ThreatExpert Report: Worm.Win32.AutoRun.hht, Generic.dx, Mal/Behav-285, Worm:Win32/Hupigon.D..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 September 2012, 05:05:58
Processing time: 13 min 53 sec
Submitted sample:

File MD5: 0x0FE7CCC1BD00FC8736D8E41CD80993FD
File SHA-1: 0xB16916C7D84C4A5861D439D47E02A603071CA261
Filesize: 3,364,864 bytes
Alias:

Worm.Win32.AutoRun.hht [Kaspersky Lab]
Generic.dx [McAfee]
Mal/Behav-285 [Sophos]
Worm:Win32/Hupigon.D [Microsoft]
Backdoor.Win32.Hupigon [Ikarus]
Win-Trojan/Xema.variant [AhnLab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\AutoRun.inf	96 bytes	MD5: 0x707B59268E54ADB13B5382F0DF8334C1 SHA-1: 0x39F0095FB690FAB4E679920A58E3C49201C2DE78	Worm.Win32.AutoRun.awsk [Kaspersky Lab] W32/Autorun-APW [Sophos]
2	c:\backupuser.exe [pathname with a string SHARE]\backupuser.exe [pathname with a string SHARE]\_backupuser.exe [file and pathname of the sample #1]	3,364,864 bytes	MD5: 0x0FE7CCC1BD00FC8736D8E41CD80993FD SHA-1: 0xB16916C7D84C4A5861D439D47E02A603071CA261	Worm.Win32.AutoRun.hht [Kaspersky Lab] Generic.dx [McAfee] Mal/Behav-285 [Sophos] Worm:Win32/Hupigon.D [Microsoft] Backdoor.Win32.Hupigon [Ikarus] Win-Trojan/Xema.variant [AhnLab]
3	%System%\drivers\oreans32.sys	33,824 bytes	MD5: 0x21DC5B289DCE2D32A32BAAB7BCF29A6A SHA-1: 0xB843FE0E71B4475EE390D133FA14AA1D68D1AC0D	(not available)

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	3,899,392 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\WinLicense
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_XP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_XP\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows_XP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows_XP\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_OREANS32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_OREANS32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_XP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_XP\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\oreans32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows_XP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows_XP\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\WinLicense]

CheckIN = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\0000]

Service = "oreans32"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "oreans32"
Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_XP\0000]

Service = "Windows_XP"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Windows_XP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_XP]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32]

Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\oreans32.sys"
DisplayName = "oreans32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows_XP\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows_XP]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = [pathname with a string SHARE]\backupuser.exe"
DisplayName = "Windows_XP"
ObjectName = "LocalSystem"
Description = "Windows Server"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_OREANS32\0000]

Service = "oreans32"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "oreans32"
Capabilities = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_OREANS32]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_XP\0000]

Service = "Windows_XP"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Windows_XP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_XP]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\oreans32\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\oreans32]

Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000001
ImagePath = "%System%\drivers\oreans32.sys"
DisplayName = "oreans32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows_XP\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows_XP]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = [pathname with a string SHARE]\backupuser.exe"
DisplayName = "Windows_XP"
ObjectName = "LocalSystem"
Description = "Windows Server"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following Host Name was requested from a host database:

mysguser.3322.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
mysguser.3322.org	8672

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.