ThreatExpert Report: Trojan.Gen, Trojan.Win32.Monder.nwpc, Trojan.Win32.Agent.tuah..

Submission Summary:

Submission details:

Submission received: 17 September 2012, 21:48:27
Processing time: 11 min 35 sec
Submitted sample:

File MD5: 0x2C89AE0ECEE4942362B964CFB4D46E09
File SHA-1: 0x6760F0FC9BDD9FA37D77A0BCAE9D8C19608A9530
Filesize: 1,524,578 bytes

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\SUS\AKV.exe	772,608 bytes	MD5: 0xBAEC3A04CF5ADCFF017D3465FA45EE4A SHA-1: 0x63E4BF0E3168690E9118565AA1BEEF1849DBAF36	(not available)
2	%CommonAppData%\SUS\SUS.01	80,384 bytes	MD5: 0x8942289FE2D65D66FB8BBBD8F5F1BD5B SHA-1: 0x4ED44EF8AE253D99353C3D22ABF8DA9A2E708580	Trojan.Gen [Symantec] Trojan.Win32.Monder.nwpc [Kaspersky Lab]
3	%CommonAppData%\SUS\SUS.02	56,320 bytes	MD5: 0xDAD4D733FBC7BB35C39BE08F922A95BD SHA-1: 0x532C3F2A5E11FDA4586DEE08D05FD28C7DF502BB	Trojan.Win32.Agent.tuah [Kaspersky Lab] Trojan.Win32.Agent [Ikarus]
4	%CommonAppData%\SUS\SUS.exe	2,189,824 bytes	MD5: 0x8B219B16188A4D83AFAD19B2AD473A89 SHA-1: 0x495A427D02FD844A8EB08767E23E68C7E9A26BB1	(not available)
5	%CommonAppData%\SUS\Uninstall.exe	53,036 bytes	MD5: 0x79354FC5E77FC7B3EC10089C99C897D6 SHA-1: 0x37C89B075435A87CACF1CADE0DACB8FE7510B930	(not available)
6	%CommonPrograms%\Ardamax Keylogger 4.0\Ardamax Keylogger 4.0.lnk	838 bytes	MD5: 0x32700E0BA43C10BB7A66E43CA6B35BEA SHA-1: 0xF24DCC3CFC4423F61B92267633A6CF1B075C9FB9	(not available)
7	%CommonPrograms%\Ardamax Keylogger 4.0\Log Viewer.lnk	968 bytes	MD5: 0x36E21366A9D250DDB44E2C85E9349EDB SHA-1: 0x62385691AE9274BE395243436A3C2A299A213AA3	(not available)
8	[file and pathname of the sample #1]	1,524,578 bytes	MD5: 0x2C89AE0ECEE4942362B964CFB4D46E09 SHA-1: 0x6760F0FC9BDD9FA37D77A0BCAE9D8C19608A9530	(not available)

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).

The following directories were created:

%CommonAppData%\SUS
%CommonPrograms%\Ardamax Keylogger 4.0

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
sus.exe	%CommonAppData%\sus\sus.exe	2,408,448 bytes
lzma.exe	%CommonAppData%\SUS\lzma.exe	73,728 bytes
ns9.tmp	%Temp%\nsl2.tmp\ns9.tmp	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	249,856 bytes
ns3.tmp	%Temp%\nsl2.tmp\ns3.tmp	20,480 bytes
nsC.tmp	%Temp%\nsl2.tmp\nsC.tmp	20,480 bytes
ns6.tmp	%Temp%\nsl2.tmp\ns6.tmp	20,480 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger 4.0

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

sus Start = "%CommonAppData%\sus\sus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger 4.0]

DisplayName = "Ardamax Keylogger 4.0"
UninstallString = "%CommonAppData%\sus\Uninstall.exe"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex object was created:

Local\{D45184B2-D44D-4D99-931B-B84626BC5EF2}

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%CommonAppData%\sus\sus.exe
%CommonAppData%\sus\sus.01
%CommonAppData%\sus\akv.exe

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.