ThreatExpert Report: Packed.Win32.Tdss.w, Trojan:Win32/Alureon.gen!J, Suspicious.Vundo.2..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 9 July 2009, 09:52:36
Processing time: 6 min 22 sec
Submitted sample:

File MD5: 0x174AA8777D77426485747D6DE4D0039B
File SHA-1: 0xB8EAAE5BACCEFC7A59072F90571086547016630F
Filesize: 38,912 bytes
Alias:

Packed.Win32.Tdss.w [Kaspersky Lab]
Trojan:Win32/Alureon.gen!J [Microsoft]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.TDSServ	Trojan.TDSServ is a trojan horse that may represent security risk for the compromised system and/or its network environment. The program uses rootkit-specific techniques designed to hide the software presence in the system. This trojan also blocks user access to security website such as pctools.com.
Backdoor.Tidserv!sd6	Backdoor.Tidserv!sd6 is a malicious application that runs in the background and allows remote access to your system, giving the attacker full control of your system.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\tmp1.tmp	26,624 bytes	MD5: 0x54E93C5BDB57B1C1BC4907813175AB83 SHA-1: 0xBE001441CC6AAED75A1E7A0453D23BF0E4A40360	Suspicious.Vundo.2 [Symantec] Packed.Win32.Tdss.w [Kaspersky Lab] Trojan:Win32/Alureon.BH [Microsoft] Packed.Win32.Tdss [Ikarus]
2	%Temp%\tmp2.tmp	343,040 bytes	MD5: 0xE3E1EEA147AE7707C7EB0608DCA2CC44 SHA-1: 0xD431A090C8144FB7E3A6087550725489BA51A57C	Backdoor.Tidserv!sd6 [PCTools] Backdoor.Tidserv [Symantec] Trojan.Win32.Patched.go [Kaspersky Lab] W32/Autorun-AFM [Sophos] Trojan:Win32/Alureon.BP [Microsoft] Win-Trojan/DNSChanger.343040 [AhnLab]
3	%Windir%\pchealth\ERRORREP\UserDumps\spoolsv.exe.20090709-175348-00.hdmp	2,501,604 bytes	MD5: 0x4D8E8095E4CBF71E322F573856223EC8 SHA-1: 0xCB0CA65860F5E942B530E072E405F8CA9CBFA422	(not available)
4	%Windir%\pchealth\ERRORREP\UserDumps\spoolsv.exe.20090709-175348-00.mdmp	51,199 bytes	MD5: 0xF3A2CEB3135130485B3460CF88A7FB83 SHA-1: 0xA00D0496CBBA6C53E02DA03A43511AAE15EEAEC0	(not available)
5	[file and pathname of the sample #1]	38,912 bytes	MD5: 0x174AA8777D77426485747D6DE4D0039B SHA-1: 0xB8EAAE5BACCEFC7A59072F90571086547016630F	Packed.Win32.Tdss.w [Kaspersky Lab] Trojan:Win32/Alureon.gen!J [Microsoft]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%Windir%\pchealth\ERRORREP\UserDumps

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	94,208 bytes

The following system service was modified:

Service Name	Display Name	New Status	Service Filename
Spooler	Print Spooler	"Stopped"	%System%\spoolsv.exe

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoshow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoshow\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoshow\CLSID]

(Default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults]

%Windir%\PCHealth\ErrorRep\UserDumps\spoolsv.exe.20090709-175348-00.mdmp = DA 00 00 00 60 00 00 00 60 00 00 00 A0 00 00 00 5F 1D 00 00 00 00 00 00 05 00 01 00 28 0A 84 08 00 00 00 00 00 00 00 00 00 00 00 00 D9 07 07 00 04 00 09 00 11 00 35 00 30 00 4D 00 30 00 30 00 05 00 00 C0 31 00 38 00 00 00 00 00 00 00 00 00 B4 7E 10 4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

UserFaultCheck = "%System%\dumprep 0 -u"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

Other details

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
213.163.66.241	80

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.