ThreatExpert Report: Trojan.Generic, Trojan Horse, Mal/FakeAV-BX..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 21 December 2009, 03:15:22
Processing time: 12 min 49 sec
Submitted sample:

File MD5: 0x1FA7A8C927FDA3689599E0559A25F6EF
File SHA-1: 0x64979E0238E857CA3CDF1453F60898C249B1FC1E
Filesize: 1,965,056 bytes
Alias:

Trojan.Generic [PCTools]
Trojan Horse [Symantec]
Mal/FakeAV-BX [Sophos]
TrojanDropper:Win32/Microjoin.gen!B [Microsoft]
Trojan-Dropper.Win32.Microjoin [Ikarus]

Summary of the findings:

What's been found	Severity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Capability to steal information such personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, passwords.
Attempts to compromise security settings/rules of security products by emulating mouse clicks on the dialog windows. For example, when a security product pops up a dialog box asking for user permission to block suspicious activity, a threat may click Allow button to enable its malicious payload.
Contains characteristics a trojan that can steals passwords from multiple popular email, ICQ and FTP client applications, such as Mirabilis ICQ, Miranda, Trillian, Microsoft Outlook, CuteFTP, Thunderbird, FileZilla, FlashFXP, The Bat!, etc.
Stealth-mode characteristics common to Rootkits.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-Clicker.VB	Trojan.Clicker.VB contacts various servers to download and display aggressive pop-up advertisements.
Backdoor.UltimateDefender.GVW	Backdoor.UltimateDefender.GVW runs in the background and allows remote access to the infected machine. It also attempts to download and execute other malicious files onto the compromised system.
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.
Trojan-Spy.Zbot.YETH	Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well.

Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\0_11adwara.exe	17,408 bytes	MD5: 0xC052E5CA13EAED4C44290D7CBA7139E9 SHA-1: 0xA66067DE84E01E13EAE0B74A17F5C668E41FE5A0	Packed.Win32.TDSS.aa [Kaspersky Lab] DNSChanger.p [McAfee] Mal/FakeAV-BP [Sophos]
2	%Temp%\12.tmp	64,000 bytes	MD5: 0x666168D6CF03521C133AB2D2096493D9 SHA-1: 0xE4E24EBA074EE79A62616C12B1BC4D2A574C41CF	Trojan.Generic [PCTools] Trojan Horse [Symantec] Trojan.Win32.Tdss.auzn [Kaspersky Lab] Mal/FakeAV-BP [Sophos] Trojan:Win32/Alureon.CT [Microsoft]
3	%Temp%\2_load.exe	13,312 bytes	MD5: 0xCF5A9B9493A15C3092C477F7165FF63B SHA-1: 0x12D8CFEA6A90DB695B21B952D0A1AA280708F148	Mal/FakeAV-BX [Sophos] TrojanDropper:Win32/Agent.UM [Microsoft] Trojan-Dropper.Agent [Ikarus]
4	%Temp%\4_pinnew.exe	44,544 bytes	MD5: 0xF1DF4C555B6B3C16002EF9AA5A0A4F6A SHA-1: 0xAC680326573874A903BA31FD61CE6A861DDC5729	VirTool:Win32/DelfInject.gen!AM [Microsoft] VirTool.Win32.DelfInject [Ikarus]
5	%Temp%\5_odb.exe %Windir%\odb.exe	293,888 bytes	MD5: 0xB83454C710BAD506EEB09A70233CDB92 SHA-1: 0xF0DD8EB2B7DFFADEDF74830647B8D8DCB0028136	TrojanClicker:Win32/Klik [Microsoft] Trojan-Clicker.Win32.Klik [Ikarus]
6	%Temp%\6_ldr3.exe	84,480 bytes	MD5: 0x765AF0E1A589B51FB2428A6B4941F69D SHA-1: 0xA4FBE79B6CB2A89574AABCC12982D6362681CAC9	Mal/FakeAV-BX [Sophos] PWS:Win32/Zbot.J [Microsoft] PWS.Win32 [Ikarus]
7	%Temp%\avto.exe %Windir%\svc.exe	290,816 bytes	MD5: 0xCFBA4EB27C46DF0607900975A595EE34 SHA-1: 0x10520CB213D258D1942F6BD1AAC1DF4505067F8D	Trojan.Generic [PCTools] Trojan Horse [Symantec] Mal/FakeAV-BX [Sophos] TrojanClicker:Win32/Klik [Microsoft] Trojan-Clicker.Win32.Klik [Ikarus]
8	%Temp%\q1.exe	296,960 bytes	MD5: 0xCD7D5A8BB2AF9421F77F70AF4D67668B SHA-1: 0x8AF9E3BBE7C0241BEA5B0984DC4A5D30B1773050	TrojanClicker:Win32/Klik [Microsoft] Trojan-Clicker.Win32.Klik [Ikarus]
9	%Temp%\teste1_p.exe %Windir%\lsass.exe	357,376 bytes	MD5: 0x20AB4143F6A924C46BB6EE87CD703712 SHA-1: 0x1FE216BC22C1647ACB21B7D5302FF9617E278E51	Mal/FakeAV-BX, Mal/EncPk-MC, Mal/Fakecor-B, Mal/Behav-314 [Sophos] TrojanDownloader:Win32/Renos.FJ [Microsoft] Trojan-Downloader.Win32.Renos [Ikarus]
10	[file and pathname of the sample #1]	1,965,056 bytes	MD5: 0x1FA7A8C927FDA3689599E0559A25F6EF SHA-1: 0x64979E0238E857CA3CDF1453F60898C249B1FC1E	Trojan.Generic [PCTools] Trojan Horse [Symantec] Mal/FakeAV-BX [Sophos] TrojanDropper:Win32/Microjoin.gen!B [Microsoft] Trojan-Dropper.Win32.Microjoin [Ikarus]
11	%System%\sdra64.exe	363,520 bytes	MD5: 0xC534E1E5A5ACE64DCB49E3036936B283 SHA-1: 0x6E6913FCF459487EB4C6B55CC3230F92516D8E30	Mal/FakeAV-BX [Sophos] PWS:Win32/Zbot.J [Microsoft]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Attention! The following hidden files were created in the system:

#	Filename(s)	File Size	File Hash
1	%System%\lowsec\local.ds %System%\lowsec\user.ds	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2	%System%\lowsec\user.ds.lll	540 bytes	MD5: 0xBCA81E685776603440D13FED315F07EF SHA-1: 0x4D324DB39E4D9C013B5E1DFA40A5A20013BD1487

Attention! The following hidden directory was created:

%System%\lowsec

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
4_pinnew.exe	%Temp%\4_pinnew.exe	249,856 bytes
0_11adwara.exe	%Temp%\0_11adwara.exe	57,344 bytes
1260540331.exe	%Temp%\1260540331.exe	143,360 bytes
teste1_p.exe	%Temp%\teste1_p.exe	N/A
q1.exe	%Temp%\q1.exe	N/A
5_odb.exe	%Temp%\5_odb.exe	N/A
svc.exe	%Windir%\svc.exe	N/A
lsass.exe	%Windir%\lsass.exe	N/A
odb.exe	%Windir%\odb.exe	N/A
avto.exe	%Temp%\avto.exe	N/A
6_ldr3.exe	%Temp%\6_ldr3.exe	N/A
[filename of the sample #1]	[file and pathname of the sample #1]	N/A

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	90,112 bytes
lsass.exe	%System%\lsass.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
svchost.exe	%System%\svchost.exe	90,112 bytes
alg.exe	%System%\alg.exe	90,112 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

netc = "%Windir%\svc.exe"
lsass = "%Windir%\lsass.exe"
odby = "%Windir%\odb.exe"

so that svc.exe runs every time Windows starts

so that lsass.exe runs every time Windows starts

so that odb.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]

UID = "%ComputerName%_0001B2C0"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]

{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]

{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

NotifyDownloadComplete = "yes"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

AppData =
Cookies =
History =

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

E5F9D08201CA822E000000742
CritOpMutex
_AVIRA_21099
E6297F8A01CA822E000000A02
E6297F8A01CA822E000000A42
E5EB826601CA822E000007E42

The following ports were open in the system:

Port	Protocol	Process
1056	UDP	odb.exe (%Windir%\odb.exe)
1058	UDP	lsass.exe (%Windir%\lsass.exe)
1062	UDP	5_odb.exe (%Temp%\5_odb.exe)

The following Host Name was requested from a host database:

moretds.in

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
moretds.in	1037

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
d45648675.cn	443	(null)	(null)
autouploaders.net	80	(null)	(null)
saloongins.cn	80	(null)	(null)
settopworld.cn	80	(null)	(null)
greatinstant.cn	80	(null)	(null)
trenublo.cn	80	(null)	(null)
bestwebtop.net	80	(null)	(null)
greattaby.com	80	(null)	(null)
cafebarplaza.cn	80	(null)	(null)
discoverany.cn	80	(null)	(null)

The following GET requests were made:

11223/cfg3.bin
nop/tds2.php
incallspa.php
mass/tds2.php
yourseekerz.php
estplanete.php
estvirtuel.php
addlinkworld.php
mostextra.php
greattab.php

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

There was an outbound traffic produced on port 1043:

There was an outbound traffic produced on port 1037:

There was an outbound traffic produced on port 1040:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.