ThreatExpert Report: Trojan.ADH.2, not-a-virus:AdWare.Win32.FakeInstaller.hl, Program:Win32/Ircfast..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 13 August 2012, 04:49:22
Processing time: 8 min 5 sec
Submitted sample:

File MD5: 0x12B72E53F0B188F81AFC80868DFED17B
File SHA-1: 0x8DD417A5878CD823378A3EDAAA34AE9E5F0DEFEB
Filesize: 1,577,944 bytes
Alias:

Trojan.ADH.2 [Symantec]
not-a-virus:AdWare.Win32.FakeInstaller.hl [Kaspersky Lab]
Program:Win32/Ircfast [Microsoft]
Trojan.Win32.StartPage [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.Agent.DUJ	Trojan-Downloader.Agent.DUJ is a threat that attempts to download and connect from certain websites other malicious files. It also changes the internet browser main page.

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\Download programs.url %Favorites%\Download programs.url %Programs%\Download programs.url	320 bytes	MD5: 0x8D2C1FF64A2AE5D032148CF100DC0B3C SHA-1: 0x07CE035B845D937CDB1673233627F8AC6F64BCA9	(not available)
2	%DesktopDir%\Games.url %Favorites%\Games.url %Programs%\Games.url	394 bytes	MD5: 0x0D2343869F059A0D7B3BB2F71E8946FF SHA-1: 0x6CF7BC9299C3C7AD41DD408AA988C6E3846EDD95	(not available)
3	%DesktopDir%\Translator.url	412 bytes	MD5: 0x04B7CE316BC68C9F4883E2A178105CD3 SHA-1: 0xA684701D76644C057590782B91243F0D778929A7	(not available)
4	%DesktopDir%\Videos.url %Favorites%\Videos.url %Programs%\Videos.url	398 bytes	MD5: 0x0B5FF5E3B437D8AE7485683BA2185689 SHA-1: 0x796FD99E526C2523ADC179FE48407D1D961D5557	(not available)
5	%Favorites%\Translator.url %Programs%\Translator.url	410 bytes	MD5: 0x8A2FC76F71AB0F6C2FDCC56652C88478 SHA-1: 0x2A148E502DE1F214CF27C97ABB5AE62C3FB5193F	(not available)
6	%Temp%\log.tmp	243 bytes	MD5: 0x0013C98B891B5E2D12BDD73C28AFC015 SHA-1: 0xBA755F0C92C6451F721B3DCFC2878BD6C87BEA01	(not available)
7	[file and pathname of the sample #1]	1,577,944 bytes	MD5: 0x12B72E53F0B188F81AFC80868DFED17B SHA-1: 0x8DD417A5878CD823378A3EDAAA34AE9E5F0DEFEB	Trojan.ADH.2 [Symantec] not-a-virus:AdWare.Win32.FakeInstaller.hl [Kaspersky Lab] Program:Win32/Ircfast [Microsoft] Trojan.Win32.StartPage [Ikarus]

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Favorites% is a variable that refers to the file system directory that serves as a common repository for the user's favorite items. A typical path is C:\Documents and Settings\[UserName]\Favorites.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,581,056 bytes

Registry Modifications

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

Spain

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
english.ircfast2.com	80	(null)	(null)

The following GET requests were made:

index.php?mid=13441588&sid=34225&c=US&fw=y
index.jpg

The following HTTP URL was started reading:

http://download.divx.com/divx/DivXInstaller.exe

The data identified by the following URLs was then requested from the remote web server:

http://english.ircfast2.com/lv/software/info.htm?sid=34225&v=2
http://english.ircfast2.com/terms_raw.php?sid=0

Downloaded File Summary:

Download details:

Download retrieved: 13 August 2012 04:57:28
Processing time: 8 min 2 sec
Downloaded sample:

File MD5: 0x832C686183E29661949BB9AB483F525B
File SHA-1: 0xF03DE812AE880E987FA29DF038F6AB9EA5688751
Filesize: 933,256 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonAppData%\DivX\Setup\DivXSetup.log	335 bytes	MD5: 0xBBDC63484724938623233478E70D5F82 SHA-1: 0x32C234D66CF6737E6994072B68E3CCC439373DBF
2	[file and pathname of the sample #1]	933,256 bytes	MD5: 0x832C686183E29661949BB9AB483F525B SHA-1: 0xF03DE812AE880E987FA29DF038F6AB9EA5688751

Note:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.

The following directories were created:

%CommonAppData%\DivX
%CommonAppData%\DivX\Setup

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	26,161,152 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\DivX
HKEY_LOCAL_MACHINE\SOFTWARE\DivX\Install
HKEY_LOCAL_MACHINE\SOFTWARE\DivX\Install\Setup

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\DivX\Install\Setup]

ResourceDLL = "%Temp%\div1.tmp\div2.tmp"

Other details

To mark the presence in the system, the following Mutex objects were created:

E713B767-8C16-4231-89DD-CF5277C9E3FE
E349B238-94F5-4ded-A224-72226652AEE0

The data identified by the following URL was then requested from the remote web server:

http://dist.divx.com/divx/setup/DivXSetupRes_dpi96.dll

Downloaded File Summary (Generation #2):

Download details:

Download retrieved: 13 August 2012 05:08:27
Processing time: 7 min 30 sec
Downloaded sample:

File MD5: 0xA79390E3E75AD1D674EC59063DD2B502
File SHA-1: 0x80B3F4C494B2EDBD30ECA29C8BA58EB1EF318E07
Filesize: 1,709,936 bytes

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	1,709,936 bytes	MD5: 0xA79390E3E75AD1D674EC59063DD2B502 SHA-1: 0x80B3F4C494B2EDBD30ECA29C8BA58EB1EF318E07

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes

Note:

[generic host process filename] is a full path filename of [generic host process].

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x10000000 - 0x101A0000

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.