Submission Summary:

• Submission details:
• Submission received: 6 January 2009, 03:34:43
• Processing time: 6 min 0 sec
• Submitted sample:
• File MD5: 0x23CBA6463EBF329FCF95A79DA60BADBE
• File SHA-1: 0x9C9AEDECC23B8437F7C3257C52993CA3A5EC8322
• Filesize: 166,522 bytes
• Alias:
• Trojan-PSW.Delf!sd5 [PCTools]
• W32.Pasobir [Symantec]
• Trojan-PSW.Win32.Delf.ln [Kaspersky Lab]
• Generic.en [McAfee]
• Mal/EncPk-BW, Mal/Behav-103, Mal/Behav-043, Mal/Emogen-E, Mal/Behav-053 [Sophos]
• Worm:Win32/Emerleox.gen!A [Microsoft]
• Worm.Win32.Delf [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-PSW.Delf!sd5	Trojan-PSW.Delf!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.
Trojan.Dumaru	Trojan.Dumaru opens a backdoor on the infected machine. It can log keystrokes and capture text from browser windows while visiting certain Internet banking sites. It will also steal local information including cached passwords, clipboard data and confidential information residing in the registry.
Trojan-PWS.QQRob	Trojan.PSW.QQRob is a trojan that will steal usernames and passwords and then send to an attacker via email.
Trojan.QQPass.LN	Trojan.QQPass.LN steals passwords, usernames and other sensitive data and sends them via instant messenger or through email to pre-defined servers. It also kills critical Security Software.

• Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\SVOHOST.exe	166,522 bytes	MD5: 0x23CBA6463EBF329FCF95A79DA60BADBE SHA-1: 0x9C9AEDECC23B8437F7C3257C52993CA3A5EC8322	Trojan-PSW.Delf!sd5 [PCTools] W32.Pasobir [Symantec] Trojan-PSW.Win32.Delf.ln [Kaspersky Lab] Generic.en [McAfee] Mal/EncPk-BW, Mal/Behav-103, Mal/Behav-043, Mal/Emogen-E, Mal/Behav-053 [Sophos] Worm:Win32/Emerleox.gen!A [Microsoft] Worm.Win32.Delf [Ikarus]
2	%System%\winscok.dll	33,280 bytes	MD5: 0x00F9A2B3CC690BC44412EB492F84346C SHA-1: 0x627E83F34799C9C591559DB7EA1A33FAE47332D8	Trojan-PWS.QQRob [PCTools] W32.Pasobir [Symantec] Trojan-PSW.Win32.Delf.ln [Kaspersky Lab] PWS-QQRob.dll [McAfee] Mal_Infostl [Trend Micro] Mal/Behav-053, Mal/LineDLL-B [Sophos] Worm:Win32/Emerleox.gen!A [Microsoft] Trojan-PWS.Win32.QQPass [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
SVOHOST.exe	%System%\svohost.exe	166,400 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	166,400 bytes

• The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
winscok.dll	%System%\winscok.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1880000 - 0x188E000
winscok.dll	%System%\winscok.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2530000 - 0x253E000
winscok.dll	%System%\winscok.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x3D0000 - 0x3DE000
winscok.dll	%System%\winscok.dll	Process name: SVOHOST.exe Process filename: %System%\svohost.exe Address space: 0x8C0000 - 0x8CE000

• Notes:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
• hx-1 = "1"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• SoundMam = "%System%\SVOHOST.exe"

so that SVOHOST.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
• PopupMgr = "no"

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• The following Internet Connection was established:

• The following GET requests were made:
• index.html
• index.jpg

• The following Internet downloads were started (the retrieved bits are saved into the local file):

• There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
• %System%\winscok.dll