Submission Summary:

• Submission details:
• Submission received: 13 September 2012, 13:17:42
• Processing time: 7 min 59 sec
• Submitted sample:
• File MD5: 0x203A71E8B2E6D39D9AD643AA1252A112
• File SHA-1: 0x801026256928E0A9164480D9A33B1EFE8392CFC2
• Filesize: 29,217 bytes
• Alias & packer info:
• Backdoor.Nitol [Symantec]
• PWS-Lineage!cb [McAfee]
• Troj/Dloadr-DNE [Sophos]
• Trojan.Win32.Rozena [Ikarus]
• packed with: UPX [Kaspersky Lab]

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %Windir%\vipxie.exe	29,217 bytes	MD5: 0x203A71E8B2E6D39D9AD643AA1252A112 SHA-1: 0x801026256928E0A9164480D9A33B1EFE8392CFC2	Backdoor.Nitol [Symantec] PWS-Lineage!cb [McAfee] Troj/Dloadr-DNE [Sophos] Trojan.Win32.Rozena [Ikarus] packed with UPX [Kaspersky Lab]

• Note:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

• There were new processes created in the system:

• There was a new service created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSLSERVERYII
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSLSERVERYII\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSLSERVERYII\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSLserveryii
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSLserveryii\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSLserveryii\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSLSERVERYII
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSLSERVERYII\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSLSERVERYII\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSLserveryii
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSLserveryii\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSLserveryii\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSLSERVERYII\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "DSLserveryii"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSLSERVERYII\0000]
• Service = "DSLserveryii"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "DCOM Serveribt Process Launcher."
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSLSERVERYII]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSLserveryii\Enum]
• 0 = "Root\LEGACY_DSLSERVERYII\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSLserveryii\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSLserveryii]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%Windir%\vipxie.exe"
• DisplayName = "DCOM Serveribt Process Launcher."
• ObjectName = "LocalSystem"
• Description = "DCOM Serverwry Process Launcher.."
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSLSERVERYII\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "DSLserveryii"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSLSERVERYII\0000]
• Service = "DSLserveryii"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "DCOM Serveribt Process Launcher."
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSLSERVERYII]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSLserveryii\Enum]
• 0 = "Root\LEGACY_DSLSERVERYII\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSLserveryii\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DSLserveryii]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%Windir%\vipxie.exe"
• DisplayName = "DCOM Serveribt Process Launcher."
• ObjectName = "LocalSystem"
• Description = "DCOM Serverwry Process Launcher.."

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• To mark the presence in the system, the following Mutex object was created:
• DSLserveryii

• The following port was open in the system:

• The following Host Names were requested from a host database:
• 192.5.5.241
• huyiai.3322.org

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 6000: