Submission Summary:

• Submission details:
• Submission received: 29 September 2012, 21:32:54
• Processing time: 8 min 40 sec
• Submitted sample:
• File MD5: 0x1392B23D078B390841EF0999B40B344E
• File SHA-1: 0x67E5CCAE2C7FD9F543CA64DAC008C03B5B56DCC2
• Filesize: 97,792 bytes
• Alias & packer info:
• Rootkit.Win32.Agent.delg [Kaspersky Lab]
• Trojan.SuspectCRC [Ikarus]
• packed with: UPX [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

• Attention! The following threat categories were identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A hacktool that could be used by attackers to break into a system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\orale.exe %System%\orale.exe	65,536 bytes	MD5: 0x88E34C4C90981E632E2C8482D6E06D49 SHA-1: 0xB95BF38FF7F3EF63A6DC4E3569C8BBA596A94213	Mal/Emogen-F [Sophos]
2	%ProgramFiles%\tcount.bak %ProgramFiles%\tcount2.bak %System%\Google.gif	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%System%\baidu.gif	260 bytes	MD5: 0xBFD4F3F518D771ED1E163A74360C8782 SHA-1: 0xF8C4F6058B251325BD0B2AC674C91B98A2A206DC	(not available)
4	%System%\iexplorer.exe	105,984 bytes	MD5: 0x4FD94762450983B8630D8AD060535755 SHA-1: 0x8C5CD81CEADB3981C75BD3FE441AD8A00D532608	(not available)
5	[file and pathname of the sample #1]	97,792 bytes	MD5: 0x1392B23D078B390841EF0999B40B344E SHA-1: 0x67E5CCAE2C7FD9F543CA64DAC008C03B5B56DCC2	Rootkit.Win32.Agent.delg [Kaspersky Lab] Trojan.SuspectCRC [Ikarus] packed with UPX [Kaspersky Lab]
6	[file and pathname of the sample #1].bat	134 bytes	MD5: 0xF2E46222DB8530DF7AAF257291B96CFC SHA-1: 0x18B966E9597F1C63A0058937DE0440D3F2749DC8	(not available)
7	%System%\SSDT01.sys	17,664 bytes	MD5: 0xF1FDC51E4DB595B235346260DCEAADD1 SHA-1: 0x04FD7C1A98032E1B4E2670439832ACA43EE7AE06	Hacktool.Rootkit [Symantec] Rootkit.Win32.Agent.delg [Kaspersky Lab] Generic Rootkit.d [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Pabueri [Microsoft] Trojan.SuspectCRC [Ikarus]

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
iexplorer.exe	%System%\iexplorer.exe	122,880 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	339,968 bytes
orale.exe	%System%\orale.exe	73,728 bytes
orale.exe	%ProgramFiles%\orale.exe	73,728 bytes

• Attention! The following processes were intentionally hidden from the user:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_S
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_S\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_S\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_S
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_S\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_S\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• macxg = "%ProgramFiles%\orale.exe"

so that orale.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_S\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "S"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_S\0000]
• Service = "S"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "S"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_S]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S\Enum]
• 0 = "Root\LEGACY_S\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S]
• Type = 0x00000001
• Start = 0x00000004
• ErrorControl = 0x00000001
• ImagePath = "%System%\SSDT01.sys"
• DisplayName = "S"
• DeleteFlag = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_S\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "S"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_S\0000]
• Service = "S"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "S"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_S]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S\Enum]
• 0 = "Root\LEGACY_S\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S]
• Type = 0x00000001
• Start = 0x00000004
• ErrorControl = 0x00000001
• ImagePath = "%System%\SSDT01.sys"
• DisplayName = "S"
• DeleteFlag = 0x00000001

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• The following ports were open in the system:

• The following Host Names were requested from a host database:
• 192.5.5.241
• 121.12.170.42

• There was registered attempt to establish connection with the remote host. The connection details are:

• The following Internet Connection was established:

• The following GET requests were made:
• index.html
• hezuo/wlj_qd3_tj.HTM?807
• hezuo/ad_zhanshi2.html
• hezuo/index.jpg
• hezuo/wlj_qd3_2tj.HTM?807

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 58375:

• There was an outbound traffic produced on port 1034:

• There was an outbound traffic produced on port 1040: