ThreatExpert Report: Trojan.Gen, Trojan-Dropper.Win32.Injector.dafl, Trojan-Dropper.Win32.Injector..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 2 August 2012, 16:15:49
Processing time: 8 min 58 sec
Submitted sample:

File MD5: 0x193932F55ADD98B6B0E6A6225F1E39F1
File SHA-1: 0xDD9B88D3D2D822BD4CA65BA199D476E1D86AC664
Filesize: 688,632 bytes
Alias & packer info:

Trojan.Gen [Symantec]
Trojan-Dropper.Win32.Injector.dafl [Kaspersky Lab]
Trojan-Dropper.Win32.Injector [Ikarus]
packed with: Armadillo [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	688,632 bytes	MD5: 0x193932F55ADD98B6B0E6A6225F1E39F1 SHA-1: 0xDD9B88D3D2D822BD4CA65BA199D476E1D86AC664	Trojan.Gen [Symantec] Trojan-Dropper.Win32.Injector.dafl [Kaspersky Lab] Trojan-Dropper.Win32.Injector [Ikarus] packed with Armadillo [Kaspersky Lab]

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,232,896 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\InprocServer32]

(Default) = "ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}]

(Default) = "PipePSFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]

{K7C0DB872A3F777C0} = 7A E5 99 7F 62 13 1F 7D 75 8E 32 07 1E 46 2E 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
{I1A2DF9AB86C7D61C} = 02 00 00 00

Other details

To mark the presence in the system, the following Mutex object was created:

RAL256807B1

The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://fenessaw.com/pdf/hepter/win7update.exe	%Temp%\tmp.exe

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Downloaded File Summary:

Download details:

Download retrieved: 2 August 2012 16:24:47
Processing time: 9 min 7 sec
Downloaded sample:

File MD5: 0xAAC13ACB969844DC1118F5390D7D1FCF
File SHA-1: 0x6C0941B8DBE8E6119B423E82CE5F9242CD3CB9F2
Filesize: 1,380,352 bytes
Alias & packer info:

Trojan.Gen [Symantec]
Trojan-Dropper.Win32.Injector.dafl [Kaspersky Lab]
Backdoor:Win32/Fynloski.A [Microsoft]
Trojan-Dropper.Win32.Injector [Ikarus]
packed with: Armadillo [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%MyDocuments%\MSDCSC\Plugin-container.exe [file and pathname of the sample #1]	1,380,352 bytes	MD5: 0xAAC13ACB969844DC1118F5390D7D1FCF SHA-1: 0x6C0941B8DBE8E6119B423E82CE5F9242CD3CB9F2	Trojan.Gen [Symantec] Trojan-Dropper.Win32.Injector.dafl [Kaspersky Lab] Backdoor:Win32/Fynloski.A [Microsoft] Trojan-Dropper.Win32.Injector [Ikarus] packed with Armadillo [Kaspersky Lab]

Note:

%MyDocuments% is a variable that refers to the file system directory used to physically store a user's common repository of documents. A typical path is C:\Documents and Settings\[UserName]\My Documents.

The following directories were created:

%Temp%\dclogs
%MyDocuments%\MSDCSC

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,925,120 bytes
Plugin-container.exe	%MyDocuments%\MSDCSC\Plugin-container.exe	1,925,120 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
HKEY_CURRENT_USER\Software\DC3_FEXEC

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\VersionIndependentProgID]

(Default) = "ADODB.Stream"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\ProgID]

(Default) = "ADODB.Stream.2.8"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}\InprocServer32]

(Default) = "%ProgramFiles%\Common Files\System\ado\msado15.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F22CEAB2-A2D9-FBC9-E136-7271339F5793}]

(Default) = "ADODB.Stream"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusDisableNotify = "1"

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]

{K7C0DB872A3F777C0} = 9E 6B CE C1 62 13 1F 16 80 9A 57 07 1E 46 2E 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
{I1A2DF9AB86C7D61C} = 02 00 00 00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Google Micro Update = "%MyDocuments%\MSDCSC\Plugin-container.exe"

so that Plugin-container.exe runs every time Windows starts

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusDisableNotify = 0x00000001

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit =

Other details

To mark the presence in the system, the following Mutex objects were created:

RAL256807B1
DC_MUTEX-SYSRS4A

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%MyDocuments%\MSDCSC\Plugin-container.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 1604:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.