Submission Summary:

• Submission details:
• Submission received: 16 August 2009, 09:16:52
• Processing time: 5 min 52 sec
• Submitted sample:
• File MD5: 0x131098D54E4C5FFC47E577FD1B45805C
• File SHA-1: 0x60D723F542369B0ED1A7682F9080843336880DE9
• Filesize: 12,800 bytes
• Alias:
• Trojan.Dropper [Symantec]
• Trojan.Win32.Agent2.chmt [Kaspersky Lab]
• Mal/Behav-112 [Sophos]
• TrojanDropper:Win32/OnLineGames.FK [Microsoft]
• Trojan.Win32.Agent2 [Ikarus]
• Win-Trojan/OnlineGameHack.12800.HF [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\2907501658don.dll	6,144 bytes	MD5: 0xD4F8A263A0D2B3648228720FC8BC2D77 SHA-1: 0xD71FFDD39AC64559A983ED723F7C397E55FB2B17	Downloader [Symantec] Trojan-Spy.Win32.Gologger.20.n [Kaspersky Lab] Downloader-BGO [McAfee] Trojan-Spy.Win32.Gologger [Ikarus] Win-Trojan/Gologger.6144.C [AhnLab]
2	%Temp%\d.bat	106 bytes	MD5: 0x15C40C44E7BD1D8F2DE38D9185F0B3F0 SHA-1: 0x59B3B619ED9B8F4A06AA5A09E81714049820855A	(not available)
3	[file and pathname of the sample #1]	12,800 bytes	MD5: 0x131098D54E4C5FFC47E577FD1B45805C SHA-1: 0x60D723F542369B0ED1A7682F9080843336880DE9	Trojan.Dropper [Symantec] Trojan.Win32.Agent2.chmt [Kaspersky Lab] Mal/Behav-112 [Sophos] TrojanDropper:Win32/OnLineGames.FK [Microsoft] Trojan.Win32.Agent2 [Ikarus] Win-Trojan/OnlineGameHack.12800.HF [AhnLab]

• Note:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

• There was a new process created in the system:

Registry Modifications

• The newly created Registry Value is:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• hivew = "%System%\rundll32.exe %Temp%\2907501658don.dll,Set1"

so that 2907501658don.dll runs every time Windows starts

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• The following Internet Connection was established:

• The following GET request was made:
• tongji/get.asp

• The following HTTP URL was started reading:
• http://ahthja.info/za.exe;http://74.52.164.210/pk/axa0727.exe;http://ahthja.info/win.exe;http://ahthja.info/fox.exe;http://ahthja.info/jcin02.exe;http://ahthja.info/mj.exe;http://car741.info/s5.exe;

• The data identified by the following URL was then requested from the remote web server:
• http://htsrh.info/1.txt