ThreatExpert Report: Virus.Win32.Virut.ce, W32/Generic.m, Worm.Win32.VB, Mal/HckPk-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 October 2011, 07:34:40
Processing time: 15 min 39 sec
Submitted sample:

File MD5: 0x14203362BE7D73BDC3E3B89C3C54EA00
File SHA-1: 0x65DF6BE5D9582175691B4D5406AF571F3A40885F
Filesize: 602,112 bytes
Alias:

Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Generic.m [McAfee]
Worm.Win32.VB [Ikarus]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Worm.IM.Sohanad	Worm.IM.Sohanad spreads via Yahoo Messenger and infects Windows. It sends a message to all Yahoo Messenger contacts of an infected user. The message contains a link enticing users to download the worm. The worm also disable certain Windows functionalities abd hijacks Internet Explorer homepage. It also downloads other maware and it will also attempt to propagate via the means of creating copies of itself onto removable devices such as USB flash and hard drives.
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.
Trojan-Downloader.Injecter.LR	Trojan-Downloader.Injecter.LR contacts a remote server in order to log an infection and attempts to download code and may install other malware.
Backdoor.Rbot.ADF	Backdoor.Rbot.ADF is a trojan which opens network ports and allows attackers to gain unauthorized access to the system. It also spreads to network shares by exploiting weak passwords.
Trojan-PWS.QQPass.AM	Trojan.PSW.QQPass.AM steals login information such as usernames and passwords and sends them via e-mail to a remote location.

Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Startup\explorer.exe %UserProfile%\Cookies.exe %UserProfile%\Desktop.exe %UserProfile%\Favorites.exe %UserProfile%\My Documents.exe %Programs%\Startup\explorer.exe %UserProfile%\Start Menu.exe c:\New Folder.exe %Windir%\svchost.exe %System%\1025.exe %System%\1028.exe %System%\1031.exe %System%\1033.exe %System%\1037.exe %System%\1041.exe %System%\1042.exe %System%\1054.exe %System%\2052.exe %System%\3076.exe %System%\3com_dmi.exe %System%\CatRoot.exe %System%\CatRoot2.exe %System%\Com.exe %System%\config.exe %System%\dhcp.exe %System%\DirectX.exe %System%\drivers.exe %System%\export.exe %System%\ias.exe %System%\icsxml.exe %System%\IME.exe %System%\inetsrv.exe %System%\Macromed.exe %System%\Microsoft.exe %System%\MsDtc.exe %System%\mui.exe %System%\npp.exe %System%\NtmsData.exe %System%\oobe.exe %System%\ras.exe %System%\ReinstallBackups.exe %System%\Restore.exe [file and pathname of the sample #1] %System%\Setup.exe %System%\ShellExt.exe %System%\spool.exe %System%\usmt.exe %System%\wbem.exe %System%\wins.exe %System%\xircom.exe	602,112 bytes	MD5: 0x14203362BE7D73BDC3E3B89C3C54EA00 SHA-1: 0x65DF6BE5D9582175691B4D5406AF571F3A40885F	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
2	%AppData%\1787a.log	4,242 bytes	MD5: 0x4246D7CF93D4EF5FD4A551CA79388B52 SHA-1: 0xE284956F99FE9775D335BF2B85D045CDF9453ECA	(not available)
3	%AppData%\2bbmpql2.exe	61,952 bytes	MD5: 0x63840FAF38235F0102D6AF3C56B1729A SHA-1: 0x91FC5A30C2ABB195AAE88D183B79B64892F5913A	Virus.Win32.Virut.ce [Kaspersky Lab]
4	%AppData%\3kvq.exe	84,480 bytes	MD5: 0x7BE4A3C56DE72AABF385A9E4090A3244 SHA-1: 0x6364942FA3D38704F58881A96456F4D17A60B6D7	Virus.Win32.Virut.ce [Kaspersky Lab] Mal/HckPk-A [Sophos] Trojan-Spy.Win32.VB [Ikarus]
5	%AppData%\4Cuu8m23.bat %AppData%\weGhF2U1.bat	176 bytes	MD5: 0xD449E58D133AD0A4BDF980B0046550E7 SHA-1: 0x401FD03E377735D9D021DD962B250BAF3E9389F1	(not available)
6	%AppData%\998bsw1mv.exe	69,632 bytes	MD5: 0x3420DE55B8DE4B837C9CC61A8C7A3DD0 SHA-1: 0xD6B26EBBBE92459A2F57BA64CFEEFD169F21A1EB	Worm.Win32.WBNA.aot [Kaspersky Lab] packed with ASPack [Kaspersky Lab]
7	%AppData%\hq0nzpsa2.exe	425,984 bytes	MD5: 0x9EA93FD804FF13990BD36201DC1D29C2 SHA-1: 0xCE7AF68E337ECBC496F04840E914F229EAFA9F30	(not available)
8	%AppData%\LocalAccountAuthority.bat	108 bytes	MD5: 0x2C9B188DB3E8711956C33D9A699B0D7A SHA-1: 0x306B8FB221FB3FC452C4C74388A51B6EC268FFFA	(not available)
9	%AppData%\lssas.exe	101,376 bytes	MD5: 0x852DD411B88751AC39EB8C641FF32323 SHA-1: 0xE12895DF46782FBFECBA8489131D171A6C148F75	Virus.Win32.Virut.ce [Kaspersky Lab]
10	%AppData%\manager.exe	101,376 bytes	MD5: 0x41604131B4E67510AC5508254295D767 SHA-1: 0xA5DA25E9D7139FAD1559137F4EA77043B2ADB619	Virus.Win32.Virut.ce [Kaspersky Lab]
11	%AppData%\mlog	563 bytes	MD5: 0x1CC0DA3E24F5535E17E0907E6DF0E7C5 SHA-1: 0x0BB864C26510FE569ACD6A6D9503415768AFEE9B	(not available)
12	%AppData%\MouseDriver.bat	107 bytes	MD5: 0xACE80C78E3C3C47D6AA7BE4F89EFE692 SHA-1: 0x6F4ED2A55D025DEFEBE43A8AA63EF4D2ACCC36CF	(not available)
13	%AppData%\Plug.bat	110 bytes	MD5: 0xD3C617A5FEC470419DBE3A6C4168F433 SHA-1: 0x473D401A7FEB247851E20BF0E854DDE4915FEAB2	(not available)
14	%AppData%\vw2jfz1n.exe	101,376 bytes	MD5: 0x989C427650F284EE729CB45CC7331B91 SHA-1: 0x9ABB4E425ED2F6025773E2EF107A6314E0276557	Virus.Win32.Virut.ce [Kaspersky Lab]
15	%System%\mbkfvo8.exe	64,512 bytes	MD5: 0x01FBEAA5AAA2A13DA9E1AFF32C699FF6 SHA-1: 0x083BE8A37FF6C773C6C56AB6428A8B381D6085D2	Virus.Win32.Virut.ce [Kaspersky Lab] Mal/HckPk-A [Sophos]
16	%System%\mlog	14,158 bytes	MD5: 0xDC07FB37A67E02BBBD2732120823D141 SHA-1: 0xCCD41CFE4312A8688399DF62C336821334F4CF3F	(not available)
17	%System%\nwcwks.dll	8,192 bytes	MD5: 0x560F8147E9BB5A728D8715120D2F7E7F SHA-1: 0xBBE08F172EAE8F6E49A6E1B8BB121816C326F8E3	Troj/Inject-OJ [Sophos]
18	%Windir%\Temp\VRT1.tmp	55,808 bytes	MD5: 0x3084DF9C592FB1D87AA977FC30329453 SHA-1: 0xA41F9AAD842CF6DE2FF4738DA4458698FA1CA3ED	packed with UPX [Kaspersky Lab]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory was created:

c:\New Folder

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	602,112 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\3kvq
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\3kvq\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT1\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
HKEY_LOCAL_MACHINE\SOFTWARE\f6h45yhjqa
HKEY_LOCAL_MACHINE\SOFTWARE\skd3uf1wbd
HKEY_LOCAL_MACHINE\SOFTWARE\tgs90gv74r
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOUSEDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOUSEDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PLUG_MANAGER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PLUG_MANAGER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Plug Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Plug Manager\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MOUSEDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MOUSEDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PLUG_MANAGER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PLUG_MANAGER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Local Account Authority Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Local Account Authority Service\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MouseDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MouseDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Plug Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Plug Manager\Security
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\3kvq\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT1\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS]

CheckedValue = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

apps = "%System%\mbkfvo8.exe"

so that mbkfvo8.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

v0lut47 = "%AppData%\3kvq.exe"
Local Account Service = "%AppData%\lssas.exe"
Plug Manager = "%AppData%\manager.exe"

so that 3kvq.exe runs every time Windows starts

so that lssas.exe runs every time Windows starts

so that manager.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute]

values = 2A 3D F7 67 64 67 67 67 63 67 67 67 98 98 67 67 DF 67 67 67 67 67 67 67 27 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 66 67 67 69 78 DD 69 67 D3 6E AA 46 DF 66 2B AA 46 33 0F 0E 14 47 1

[HKEY_LOCAL_MACHINE\SOFTWARE\f6h45yhjqa]

f6h45yhjqapath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\skd3uf1wbd]

skd3uf1wbdpath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\tgs90gv74r]

tgs90gv74rexepath = "%AppData%\3kvq.exe"
tgs90gv74rpath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE\0000]

Service = "Local Account Authority Service"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Local Account Authority Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOUSEDRIVER\0000]

Service = "MouseDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "MouseDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MOUSEDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PLUG_MANAGER\0000]

Service = "Plug Manager"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Plug Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PLUG_MANAGER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\LocalAccountAuthority.bat"
DisplayName = "Local Account Authority Service"
ObjectName = "LocalSystem"
Description = "Stores security information for local user accounts. Stopping or disabling this service will result in windows login failure."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\MouseDriver.bat"
DisplayName = "MouseDriver"
ObjectName = "LocalSystem"
Description = "Enables a computer to use mouse from USB port. Stopping or disabling this service will result in system instability."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Plug Manager\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Plug Manager]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\Plug.bat"
DisplayName = "Plug Manager"
ObjectName = "LocalSystem"
Description = "Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE\0000]

Service = "Local Account Authority Service"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Local Account Authority Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LOCAL_ACCOUNT_AUTHORITY_SERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MOUSEDRIVER\0000]

Service = "MouseDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "MouseDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MOUSEDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PLUG_MANAGER\0000]

Service = "Plug Manager"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The HOSTS file was updated with the following URL-to-IP mappings:

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
122.224.6.164	82
174.123.157.154	80
174.133.57.141	80
74.117.116.125	80
83.133.119.197	80
60.190.223.60	2011
60.190.223.60	2012
60.190.223.60	888
61.147.99.179	81

The data identified by the following URLs was then requested from the remote web server:

http://zeus.sunke.info:82/hn.gif?t=0.1700098
http://zeus.sunke.info:82/hn.gif?t=0.6401026
http://a.95622.com/p6.asp?MAC=00-0C-29-EC-86-5C&Publicer=dc99
http://ru.letmedo.net:2011/myck.jpg?t=0.4501612
http://sb.letmedo.net:2012/p/out/kp.exe
http://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C0DCE4CA8D5FF5F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.517193
http://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C0DCE4CA8D5FF5F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.4773828
http://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C0DCE4CA8D5FF5F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.298916
http://61.147.99.179:81/gggg_r.jpg?t=0.5335352
http://www.searchnut.com/?domain=garminhandheldgpsunits.com
http://www.searchnut.com/style/style1_20.css
http://www.searchnut.com/img/default/s.gif
http://www.searchnut.com/images/gps/gps_250x251.jpg
http://www.searchnut.com/is.php?ipua_id=d20ae4b07583b0ff7fc5c1f55a567b47&search_id=24457684&time=

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 80:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.