ThreatExpert Report: Trojan.Gen, Trojan.SuspectCRC, Generic PUP.z!gc, HackTool.Win32.Agent..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 28 July 2012, 03:32:55
Processing time: 11 min 0 sec
Submitted sample:

File MD5: 0x25C29AD2C98A4A9C6058DB18876CA95D
File SHA-1: 0xDD6855FC8BEB40844A2245FD06B62708EEF99E40
Filesize: 2,488,832 bytes
Alias:

Trojan.Gen [Symantec]
Trojan.SuspectCRC [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\IXP000.TMP\BL4CKC~1.EXE	729,088 bytes	MD5: 0xC941B3711E7A358B28510FEFA557FA41 SHA-1: 0xB568E46488F557CA128E5ECBF7B085A1D9B1882B	Generic PUP.z!gc [McAfee] HackTool.Win32.Agent [Ikarus]
2	%Temp%\IXP000.TMP\BSICON.DLL	29,696 bytes	MD5: 0x40F47AB7B896572BEB3041CC676001BD SHA-1: 0x1F61ADDA9E555C7BAD89568C44F015E00BE834DC	Trojan.Gen [Symantec] Trojan.SuspectCRC [Ikarus]
3	%Temp%\IXP000.TMP\COMCT232.OCX	164,144 bytes	MD5: 0x1B63AF252CFEFF520871F0AE37C80C5E SHA-1: 0xD52D32B1E1C0136803846049F5919484A64D0A85	(not available)
4	%Temp%\IXP000.TMP\COMCT332.OCX	369,696 bytes	MD5: 0x92E901440774CFE50FAFAABA3436447C SHA-1: 0x61D5718AAA5457F90ABE960D43DA1D155B0433AF	(not available)
5	%Temp%\IXP000.TMP\comctl32.dll	617,472 bytes	MD5: 0xB0124CB21D28B1C9F678B566B6B57D92 SHA-1: 0x262353D512012F32682A338D4C618AF2A1177044	(not available)
6	%Temp%\IXP000.TMP\COMCTL32.OCX	609,584 bytes	MD5: 0x821511549E2AAF29889C7B812674D59B SHA-1: 0x3B2FD80F634A3D62277E0508BEDCA9AAE0C5A0D6	(not available)
7	%Temp%\IXP000.TMP\comdlg32.ocx	140,288 bytes	MD5: 0xD76F0EAB36F83A31D411AEAF70DA7396 SHA-1: 0x9BC145B54500FB6FBEA9BE61FBDD90F65FD1BC14	(not available)
8	%Temp%\IXP000.TMP\MSCOMCTL.OCX	1,066,176 bytes	MD5: 0x714CF24FC19A20AE0DC701B48DED2CF6 SHA-1: 0xD904D2FA7639C38FFB6E69F1EF779CA1001B8C18	(not available)
9	%Temp%\IXP000.TMP\MSFLXGRD.OCX	244,024 bytes	MD5: 0x898F06BBE5317236571360E544D1A0E0 SHA-1: 0xA05B720D0071EC2885AE9F27564F271808F404E4	(not available)
10	%Temp%\IXP000.TMP\MSINET.OCX	132,880 bytes	MD5: 0x90A39346E9B67F132EF133725C487FF6 SHA-1: 0x9CD22933F628465C863BED7895D99395ACAA5D2A	(not available)
11	%Temp%\IXP000.TMP\MSVBVM60.dll	1,386,496 bytes	MD5: 0xF28EB5CBC3CA6D8C787F09F047D1F9C8 SHA-1: 0x70DB1FAC822974BC9B636A984BCC1DA2E67F8DE5	(not available)
12	%Temp%\IXP000.TMP\msvcp60.dll	413,696 bytes	MD5: 0x1F57EB5B92B2AC7F9D71A77D184D8C13 SHA-1: 0xC067F10BA008EC0D6097BB447B7121E7C17F87C1	(not available)
13	%Temp%\IXP000.TMP\MSWINSCK.OCX	108,336 bytes	MD5: 0x9484C04258830AA3C2F2A70EB041414C SHA-1: 0xB242A4FB0E9DCF14CB51DC36027BAFF9A79CB823	(not available)
14	%Temp%\IXP000.TMP\mswsock.dll	245,248 bytes	MD5: 0x4E74AF063C3271FBEA20DD940CFD1184 SHA-1: 0xF4D8D9B3492E0FB5EBEEB30F1FAB75340BB09EDB	(not available)
15	%Temp%\IXP000.TMP\RICHTX32.OCX	203,576 bytes	MD5: 0x722435BA4D18F1704B43E823A12E489A SHA-1: 0x48F3C6E2E14E397055B667E2C8BAA85177EB6D44	(not available)
16	%System%\Bifrost\server.exe	333,213 bytes	MD5: 0x9C2E8002EDB08893EA11CDD5E2FE6B2E SHA-1: 0x85B1C75082DC1505181BC54708AEA704A027CA2C	Backdoor.Trojan [Symantec] Trojan:Win32/Dynamer [Microsoft] Virus.Win32.VBInject [Ikarus]
17	[file and pathname of the sample #1]	2,488,832 bytes	MD5: 0x25C29AD2C98A4A9C6058DB18876CA95D SHA-1: 0xDD6855FC8BEB40844A2245FD06B62708EEF99E40	Trojan.Gen [Symantec] Trojan.SuspectCRC [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%Temp%\IXP000.TMP
%System%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	2,502,656 bytes
server.exe	%System%\Bifrost\server.exe	36,864 bytes
server1.exe	%Temp%\IXP000.TMP\server1.exe	1,142,784 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
server.exe	%System%\bifrost\server.exe	2,060,288 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%System%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP000.TMP\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 00

Other details

To mark the presence in the system, the following Mutex objects were created:

Bif1234
_!SHMSFTHISTORY!_

The following Host Name was requested from a host database:

oesydaeady.no-ip.biz

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
oesydaeady.no-ip.biz	81
oesydaeady.no-ip.biz	1033
oesydaeady.no-ip.biz	1056

The following GET request was made:

index.html

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | 2E01 0000 994F B271 E274 8C02 5AF2 B130 | .....O.q.t..Z..0
00000010 | 9FF5 3A12 6612 976F 202A 2FA6 F3E0 2F22 | ..:.f..o */.../"
00000020 | 3572 93A1 EA72 7DBD F3E8 B8B6 3CAC 00AA | 5r...r}.....<...
00000030 | 48AC 2B97 E974 4820 8DC5 4001 D627 056A | H.+..tH ..@..'.j
00000040 | 5146 6206 D0D7 D6F7 0B5C 1737 8825 51C7 | QFb......\.7.%Q.
00000050 | 93EF 5999 0F7C 4C07 ADF8 03B3 4D98 4CE5 | ..Y..|L.....M.L.
00000060 | A4BA A882 242A D871 4ED5 34B0 8FAD 70A2 | ....$*.qN.4...p.
00000070 | 6776 6D8E BFBE 9028 418B 370F D2C7 1A25 | gvm....(A.7....%
00000080 | 64FE 0BFB 74FD 61FD 2685 2A5B 955C 0FAB | d...t.a.&.*[.\..
00000090 | 3CEA 8410 65F3 30F9 007C 9DCC 5CF0 A2FC | <...e.0..|..\...
000000A0 | 526A 34C6 A0DB 2FDD 828D 6884 8004 C3B7 | Rj4.../...h.....
000000B0 | E39C E93A 871D 8D4C 9C97 3EBF 15A0 04FD | ...:...L..>.....
000000C0 | 5016 FC25 1C58 4EE3 9193 4BF3 B3DD A88A | P..%.XN...K.....
000000D0 | 51A6 B8DE 0220 30E8 F208 13B2 3819 3C32 | Q.... 0.....8.<2
000000E0 | 1D7B E81C 0325 D71E AC90 79C9 ACAA 8AAF | .{...%....y.....
000000F0 | 098C 05F4 2FBE 958F 6C7E 802C 2F9F F91B | ..../...l~.,/...
00000100 | EA2A 166A B929 FC36 9C73 DB46 0A7B 8EFB | .*.j.).6.s.F.{..
00000110 | B993 0A49 38DF 4270 56A9 D4C0 8506 DB9A | ...I8.BpV.......
00000120 | 12B1 DAFD C507 8849 4F0F 24E3 E273 EA05 | .......IO.$..s..
00000130 | E203                                    | ..

There was an outbound traffic produced on port 1033:

There was an outbound traffic produced on port 1056:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.