ThreatExpert Report: W32.Virut.CF, Virus.Win32.Virut.ce, W32/Virut.n.gen, PE

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 31 August 2012, 04:56:54
Processing time: 8 min 14 sec
Submitted sample:

File MD5: 0x2ACBAF4DE450781901DF0BCAD72897A7
File SHA-1: 0x75E599E01B5E42D9CFD4C1DE2C23236F5A392D4C
Filesize: 206,829 bytes
Alias:

W32.Virut.CF [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Virut.n.gen [McAfee]
PE_VIRUX.R-4 [Trend Micro]
W32/Scribble-B [Sophos]
Backdoor:Win32/PcClient.ZR [Microsoft]
Virus.Win32.Dialer.1313 [Ikarus]

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\102921_lang.dll %Temp%\200281_lang.dll	125,570 bytes	MD5: 0x6EBA74690576036AE2069DE879F35191 SHA-1: 0x48E769110818E0DB706E62285BBAB32D1A701C4E	Backdoor.Trojan [Symantec] Trojan-GameThief.Win32.Magania.dpvu [Kaspersky Lab] BackDoor-DVB.gen.p [McAfee] Mal/Zegost-A [Sophos] Backdoor:Win32/Zegost.AD [Microsoft] Backdoor.Win32.Inject [Ikarus] Win-Trojan/Onlinegamehack.125570 [AhnLab]
2	%System%\incrjzdkv.exe	206,829 bytes	MD5: 0x3FD5A20C3BF2219CA60DDFB539C0FA72 SHA-1: 0xFC5FA03EB9D3593325F9BEDFF4114EAEF2D37452	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] PE_VIRUX.R-4 [Trend Micro] W32/Scribble-B [Sophos] Backdoor:Win32/PcClient.ZR [Microsoft] Virus.Win32.Dialer.1313 [Ikarus]
3	%System%\incrjzdkv.exe_lang.ini	47 bytes	MD5: 0x2342BBDABEBF98774EC33172E0CE1D82 SHA-1: 0x903CFA1B6BD44314995CBC3DCC42168E98387F4D	(not available)
4	[file and pathname of the sample #1]	206,829 bytes	MD5: 0x2ACBAF4DE450781901DF0BCAD72897A7 SHA-1: 0x75E599E01B5E42D9CFD4C1DE2C23236F5A392D4C	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] PE_VIRUX.R-4 [Trend Micro] W32/Scribble-B [Sophos] Backdoor:Win32/PcClient.ZR [Microsoft] Virus.Win32.Dialer.1313 [Ikarus]
5	%System%\syslog.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

[pathname with a string SHARE]\msinfo32.exe
[pathname with a string SHARE]\sapisvr.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\NetMeeting\cb32.exe
%ProgramFiles%\NetMeeting\conf.exe
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Outlook Express\oemig50.exe
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Web Publish\WPWIZ.EXE
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Windows Media Player\mplayer2.exe
%ProgramFiles%\Windows Media Player\setup_wm.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
%Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
%Windir%\hh.exe
%Windir%\inf\unregmp2.exe
%Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
%Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
%Windir%\msagent\agentsvr.exe
%Windir%\mui\muisetup.exe
%Windir%\NOTEPAD.EXE
%Windir%\pchealth\helpctr\binaries\HelpCtr.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.exe
%Windir%\pchealth\helpctr\binaries\HelpSvc.exe
%Windir%\pchealth\helpctr\binaries\HscUpd.exe
%Windir%\pchealth\helpctr\binaries\msconfig.exe
%Windir%\pchealth\helpctr\binaries\notiflag.exe
%Windir%\pchealth\UploadLB\Binaries\UploadM.exe
%Windir%\regedit.exe
%System%\accwiz.exe
%System%\actmovie.exe
%System%\ahui.exe
%System%\arp.exe
%System%\asr_fmt.exe
%System%\asr_ldm.exe
%System%\asr_pfu.exe
%System%\at.exe
%System%\atmadm.exe
%System%\attrib.exe
%System%\auditusr.exe
%System%\blastcln.exe
%System%\bootcfg.exe
%System%\bootok.exe
%System%\bootvrfy.exe
%System%\cacls.exe
%System%\calc.exe
%System%\charmap.exe
%System%\chkdsk.exe
%System%\chkntfs.exe
%System%\cidaemon.exe
%System%\cipher.exe
%System%\cisvc.exe
%System%\ckcnv.exe
%System%\cleanmgr.exe
%System%\clean_all.exe
%System%\cliconfg.exe
%System%\clipbrd.exe
%System%\clipsrv.exe
%System%\cmd.exe
%System%\cmdl32.exe
%System%\cmmon32.exe
%System%\cmstp.exe
%System%\Com\comrepl.exe
%System%\Com\comrereg.exe
%System%\comp.exe
%System%\compact.exe
%System%\conime.exe
%System%\control.exe
%System%\convert.exe
%System%\cscript.exe
%System%\ctfmon.exe
%System%\dcomcnfg.exe

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

c:\System Volume Information\.
c:\System Volume Information\..

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	221,184 bytes
incrjzdkv.exe	%System%\incrjzdkv.exe	221,184 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6DEAD507-4410-4569-87E1-3DE929C6E296}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCRatStact
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCRatStact

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6DEAD507-4410-4569-87E1-3DE929C6E296}]

stubpath = "%System%\incrjzdkv.exe"

so that incrjzdkv.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCRatStact]

Type = 0x00000120

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCRatStact]

Type = 0x00000120

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

/Q9JkQiV58Fx1h17A79AWidesMkqecHfw2Ljdv+GYqw=
{6DEAD507-4410-4569-87E1-3DE929C6E296}
AMResourceMutex2
VideoRenderer

The following Host Names were requested from a host database:

192.168.1.136
ilo.brenz.pl
lbdxxd.com
cxpumb.com
pevxmk.com
ocwozs.com
dvyeiq.com
vfolcg.com
dafdoy.com
qapemg.com
noyirm.com
svteyw.com
kdbmwg.com
ant.trenz.pl
gsutjd.com
qgfefy.com
aayyis.com
nyxtil.com
rngjqi.com
mbuhjc.com
yihrow.com
ghzsue.com
iuizmw.com
ypylvs.com
vzlejo.com
jpxuvs.com
tqzoyv.com
begxip.com
cinbms.com
oeagif.com
ayssqa.com
yhxslv.com
reyixs.com
vxdlpu.com
efezfg.com
yfbiut.com
usmagi.com
yupjio.com
xgdigf.com
ekpaiy.com
iyaele.com
zailai.com
qauizq.com
teloko.com
kyhtjb.com
pxuids.com
apfxby.com
zgfpom.com
emqyhf.com
snwuyi.com
kuiynt.com
qzbqau.com
ioqydu.com
iunoev.com
zviiee.com
mtoojn.com
cuolbv.com
nwhzit.com
dsydyi.com
kfsztn.com
odzomi.com
fscpki.com
fcouyo.com
rbejum.com
eoolif.com
tveavn.com
vjmwih.com
uzybmw.com
bpugnb.com
ityiiw.com
zpnrvi.com
kenysl.com
rkaddi.com
fouphy.com
qreast.com
ckzlio.com
uyryts.com
seayie.com
ttemdb.com
hiujat.com
ujyrxe.com
hressz.com
swuleg.com
oejwbw.com
anyklx.com
enwruo.com
wepfzu.com
oimkoe.com
eaooua.com
wdgzai.com
oiiosv.com
lrqmuy.com
tqezia.com
rhmhok.com
iotuco.com
riczab.com
uavmeq.com
zbevmi.com
zikiyd.com
uemfmd.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
lbdxxd.com	443

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%Temp%\102921_lang.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.