ThreatExpert Report: Mal/Emogen-F, Trojan.ATRAPS, Mal/Behav-034, Mal/Emogen-F

Submission Summary:

Submission details:

Submission received: 7 October 2009, 08:59:16
Processing time: 8 min 11 sec
Submitted sample:

File MD5: 0x17622D3C015B5CFE0F45516CAC62705F
File SHA-1: 0xD9CC1811FF327DCE84F46159A709A337876DD177
Filesize: 2,625,439 bytes
Alias: Mal/Emogen-F [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\ï¿½ï¿½È¤--VIP\ï¿½ï¿½È¤Ð¡ï¿½ï¿½Ï·.lnk	631 bytes	MD5: 0x016B6E6C5DD56B38CF4E2050B28CE2A2 SHA-1: 0x2F77F6A626B9F7CECDF98DDC083172FC2281D82F	(not available)
2	%DesktopDir%\369????.lnk	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%DesktopDir%\ï¿½ï¿½È¤Ð¡ï¿½ï¿½Ï·.lnk	619 bytes	MD5: 0x6A0356C8505260F5DB7491C09D225BC1 SHA-1: 0xBA00C9ABB81C05C75E0548E8AB045CFD346581D7	(not available)
4	%Temp%\JET4B38.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
5	%ProgramFiles%\HenQu\Flash.ldb	64 bytes	MD5: 0xAB33D2B2DBC1868BD7E84FDD4015C9F9 SHA-1: 0xEAD301FA3060B320EA04EE6221059C79D403E876	(not available)
6	%ProgramFiles%\HenQu\Flash.mdb	229,376 bytes	MD5: 0xD810288FAED71109F2C86C0BDF241D05 SHA-1: 0xCF5B47B6179C81380C344C845435D105BD83BA22	(not available)
7	%ProgramFiles%\HenQu\Flash10b.ocx	3,866,528 bytes	MD5: 0x8AFC17155ED5AB60B7C52D7F553D579C SHA-1: 0xFC3087D8ACB839E4CFCF14C9982C0E4D8A1C7109	(not available)
8	%ProgramFiles%\HenQu\mscomctl.ocx	1,081,616 bytes	MD5: 0xECC7D7F0D3446DE36045D1D9E964FAFE SHA-1: 0xDA6B0EC081D628C33B150327F3BD16D3B7FA4729	(not available)
9	%ProgramFiles%\HenQu\MSINET.OCX	132,880 bytes	MD5: 0x90A39346E9B67F132EF133725C487FF6 SHA-1: 0x9CD22933F628465C863BED7895D99395ACAA5D2A	(not available)
10	%ProgramFiles%\HenQu\SetInfo.exe	90,112 bytes	MD5: 0x9443C51FB7D839FBA0EEC5EDCB81D60A SHA-1: 0xE1ABFCEB20A3619FCF5C7FA391533D2746B1F4C3	Mal/Emogen-F [Sophos] Trojan.ATRAPS [Ikarus]
11	%ProgramFiles%\HenQu\unins000.dat	1,933 bytes	MD5: 0x8537ABFB22EB6F06D8DFD260A65AFF01 SHA-1: 0x3AAACF8F554FC713C05FB71B361F89288B29A607	(not available)
12	%ProgramFiles%\HenQu\unins000.exe	637,205 bytes	MD5: 0xFDF7C0484021EBD4FB8B719ABC41EF28 SHA-1: 0xBACD043D7DDE6DDABB9F40F403F59E94B655234C	(not available)
13	%ProgramFiles%\HenQu\Update.exe	88,064 bytes	MD5: 0x362D7F34D84ACB0D65201019751A8B0B SHA-1: 0x1F94458CFEF5BD2E41D5C2607568FD5FBAEDC112	Mal/Behav-034, Mal/Emogen-F [Sophos] packed with UPX [Kaspersky Lab]
14	%ProgramFiles%\HenQu\ï¿½ï¿½È¤Ð¡ï¿½ï¿½Ï·.exe	1,835,008 bytes	MD5: 0x93E211219F6642E5CBA158A144E1DB1F SHA-1: 0x3D9299083A6EB245B6C5C2AF6748DC11205BFBE2	(not available)
15	[file and pathname of the sample #1]	2,625,439 bytes	MD5: 0x17622D3C015B5CFE0F45516CAC62705F SHA-1: 0xD9CC1811FF327DCE84F46159A709A337876DD177	Mal/Emogen-F [Sophos]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following file was modified:

%Windir%\win.ini

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%CommonPrograms%\ï¿½ï¿½È¤--VIP
%ProgramFiles%\HenQu
%ProgramFiles%\HenQu\Flash
%ProgramFiles%\HenQu\Pic

Memory Modifications

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
SetInfo.exe	%ProgramFiles%\henqu\setinfo.exe	172,032 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ï¿½ï¿½È¤--VIP_is1
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Brazos volatile counter
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x354 Thread 0x3d0 DBC 0x9f7b54 Jet
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x354 Thread 0x3d0 DBC 0x9f7b54 Jet\Engines
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x354 Thread 0x3d0 DBC 0x9f7b54 Jet\Engines\Jet

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ï¿½ï¿½È¤--VIP_is1]

Inno Setup: Setup Version = "5.1.1-beta"
Inno Setup: App Path = "%ProgramFiles%\HenQu"
InstallLocation = "%ProgramFiles%\HenQu\"
Inno Setup: Icon Group = "ï¿½ï¿½È¤--VIP"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon,quicklaunchicon,changestartpage"
Inno Setup: Deselected Tasks = ""
DisplayName = "ï¿½ï¿½È¤Ð¡ï¿½ï¿½Ï· v2.4"
UninstallString = ""%ProgramFiles%\HenQu\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\HenQu\unins000.exe" /SILENT"
Publisher = "ï¿½ï¿½È¤--VIP"
URLInfoAbout = "http://www.henqu.com"
HelpLink = "http://www.henqu.com"
URLUpdateInfo = "http://www.henqu.com"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Brazos volatile counter]

VolatileDsnCount = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x354 Thread 0x3d0 DBC 0x9f7b54 Jet\Engines\Jet]

Driver = "{Microsoft Access Driver (*.mdb)}"
ImplicitCommitSync = ""
Threads = 0x00000003
UserCommitSync = "Yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0x354 Thread 0x3d0 DBC 0x9f7b54 Jet]

ProcessId = 0x00000354
DBQ = "%ProgramFiles%\henqu\Flash.mdb"
DriverId = 0x00000019
PWD = ""
SafeTransactions = 0x00000000
UID = ""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International]

W2KLpk = 0x00000001

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
123.125.42.13	80
60.28.198.121	80
61.172.249.96	80

The data identified by the following URLs was then requested from the remote web server:

http://tj.mop.com/display.html?7001|774|0|receiver|0|mop
http://yx.mop.com/codepic/ts/300-250.gif
http://yx.mop.com/codepic/ts/100-300.gif
http://sql.55gg.com/Update.txt
http://sql.55gg.com/YouXi/Default/NewFlash/Index_1.html
http://sql.55gg.com/tongji.htm
http://sql.55gg.com/GetsType2.asp?k=K7h6A6gJfx78N64&m=b6b673eccd37a6a3&id=23
http://sql.55gg.com/Ads3.html
http://sql.55gg.com/Ads4.html
http://sql.55gg.com/GetbType.asp?k=76KOQtzP677&m=bd3d403a576d38d1
http://sql.55gg.com/Ads1.html
http://sql.55gg.com/Inc/Style.css
http://sql.55gg.com/Ads2.html
http://sql.55gg.com/YouXi/Default/TuiJian/Index_1.html

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.