ThreatExpert Report: Trojan-Spy.Win32.Agent.cbot, BackDoor-FGQ, Backdoor:Win32/Morix.B..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 14 August 2012, 20:11:49
Processing time: 8 min 7 sec
Submitted sample:

File MD5: 0x1D9ADCF6B88FBE615036DBCA8D07F8BF
File SHA-1: 0x3423A736A8F507003BEEB563552128C42F4C9341
Filesize: 341,504 bytes
Alias:

Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab]
BackDoor-FGQ [McAfee]
Backdoor:Win32/Morix.B [Microsoft]
Backdoor.Win32.Morix [Ikarus]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\D8A93922\svchsot.exe [file and pathname of the sample #1]	341,504 bytes	MD5: 0x1D9ADCF6B88FBE615036DBCA8D07F8BF SHA-1: 0x3423A736A8F507003BEEB563552128C42F4C9341	Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab] BackDoor-FGQ [McAfee] Backdoor:Win32/Morix.B [Microsoft] Backdoor.Win32.Morix [Ikarus]
2	%Windir%\Tasks\At1.job	348 bytes	MD5: 0x3CC7C58D1896A651AF561F7DF2332A1D SHA-1: 0x93E02806618BC2FC1D85B47B6D82304D7C0D303B	(not available)
3	%Windir%\Tasks\At10.job	348 bytes	MD5: 0x20893CEB4F531DC4A19A1933AE825CA1 SHA-1: 0x28EB0C79198A75B6C802C17F29584C4584AE7A29	(not available)
4	%Windir%\Tasks\At11.job	348 bytes	MD5: 0xBE78EEA4A92D5F6E338F092F83156E56 SHA-1: 0x83B3322637436A048F1348C4A7BF51EA534DABB7	(not available)
5	%Windir%\Tasks\At12.job	348 bytes	MD5: 0xEE4AC1FDFF16C124B93013B6F91740B5 SHA-1: 0x5B1D366778A8497E3B891EA06A60CCFB812759B3	(not available)
6	%Windir%\Tasks\At13.job	348 bytes	MD5: 0x1F6D9AB4097F192F63BF588A2B91E965 SHA-1: 0x33C9A85A23CBBA1B2C77D752B54476682B896883	(not available)
7	%Windir%\Tasks\At14.job	348 bytes	MD5: 0x7BB9CD54C937B5A7020535F55DBE1EE9 SHA-1: 0xB5D2AE075E609F7803BCF5143B20F87257D622B1	(not available)
8	%Windir%\Tasks\At15.job	348 bytes	MD5: 0xA89DD4352399D0535AFF8E1CEFBD31E5 SHA-1: 0xD62C1175622497720483FBA0C09DDB80A63425E7	(not available)
9	%Windir%\Tasks\At16.job	348 bytes	MD5: 0x0CB94746AF8AC4D5F0BD3221EB7288D9 SHA-1: 0xED95AE64EDF868720933A7C9C58AA9414A37AC9A	(not available)
10	%Windir%\Tasks\At17.job	348 bytes	MD5: 0xE08D9DBD0A8FB64A2040D41FA2B2C178 SHA-1: 0x79B23F66F0768A870DA64CCAA20152C58C872CA3	(not available)
11	%Windir%\Tasks\At18.job	348 bytes	MD5: 0x13F5D4826E1CAC256284EBFCF3F82B91 SHA-1: 0xE9F620A28667888BC4114994229C20A7A7480D86	(not available)
12	%Windir%\Tasks\At19.job	348 bytes	MD5: 0x19393234D04E7674277177EF260ED600 SHA-1: 0xAFD44D07A4A2E9B46C6A58BE89A6B21DCC3B9D6B	(not available)
13	%Windir%\Tasks\At2.job	348 bytes	MD5: 0x2CE9B52C9F89C5B2197C1D8E2056DCA2 SHA-1: 0x7BC8483C327F15653B6273393C8FF3535912F8B6	(not available)
14	%Windir%\Tasks\At20.job	348 bytes	MD5: 0xF4F7B8E4079F423E8C4CAB16B3D976D1 SHA-1: 0xFF516A4AAD0B00D3F6A7A57E846D63E9EC74EABC	(not available)
15	%Windir%\Tasks\At21.job	348 bytes	MD5: 0xD70AB2D1FA69BB59F6A60CD506184478 SHA-1: 0x6C1CA9CF9239C2F7677000BB9CCCF4196B476C70	(not available)
16	%Windir%\Tasks\At22.job	348 bytes	MD5: 0x6854559FB0CE6239EAC6D60EC102F420 SHA-1: 0x636927C87DC7434277757CBF85007D55A12241B5	(not available)
17	%Windir%\Tasks\At23.job	348 bytes	MD5: 0xE089B19CA5C2C0F6151FC2C5FF2DB43E SHA-1: 0x3E2B3A15A1F224DE1AF8BBB4634AE9D3ECF09066	(not available)
18	%Windir%\Tasks\At24.job	348 bytes	MD5: 0x9676C1BA211D73FCE03264AA28A60BD6 SHA-1: 0x2D6FDA1A539D155094C8EAA36B327DB38C5841CD	(not available)
19	%Windir%\Tasks\At3.job	348 bytes	MD5: 0x9EBFB18390D02467424ED982F68D4756 SHA-1: 0x6DC138F2B5FEA9D153FCB8EDF7C312D6DA11BEBB	(not available)
20	%Windir%\Tasks\At4.job	348 bytes	MD5: 0x3F9875AA9D38D33C8603C7C97C7C4A36 SHA-1: 0x668DE476F1FF77D92CDA9C34E1AC237E3956FFE4	(not available)
21	%Windir%\Tasks\At5.job	348 bytes	MD5: 0x49A60F13ED72DF85C7E6DE3465B0C276 SHA-1: 0x8076EA2B0C8D5BA47D9615CEF433C14D63830F96	(not available)
22	%Windir%\Tasks\At6.job	348 bytes	MD5: 0x7E0A24345B3D73AE80030272E4860363 SHA-1: 0x6CA1568F4B7F0563FBE754824661990DB6044178	(not available)
23	%Windir%\Tasks\At7.job	348 bytes	MD5: 0x42DCC7FEAEE1FA6AD8EE3B4FF2DC6E07 SHA-1: 0x1ABA576E80C2D4EA7DE26D1F123F9CDF1050718E	(not available)
24	%Windir%\Tasks\At8.job	348 bytes	MD5: 0x8E6B1F2CF3750EE025FB348542B8C870 SHA-1: 0x534865DE5A874E46625E7F998F489FC131528835	(not available)
25	%Windir%\Tasks\At9.job	348 bytes	MD5: 0x51DEBF983BB2C023B0098196E74E12BB SHA-1: 0xBDD1E70D73A0DCF8710C0D8410862733FADDFFE6	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%Windir%\D8A93922

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	356,352 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

D8A93922 = "%Windir%\D8A93922\svchsot.exe"

so that svchsot.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex object was created:

qwert88000.3322.org:2012127.0.0.1:2012127.0.0.1:2012

The following Host Name was requested from a host database:

qwert88000.3322.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
qwert88000.3322.org	2012

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.