ThreatExpert Report: Application.Ardamax_Keylogger, Trojan-PWS.Bancos.PWN, Win-Trojan/Avenger.61440

Submission Summary:

Submission details:

Submission received: 3 April 2009, 01:49:05
Processing time: 6 min 49 sec
Submitted sample:

File MD5: 0x16D7EABC8F245E1E2AB6D107988ED072
File SHA-1: 0xC8D347B0E2AC5B5635EC34FF4B7568E9495B6987
Filesize: 815,049 bytes
Alias: Application.Ardamax_Keylogger [PCTools]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-PWS.Bancos.PWN	Trojan-PSW.Bancos.PWN monitors users Internet usage to capture all login information on banking or financial websites and sends them back to the author of the trojan via email. It also hijacks banking websites by redirecting the users to a malicious website.
Application.Ardamax_Keylogger	Ardamax Keylogger is a keystroke recorder that captures user's activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\cleanup.exe	19,286 bytes	MD5: 0xD5816BDDD4382975C1693CCE68547FCC SHA-1: 0x619E67D565BB4E5CE9557AFF4E0A3BDF8D11B74D	(not available)
2	%ProgramFiles%\auto\carrega.bat	172 bytes	MD5: 0xB83C2BBFBB7B4A0D3BB953FCE1DE269D SHA-1: 0xB861925CB2629BB87316777AEFB3A430D6BC7894	(not available)
3	%ProgramFiles%\bjyodjar.txt	5,524 bytes	MD5: 0x4DADAD510C6FD513AA99944FCD895BCE SHA-1: 0x01D8EF52F0145612410EEFBDA379C00B49E0AE67	(not available)
4	%System%\drivers\sexfgu.sys	61,440 bytes	MD5: 0x589312A3B46721C5A751E4D5222A89BE SHA-1: 0x3A497D3968A4F6E3C648D196DA38E5F98E75EC30	Trojan-PWS.Bancos.PWN [PCTools] Win-Trojan/Avenger.61440 [AhnLab]
5	[file and pathname of the sample #1]	815,049 bytes	MD5: 0x16D7EABC8F245E1E2AB6D107988ED072 SHA-1: 0xC8D347B0E2AC5B5635EC34FF4B7568E9495B6987	Application.Ardamax_Keylogger [PCTools]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%ProgramFiles%\auto

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
omc.exe	%ProgramFiles%\auto\omc.exe	2,834,432 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	114,688 bytes
cleanup.exe	C:\cleanup.exe	28,672 bytes

There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
sexfgu.sys	%System%\Drivers\sexfgu.sys

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pzbf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pzbf

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

Cleanup = "C:\cleanup.exe"

so that cleanup.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pzbf]

ImagePath = "%System%\Drivers\sexfgu.sys"
Start = 0x00000000
Type = 0x00000001
ErrorControl = 0x00000001
zvhkdq = "\??\%ProgramFiles%\bjyodjar.txt"
vawz = "C:\WINDOWS"
niwahfz = 0x0003BEC2
Group = "oucsp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pzbf]

ImagePath = "%System%\Drivers\sexfgu.sys"
Start = 0x00000000
Type = 0x00000001
ErrorControl = 0x00000001
zvhkdq = "\??\%ProgramFiles%\bjyodjar.txt"
vawz = "C:\WINDOWS"
niwahfz = 0x0003BEC2
Group = "oucsp"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]

List = "oucsp System Reserved Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]

List = "oucsp System Reserved Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FS

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%ProgramFiles%\auto\omc.exe

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.