Submission Summary:

• Submission details:
• Submission received: 3 November 2009, 15:27:18
• Processing time: 5 min 11 sec
• Submitted sample:
• File MD5: 0x1BF532E8B9E7498D35B1A69A4759CF6D
• File SHA-1: 0x2C7881D7FC350AEAFB27C76040C9BF7BD0C767A5
• Filesize: 33,280 bytes
• Alias:
• Packed.Generic.264 [Symantec]
• Backdoor.Win32.Small.zp [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Communication with a remote SMTP server and sending out email.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.Agent	Trojan.Agent will spy on the browsing habits of users, modify Internet Explorer settings and download malicious files.

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\reader_s.exe %System%\reader_s.exe [file and pathname of the sample #1]	33,280 bytes	MD5: 0x1BF532E8B9E7498D35B1A69A4759CF6D SHA-1: 0x2C7881D7FC350AEAFB27C76040C9BF7BD0C767A5	Packed.Generic.264 [Symantec] Backdoor.Win32.Small.zp [Kaspersky Lab]
2	%System%\dllcache\ndis.sys	212,480 bytes	MD5: 0x0811697768F503138F9E498662D49435 SHA-1: 0xBCC6B06D1B65981C3D41084EA39C846629808B8F	Trojan.Neprodoor!inf [Symantec] Virus.Win32.Protector.b [Kaspersky Lab] Troj/Pushu-Gen, Mal/Fakedis-A [Sophos] Virus.Win32.Protector [Ikarus] Win32/Dnis.C [AhnLab]

• Notes:
• %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following file was modified:
• %System%\drivers\ndis.sys

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
reader_s.exe	%System%\reader_s.exe	49,152 bytes
reader_s.exe	%UserProfile%\reader_s.exe	49,152 bytes

• There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	5,124,096 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• reader_s = "%System%\reader_s.exe"

so that reader_s.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect]
• Cfg = 09 00 00 00 17 48 00 00 A2 57 A8 19 A0 B0 B0 B0 B9 B0 AD B0 B0 B0 B0 B0 60 B0 4E 4F 48 42 4A 4F 42 49 42 77 B0 AA B0 B0 B0 B0 B0 60 B0 4A 4F 42 4F 4B 48 42 4F 4A 49 42 4B 77 B0 A8 B0 B0 B0 B0 B0 60 B0 4F 49 4C 42 4F 4D 4D 42 4F 40 4C 42 4E 4F 40 B0 A
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• reader_s = "%UserProfile%\reader_s.exe"

so that reader_s.exe runs every time Windows starts

Other details

• There were registered attempts to establish connection with the remote hosts. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 25:

• There was an outbound traffic produced on port 8562:

Generated SMTP traffic

• Email Senders:
• Manager Desiree Cantu <shipping@dhl-usa.com>
• Manager Lea Dickey <shipping@dhl-usa.com>
• <slantsi7630@colgate.com>
• <gazetteerskx865@manitowoc.com>
• <haydnrz4@cincinnatimoving.com>
• <willingnessafi844@realestatecapitalgroup.com>
• <lateraled@intranet.asia>
• <soundlesslyxe69@kontotest.com>
• <syllables40@SweetMove.com>
• <screenwritersjls8@DuncanGroup.net>
• <alterableqi4@clickjewelry.com>
• <avariciously@solae.com>
• <khwarizmig03@crosses.tv>
• <refundgy764@azr.info>
• <exaltation6@uklocalarea.com>
• <hyperspacejzy43@moneyforbet.com>
• <poltergeistren5@betaclic.com>
• <preaches77@linkedin.com>
• <waitersemyh3@trackspro.com>
• <atmosphericxe5@sessiondrummer.com>
• <rationalezf@as.nu>
• <embryologistoyk87@thefreebieboard.com>
• <debonairvom@socialmeeting.net>
• <detonatingrp2@beriev.com>
• <firewoodq45@redhat.com>
• <adolescent8@ft.com>
• <crierzu6@seedrack.com>
• <triplesyju33@wires.tv>
• <hipping@downtownrealtygroup.com>

• Email Recipients:
• hardy5@bustyasians.net
• harold2@homre.com
• <gwhitehe@ucsd.edu>
• <gwphillips@ucsd.edu>
• <gwright@ucsd.edu>
• <gzxajiitkp@ucsd.edu>
• <ginawright@ucsd.edu>
• <gineering@ucsd.edu>
• <guzhou@ucsd.edu>
• <gyee@ucsd.edu>
• <gyeex@ucsd.edu>
• <gwhite@ucsd.edu>
• <hansa.patel@gb.unisys.com>
• <hansa.pateln@gb.unisys.com>
• <hansa.patelnn@gb.unisys.com>
• <hansen@gb.unisys.com>
• <harmoni@gb.unisys.com>
• <haronvo_281@gb.unisys.com>
• <harpeanne@gb.unisys.com>
• <harper@gb.unisys.com>
• <harpern@gb.unisys.com>
• <harpernn@gb.unisys.com>
• <greeniedd@aha.ru>
• <gy74oknlurpvn@aha.ru>
• <glmnn@aha.ru>
• <gncinyzw@aha.ru>
• <gncsn@aha.ru>
• <goranljd@aha.ru>
• <grot@aha.ru>
• <grotesk@aha.ru>
• <gps7d@aha.ru>
• <glint@aha.ru>
• <hardiman@nb.net>
• <hardison061@nb.net>
• <hardwood@nb.net>
• <hakeem42@nb.net>
• <harrit@nb.net>
• <harrocks@nb.net>
• <harry0@nb.net>
• <harry342@nb.net>
• <harry@nb.net>
• <harryb@nb.net>
• <hard.pan@poloralphlauren.com>
• <harasfyre@poloralphlauren.com>
• <harbin0@poloralphlauren.com>
• <harbin12@poloralphlauren.com>
• <harbin16@poloralphlauren.com>
• <harbin56@poloralphlauren.com>
• <harbin95@poloralphlauren.com>
• <harbin96@poloralphlauren.com>
• <harbin@poloralphlauren.com>
• <harbineric@poloralphlauren.com>
• <hambone@marshall.edu>
• <hambric4@marshall.edu>
• <hami@marshall.edu>
• <hamilto1@marshall.edu>
• <hamilto7@marshall.edu>
• <griffi15@marshall.edu>
• <guttman1@marshall.edu>
• <guttman1q@marshall.edu>
• <hanna5@marshall.edu>
• <hannah6@marshall.edu>
• <hawkins@gcfg.com>
• <grabow@all4gis.com>
• <graboski@all4gis.com>
• <girton@all4gis.com>
• <girod@all4gis.com>
• <golay@all4gis.com>
• <golba@all4gis.com>
• <golberg@all4gis.com>
• <gold@all4gis.com>
• <golda@all4gis.com>
• <goldade@all4gis.com>
• <harripa@gamezone.com>
• <harrison@gamezone.com>
• <harrisonh@gamezone.com>
• <harrist@gamezone.com>
• <hart@gamezone.com>
• <hartdd@gamezone.com>
• <hartisamuil@gamezone.com>
• <hartley@gamezone.com>
• <hartp@gamezone.com>
• <harvey225@gamezone.com>
• <harveydubois@nycmail.com>
• <harveylarkin@nycmail.com>
• <hassan@nycmail.com>
• <hassanali@nycmail.com>
• <haasbase@nycmail.com>
• <haastjqndwnvlga@nycmail.com>
• <hadrihadr@nycmail.com>
• <gzdc@nycmail.com>
• <gzja@nycmail.com>
• <hat@nycmail.com>
• <hardy5@customersat.com>
• <hardy@customersat.com>
• <harjits@customersat.com>
• <harmon@customersat.com>
• <harmond@customersat.com>
• <hasyhgpwhiszn@wls.wels.net>
• <harper@customersat.com>

• Email Subjects:
• DHL Services. Please Get Your Parcel NR.34904
• DHL Services. Please Get Your Parcel NR.28126

• Email Attachment:
• DHL_package_label_1c058.zip (77,111 bytes)

• Email Body:

• For example, the generated email message may look similar to the one shown below: