970077D2E944465FA446D4B7 SHA-1: 0x519EF8AB36199E343D187FA4EFBD97EE051D2D07	(not available)
15	%Windir%\Tasks\At15.job	394 bytes	MD5: 0xBCCB7E533A5CAFDD33E1E85FE746009B SHA-1: 0xB81B1E9412E7F61C7135B8192FDEA1808C84DB1D	(not available)
16	%Windir%\Tasks\At16.job	394 bytes	MD5: 0xF6F19CD1290EA0999AF73E4CA45868C8 SHA-1: 0xEDE9A5F64F46D8BBF40C4BF618EF14D35604D10F	(not available)
17	%Windir%\Tasks\At17.job	394 bytes	MD5: 0xBD39267B5D5D82E6DE094218F166F49B SHA-1: 0x5BF5376548232048859BEFDB45D9D718B67EDC99	(not available)
18	%Windir%\Tasks\At18.job	394 bytes	MD5: 0x74FC534A7657DF1DF96D78B23D61B628 SHA-1: 0xB38AE536DB74F63DB6058C0190564AA3836EF9D8	(not available)
19	%Windir%\Tasks\At19.job	394 bytes	MD5: 0xB6F6EA1A3F2218769505E2804521FC6F SHA-1: 0x3B2A9B71AE6797B9169BBCC8CCE8FAC97449A6C3	(not available)
20	%Windir%\Tasks\At2.job	394 bytes	MD5: 0xD0C3DB4C5889E1BF1173CECE9525A122 SHA-1: 0x75B87AA5D5E9EA82E14AB463F9FC724B335260B7	(not available)
21	%Windir%\Tasks\At20.job	394 bytes	MD5: 0x61DAA6B8E7653CB4C56B5DAC4F5E6AB2 SHA-1: 0xE674313C66B296C0A013C65620223EDA517964F6	(not available)
22	%Windir%\Tasks\At21.job	394 bytes	MD5: 0x684C99C60CF5019AAD36313B06AF689B SHA-1: 0x1D2E9657B431D2A42BD4757993C7CB4FD7213F15	(not available)
23	%Windir%\Tasks\At22.job	394 bytes	MD5: 0xE4A581E376FBB672AD8D011C8E89CB7F SHA-1: 0x41505D82621ED1E6474FEE057C9F9D3FDE92731E	(not available)
24	%Windir%\Tasks\At23.job	394 bytes	MD5: 0x916575A46CD0BA45CFEA219F425594B9 SHA-1: 0x42FB453778776631B18075DEC88DD5744948EB62	(not available)
25	%Windir%\Tasks\At24.job	394 bytes	MD5: 0x79204C2E8B882B50C51B2F0172395213 SHA-1: 0x9571FD8124944DD0B210A913B06FBA34476E30F4	(not available)
26	%Windir%\Tasks\At3.job	394 bytes	MD5: 0x4882ECFF25D8796D27DB0BD2541C1D31 SHA-1: 0x8845B6418911B2D617B6E443D3E6847AC7B12120	(not available)
27	%Windir%\Tasks\At4.job	394 bytes	MD5: 0xD1CA4838264F902C35E67BA30ED3AC5E SHA-1: 0x9A691D91355FEAB0AC63C30EA54DC839A57633EE	(not available)
28	%Windir%\Tasks\At5.job	394 bytes	MD5: 0x290C55F4F79C9EC46C848B6E6A18A744 SHA-1: 0x1F09F47E7BE9D67F11ACC97E50ACF34E8CC60490	(not available)
29	%Windir%\Tasks\At6.job	394 bytes	MD5: 0x028A9788758B3C908D5A45ACCF7B0D22 SHA-1: 0x03DEDED003D3CD13C9AA1E0AFD68811992C68BF2	(not available)
30	%Windir%\Tasks\At7.job	394 bytes	MD5: 0x3E1C0D3970F6651BC09747BB011A6180 SHA-1: 0x5C53C1B3ACB8086365059E9811FA1FCC8163F6B0	(not available)
31	%Windir%\Tasks\At8.job	394 bytes	MD5: 0xBA9EA2497D9F06D3E0AE018D7B587247 SHA-1: 0x3BA377A7575C85BB3052E9C107D34932DF7200D3	(not available)
32	%Windir%\Tasks\At9.job	394 bytes	MD5: 0x1C0C4AF3A87C2EBB0F5242339AEFA482 SHA-1: 0x203812961053717EA0A8FBA8F2CF085FF93435DD	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following file was modified:

%System%\drivers\etc\hosts

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%ProgramFiles%\SafetyCenter

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
thi.exe	%Temp%\thi.exe	2,174,976 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	106,496 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}\Shell\Open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}\Shell\Open\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD1984BA-25E1-4F56-B124-A07ED6B2A87F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD1984BA-25E1-4F56-B124-A07ED6B2A87F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD1984BA-25E1-4F56-B124-A07ED6B2A87F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyCenter
HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}\Shell\Open\Command]

(Default) = "%ProgramFiles%\SafetyCenter\protector.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}\DefaultIcon]

(Default) = "%ProgramFiles%\SafetyCenter\main.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983}]

(Default) = "Safety Center"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD1984BA-25E1-4F56-B124-A07ED6B2A87F}\InprocServer32]

(Default) = "%Temp%\second.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD1984BA-25E1-4F56-B124-A07ED6B2A87F}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}]

(Default) = "Safety Center"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}]

(Default) = "Safety Center"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}]

(Default) = "Safety Center"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983}]

(Default) = "Safety Center"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

SafetyCenter = "%ProgramFiles%\SafetyCenter\start.exe"

so that start.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyCenter]

DisplayName = "SafetyCenter"
UninstallString = "%ProgramFiles%\SafetyCenter\uninstall.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter]

Unreal = "02979"
Exename = "%ProgramFiles%\SafetyCenter\protector.exe"
Sound = "%ProgramFiles%\SafetyCenter\sound.wav"
Startup = "%ProgramFiles%\SafetyCenter\start.exe"
New = "%ProgramFiles%\SafetyCenter\new.exe"
boot = "4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent]

LastTaskRun = D9 07 0A 00 05 00 10 00 0F 00 1D 00 01 00 00 00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The HOSTS file was updated with the following URL-to-IP mappings:

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
122.224.9.67	80
212.117.160.18	80
91.207.116.44	80

The data identified by the following URLs was then requested from the remote web server:

http://urodinam.net/8732489273.php
http://212.117.160.18/install.php?id=02979
http://91.207.116.44/u5.exe

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.