Submission Summary:

• Submission details:
• Submission received: 26 October 2012, 03:44:45
• Processing time: 9 min 34 sec
• Submitted sample:
• File MD5: 0x16C9FB110CB8AFED922A3982172BB0B7
• File SHA-1: 0xCA6BE78C791E3932520434D66DDAA7470DCCEB45
• Filesize: 485,277 bytes
• Alias & packer info:
• Trojan.Gen [Symantec]
• Backdoor.Win32.Bifrose [Ikarus]
• packed with: ASProtect [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\jnoon\jnoon.exe [file and pathname of the sample #1]	485,277 bytes	MD5: 0x16C9FB110CB8AFED922A3982172BB0B7 SHA-1: 0xCA6BE78C791E3932520434D66DDAA7470DCCEB45	Trojan.Gen [Symantec] Backdoor.Win32.Bifrose [Ikarus] packed with ASProtect [Kaspersky Lab]
2	%ProgramFiles%\jnoon\logg.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

• Note:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following directory was created:
• %ProgramFiles%\jnoon

Memory Modifications

• There were new processes created in the system:

• Attention! The following processes were intentionally hidden from the user:

Process Name	Main Module Size
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes

• There was a new memory page created in the address space of the system process(es):

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B3F3F22-D02D-4910-766A-A153D0FA5121}
• HKEY_LOCAL_MACHINE\SOFTWARE\jnoon
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
• HKEY_CURRENT_USER\Software\jnoon

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B3F3F22-D02D-4910-766A-A153D0FA5121}]
• stubpath = "%ProgramFiles%\jnoon\jnoon.exe s"

so that jnoon.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\jnoon]
• nck = D9 06 80 46 CC 44 A2 32 74 C3 CD 74 FA 93 5B 67
• [HKEY_CURRENT_USER\Software\jnoon]
• klg = 01

Other details

• To mark the presence in the system, the following Mutex object was created:
• jnoon

• The following Host Name was requested from a host database:
• nozhmh.no-ip.biz

• There was registered attempt to establish connection with the remote host. The connection details are:

• There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
• %ProgramFiles%\Internet Explorer\iexplore.exe

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 85: