Submission Summary:

 

Technical Details:


 

File System Modifications

#  Filename(s)  File Size  File Hash  Alias
1 %Temp%\1.exe 148,480 bytes MD5: 0x50B8C1FA69908E152753151CD5E2AB3F
SHA-1: 0x8E042E9DEA6EFCEDF8BAAE8E3ED97F002E78AD7E
possible-Threat.Keygen [Ikarus]
packed with UPX [Kaspersky Lab]
2 %Temp%\10.COM 14,863 bytes MD5: 0xE772C3C9443062A4E65CF53C4D0F65A6
SHA-1: 0xC3EC762D0F1B879F4F5847E39CB2EC766700A7F9
Trojan.Script [Ikarus]
3 %Temp%\11.EXE 66,431 bytes MD5: 0xF4D07B6D465ED2F398DABCDB2F426E24
SHA-1: 0xFE03940D06ECDD2E665D24579BEEC0F5918CC247
Generic.grp!jc [McAfee]
Mal/Agent-ACC [Sophos]
Virus.Win32.Trojan [Ikarus]
Win-Trojan/Downloader.65991 [AhnLab]
4 %Temp%\12.exe 35,328 bytes MD5: 0xB9BA6739962B937B554CF936D848D35E
SHA-1: 0x5150FF81E96EC87DC565433ABDA9AD3D9F06C15D
(not available)
5 %Temp%\13.exe 400,896 bytes MD5: 0xD06C08CE149192482927D23A2911ABE3
SHA-1: 0x5F61E22BC2F25B5AB7F8E93B006FAD36F05F17EE
(not available)
6 %Temp%\14.exe 12,800 bytes MD5: 0x00692B4089656AD15B4DC6CFCD2B08E5
SHA-1: 0x9433EB74B8100ACA118B7076AFC96FAF74AF340C
Trojan.Win32.Spy [Ikarus]
7 %Temp%\15.EXE 14,336 bytes MD5: 0x39BD52B247B8EC8C041CFC2F1493E332
SHA-1: 0x06C25C05D8B75EA7EF0577C19D660200A90CADA2
(not available)
8 %Temp%\2.exe 181,248 bytes MD5: 0x05C7F3948CE0F6727F06165DE7F8061D
SHA-1: 0x2175BB07BE99DD3DBA89E41044279516C3C8F907
possible-Threat.Keygen [Ikarus]
9 %Temp%\3.DLL 21,504 bytes MD5: 0x49013D4A972545182787722175FFDE10
SHA-1: 0x1A04826A4208EA9DDD0F8A79ABC1E66B0962B44E
(not available)
10 %Temp%\4.DLL 39,936 bytes MD5: 0xF2D7ED3D8B28A9D85114448DDE3253B8
SHA-1: 0x2B005AFC51E37F48147E044E910D1D9614D1F158
packed with UPX [Kaspersky Lab]
11 %Temp%\5.exe 22,528 bytes MD5: 0x7BC3424F1332D1AF46142E7620F5AE90
SHA-1: 0x4AC3F7F2C4D7A127A7C546214D02F205E2A5A56C
Troj/KeyGen-BP [Sophos]
packed with Petite [Kaspersky Lab]
12 %Temp%\6.EXE 3,584 bytes MD5: 0xF44C377A53C9AF7AE8B03433F7E09F93
SHA-1: 0xEDC820C7A42D63FC61B95B8A19F917E3C10A3306
Trojan.Offend [Ikarus]
13 %Temp%\7.COM 1,691 bytes MD5: 0xC18EAD1EFDAC68E8AA26B0CF22E65013
SHA-1: 0xC28BD030CBC6FD54701DA9CB90086F07258C036C
Trojan.Script [Ikarus]
packed with Com2Txt.HPA [Kaspersky Lab]
14 %Temp%\8.COM 12,611 bytes MD5: 0xC1D6F31E4C7CB74BA5BA6695232E3CEF
SHA-1: 0xABDC502240B1C77192484B9AD2FF1AED079FF565
packed with Com2Txt.HPA [Kaspersky Lab]
15 %Temp%\9.COM 1,756 bytes MD5: 0xDA06D83B6C455679F085936507BA32EF
SHA-1: 0xAC19571FFA511E693C5FFBB6340E2479280B84D6
packed with Com2Txt.HPA [Kaspersky Lab]
16 [file and pathname of the sample #1] 658,171 bytes MD5: 0x16F79345C2C21D65DF988F40CDC82CB8
SHA-1: 0x3A0AC53964155F70C74B5084EF0A0B17D47C7A32
Virus.Win32.Trojan [Ikarus]

 

Memory Modifications

Process Name  Process Filename  Main Module Size
11.EXE  %Temp%\11.exe  65,536 bytes
12.exe  %Temp%\12.exe  81,920 bytes
13.exe  %Temp%\13.exe  421,888 bytes
15.EXE  %Temp%\15.exe  40,960 bytes
1.exe  %Temp%\1.exe  360,448 bytes
2.exe  %Temp%\2.exe  331,776 bytes
5.exe  %Temp%\5.exe  57,344 bytes
[generic host process]  [generic host process filename]  20,480 bytes

 

Other details

Russian Federation
Germany

 

 

Copyright © 2013 ThreatExpert. All rights reserved.