ThreatExpert Report: Spyware.Perfect, not-a-virus:Monitor.Win32.Perflogger.cb, RapSFX packed app..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 11 June 2011, 07:07:38
Processing time: 12 min 0 sec
Submitted sample:

File MD5: 0x2DEA84671BA235943AA4E33B4F4C161F
File SHA-1: 0x672B8E3CA8F7CCC1372075CC1D9E65FB64DBE534
Filesize: 430,566 bytes
Alias & packer info:

Spyware.Perfect [Symantec]
not-a-virus:Monitor.Win32.Perflogger.cb [Kaspersky Lab]
RapSFX packed app [McAfee]
TROJ_STARTPG.C [Trend Micro]
Mal/Dropper-PQ [Sophos]
MonitoringTool:Win32/PerfectKeylogger [Microsoft]
not-a-virus:Monitor.Win32.Perflogger [Ikarus]
packed with: RapSFX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Communication with a remote IRC server.
Produces outbound traffic.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\bpk.dat	2,122 bytes	MD5: 0x17A98D068DE9F659C17317AAB676B855 SHA-1: 0xA2EB862FCEC8BD8082A082F0771A393CF0568387	(not available)
2	%System%\bpk.exe	405,504 bytes	MD5: 0xE3035B490AEC5FCC4BD84A6AC4A63EC0 SHA-1: 0x0C951E166D39D2CA6477E82E7C221F42E9E2D238	Spyware.Perfect [Symantec] not-a-virus:Monitor.Win32.Perflogger.ad [Kaspersky Lab] Keylog-Perfect.gen [McAfee] MonitoringTool:Win32/PerfectKeylogger [Microsoft] not-a-virus:Monitor.Win32.Perflogger [Ikarus] Win-Trojan/Keylogger.405504 [AhnLab]
3	%System%\bpkhk.dll	24,576 bytes	MD5: 0xD724D18BEFA4BB6AE993892653EC795C SHA-1: 0xD3070CE39963836CEA5355587FA5FA4DDABB1C09	Spyware.Perfect [Symantec] not-a-virus:Monitor.Win32.Perflogger.ca [Kaspersky Lab] Keylog-Perfect.dll [McAfee] MonitoringTool:Win32/PerfectKeylogger [Microsoft] not-a-virus:Monitor.Win32.Perflogger [Ikarus]
4	%System%\bpkr.exe	7,680 bytes	MD5: 0xEC4E28B5E9F18F16C27829D594AA1058 SHA-1: 0x5C38FA04D591002B36EF8693060E939DECCC487B	Spyware.Perfect [Symantec] not-a-virus:Monitor.Win32.Perflogger.cb [Kaspersky Lab] Keylog-Perfect.dldr [McAfee] MonitoringTool:Win32/PerfectKeylogger [Microsoft] not-a-virus:Monitor.Win32.Perfloger [Ikarus]
5	%System%\bpkwb.dll	40,960 bytes	MD5: 0x45D276FCCFE7E40C1A75A0FC15DE0722 SHA-1: 0xD455CC5E636B025399BCF33F4062BD270011D2EC	Spyware.Perfect [Symantec] not-a-virus:Monitor.Win32.Perflogger.ca [Kaspersky Lab] Keylog-Perfect [McAfee] MonitoringTool:Win32/PerfectKeylogger [Microsoft] not-a-virus:Monitor.Win32.Perflogger [Ikarus]
6	[file and pathname of the sample #1]	430,566 bytes	MD5: 0x2DEA84671BA235943AA4E33B4F4C161F SHA-1: 0x672B8E3CA8F7CCC1372075CC1D9E65FB64DBE534	Spyware.Perfect [Symantec] not-a-virus:Monitor.Win32.Perflogger.ca, not-a-virus:Monitor.Win32.Perflogger.ad, not-a-virus:Monitor.Win32.Perflogger.cb [Kaspersky Lab] RapSFX packed app [McAfee] TROJ_STARTPG.C [Trend Micro] Mal/Dropper-PQ [Sophos] MonitoringTool:Win32/PerfectKeylogger [Microsoft] not-a-virus:Monitor.Win32.Perflogger [Ikarus] packed with RapSFX [Kaspersky Lab]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%Temp%\RarSFX0

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
bpk.exe	%System%\bpk.exe	409,600 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	86,016 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
bpkhk.dll	%System%\bpkhk.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0xF90000 - 0xF96000
bpkhk.dll	%System%\bpkhk.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0x10000000 - 0x10006000
bpkhk.dll	%System%\bpkhk.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x10000000 - 0x10006000
bpkhk.dll	%System%\bpkhk.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x14E0000 - 0x14E6000
bpkhk.dll	%System%\bpkhk.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1940000 - 0x1946000
bpkhk.dll	%System%\bpkhk.dll	Process name: VMwareUser.exe Process filename: %ProgramFiles%\vmware\vmware tools\vmwareuser.exe Address space: 0x10000000 - 0x10006000
bpkhk.dll	%System%\bpkhk.dll	Process name: bpk.exe Process filename: %System%\bpk.exe Address space: 0x10000000 - 0x10006000

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID]

(Default) = "PK.IE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]

(Default) = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID]

(Default) = "PK.IE.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32]

(Default) = "%System%\bpkwb.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]

(Default) = "IE Plugin Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]

(Default) = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}]

(Default) = "IViewSource"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32]

(Default) = "%System%\bpkwb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0]

(Default) = "BPK IE Plugin Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE\CurVer]

(Default) = "PK.IE.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE\CLSID]

(Default) = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE]

(Default) = "IE Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID]

(Default) = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE.1]

(Default) = "IE Plugin Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]

(Default) = "PK IE Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

bpk = "%System%\bpk.exe"

so that bpk.exe runs every time Windows starts

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
209.190.85.253	21
209.190.85.253	25013
209.190.85.253	56460

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

There was an outbound traffic produced on port 21:

There was an outbound traffic produced on port 25013:

There was an outbound traffic produced on port 56460:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.