ThreatExpert Report: Trojan-Spy.Win32.Agent.cbot, BackDoor-FGQ, Troj/Agent-WIB..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 10 September 2012, 15:33:55
Processing time: 9 min 19 sec
Submitted sample:

File MD5: 0x297D5EE5CF9C4EFAD42E89AD1AF8FA8E
File SHA-1: 0xEE63BA4FA5A5D65E38264CAB2FEC1F46113D552C
Filesize: 87,384 bytes
Alias:

Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab]
BackDoor-FGQ [McAfee]
Troj/Agent-WIB [Sophos]
Backdoor:Win32/Morix.B [Microsoft]
Backdoor.Win32.Morix [Ikarus]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\6E044745\svchsot.exe [file and pathname of the sample #1]	87,384 bytes	MD5: 0x297D5EE5CF9C4EFAD42E89AD1AF8FA8E SHA-1: 0xEE63BA4FA5A5D65E38264CAB2FEC1F46113D552C	Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab] BackDoor-FGQ [McAfee] Troj/Agent-WIB [Sophos] Backdoor:Win32/Morix.B [Microsoft] Backdoor.Win32.Morix [Ikarus]
2	%Windir%\Tasks\At1.job	348 bytes	MD5: 0xFFAF7D7790602694E92BCBA2D0CB380B SHA-1: 0x13E383CD8ACE01C95327A1D9A38516E49D845CA1	(not available)
3	%Windir%\Tasks\At10.job	348 bytes	MD5: 0xBE0571D19663B4DF2470B46B05169FD2 SHA-1: 0xCFFB4E2E46611F06B6BC75C5D65669DB10F748BB	(not available)
4	%Windir%\Tasks\At11.job	348 bytes	MD5: 0x247C8BA43A1A1527D3C0BE51277CDEA9 SHA-1: 0x7F3B4975677A8A9C3E177C993733B453393DEC5A	(not available)
5	%Windir%\Tasks\At12.job	348 bytes	MD5: 0x6BAAB19FBF41F2BF014314BDB62DCF8B SHA-1: 0xDF19500EFEF607D5E6A640085AE5F48691C4FD25	(not available)
6	%Windir%\Tasks\At13.job	348 bytes	MD5: 0x343ADE22EBAFEE78B8147C0B87BC153F SHA-1: 0x0E2FD06F0FC1DCD324B7EADDB2244F38C365AE73	(not available)
7	%Windir%\Tasks\At14.job	348 bytes	MD5: 0xF402BD999B2E0347A8BB3DB4BA157417 SHA-1: 0xB87D9A5C23132D6F1A3950830E40CF63D910F9C0	(not available)
8	%Windir%\Tasks\At15.job	348 bytes	MD5: 0xFCA2EFCFD37F197FEEF7B75F5A4A4E5F SHA-1: 0xB3EC174F1DEC9BD662F845322700C775DA316CF9	(not available)
9	%Windir%\Tasks\At16.job	348 bytes	MD5: 0x3A270842ECD8397FF13252C221AA1C3C SHA-1: 0xCB413A45008120F1E2446FB8B15D3CB437A755E0	(not available)
10	%Windir%\Tasks\At17.job	348 bytes	MD5: 0xBFDFD531871A75063C4411A63B3EE161 SHA-1: 0x4EAE2309C97D80E6A066B0412A28DFB5A28B22F4	(not available)
11	%Windir%\Tasks\At18.job	348 bytes	MD5: 0x471F219CDC0AE70915F4C4FD0719EFA3 SHA-1: 0xF1AF5DED933EB71800630A0AD44753D3E75B84CE	(not available)
12	%Windir%\Tasks\At19.job	348 bytes	MD5: 0x8E7EB3055F98657C988F8A121453C6E0 SHA-1: 0xB2489AC4560E9FAD53F1E88FA33C95586A460D07	(not available)
13	%Windir%\Tasks\At2.job	348 bytes	MD5: 0xF4D9A3E86C348DD93C41CE05941000AE SHA-1: 0x8C5C8CF4C8AB52F10950BF4381A8286AB0CCB07E	(not available)
14	%Windir%\Tasks\At20.job	348 bytes	MD5: 0x466C97726DEAEBF9C3DE2047B9F5E00A SHA-1: 0xBEA0E46871BB4DE75EAF154AD40195F675C55541	(not available)
15	%Windir%\Tasks\At21.job	348 bytes	MD5: 0xF349379DD03593B69224B7154B76DCBA SHA-1: 0x06EE7E90E295A974E53FE1BFB9ABC0CA9091A88F	(not available)
16	%Windir%\Tasks\At22.job	348 bytes	MD5: 0xEB6490FE3E7D1C21C2E91DE8F4AAE6A1 SHA-1: 0xBC2AB8E785278FBB0B65F9F111BC4F5B48B09881	(not available)
17	%Windir%\Tasks\At23.job	348 bytes	MD5: 0x5C1F248F92EFBDAC33BED69494EEEB1D SHA-1: 0x92038EA1743DF7CED34A68B05059F05791C0E2BF	(not available)
18	%Windir%\Tasks\At24.job	348 bytes	MD5: 0x5F519BED2460D985E94875B271783BAF SHA-1: 0xC238951A31D7967E0F7D2C4D1422EEB251B340EB	(not available)
19	%Windir%\Tasks\At3.job	348 bytes	MD5: 0x739C79F0FE8C5A7559DE3D2F96A4904B SHA-1: 0x74848E480A0E1CD73E84B38027BA822ECCA704AC	(not available)
20	%Windir%\Tasks\At4.job	348 bytes	MD5: 0xA56EC23DB0CD4828F62D4FC4F1CB0AF9 SHA-1: 0x4A7CF9D9089796B72B1FD40E27C23BD2A1701E49	(not available)
21	%Windir%\Tasks\At5.job	348 bytes	MD5: 0x9F74D4E3F19252CBC6D0BFDC7477F497 SHA-1: 0xBAD0985831BAA0BF4614F7BF949D0B8859E16656	(not available)
22	%Windir%\Tasks\At6.job	348 bytes	MD5: 0x82BCCC31724F03D61D32EAABE517DEC1 SHA-1: 0x541459F7855DFA33CB7C8A9746304CE3596F32E6	(not available)
23	%Windir%\Tasks\At7.job	348 bytes	MD5: 0x1ADDC0B186207FE8B9984B0BBBA7A9E3 SHA-1: 0xA3DAF12202BDF45EA9D35AA1D14CAA49CA234EA5	(not available)
24	%Windir%\Tasks\At8.job	348 bytes	MD5: 0x735882F6D711AB77C00FF66385A3FA7C SHA-1: 0x5618CE335FBB49E60A105F7E56671F367A99129A	(not available)
25	%Windir%\Tasks\At9.job	348 bytes	MD5: 0x0A18E17C02DFF1CF6017C5E0741C372F SHA-1: 0x10BEB8D52BB8242003A60D276E00772FA23293D8	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%Windir%\6E044745

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	98,304 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

6E044745 = "%Windir%\6E044745\svchsot.exe"

so that svchsot.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex object was created:

caoxiaolong.3322.org:8000127.0.0.1:2012127.0.0.1:2012

The following Host Name was requested from a host database:

caoxiaolong.3322.org

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
caoxiaolong.3322.org	8000
caoxiaolong.3322.org	2012

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.