ThreatExpert Report: Worm.Oderoor, Spam-SamBurg, BKDR

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 30 July 2008, 23:53:38
Processing time: 3 min 37 sec
Submitted sample:

File MD5: 0x32C576E88F19697E3462BF8BF1A3D379
File SHA-1: 0x1C13352A0704C60A17EF2815A17FF1366881E527
Filesize: 245,760 bytes
Alias:

Worm.Oderoor [PCTools]
Spam-SamBurg [McAfee]
BKDR_AGENT.AOAW [Trend Micro]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Worm.Oderoor	Worm.Oderoor is a threat that has the capability to change parts of its body to avoid easy detection from security applications.

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	245,760 bytes	MD5: 0x32C576E88F19697E3462BF8BF1A3D379 SHA-1: 0x1C13352A0704C60A17EF2815A17FF1366881E527	Worm.Oderoor [PCTools] Spam-SamBurg [McAfee] BKDR_AGENT.AOAW [Trend Micro]

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	245,760 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
ueyjyotbioa8k	BlueSoleilCS	"Stopped"	[file and pathname of the sample #1] /service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ueyjyotbioa8k
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ueyjyotbioa8k\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ueyjyotbioa8k
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ueyjyotbioa8k\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[filename of the sample #1 without extension] = "[file and pathname of the sample #1]"

so that [file and pathname of the sample #1] runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ueyjyotbioa8k\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ueyjyotbioa8k]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "[file and pathname of the sample #1] /service"
DisplayName = "BlueSoleilCS"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ueyjyotbioa8k\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ueyjyotbioa8k]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "[file and pathname of the sample #1] /service"
DisplayName = "BlueSoleilCS"
ObjectName = "LocalSystem"

Other details

To mark the presence in the system, the following Mutex object was created:

591778864

The following port was open in the system:

Port	Protocol	Process
13791	TCP	[file and pathname of the sample #1]

The following Host Names were requested from a host database:

bqphniraivdy.dyndns.org
zaljljiebm.yi.org
xdpdrrzrtmy.dynserv.com
vnlxpriemei.mooo.com
tqorwrzimvsz.dyndns.org
saklurivevc.yi.org
qdofarzixnna.mooo.com
gnkhyrimpn.com
epobfrazhe.cc
cssvlrjei.net
acopjraqawb.dyndns.org
yfsjpsrd.yi.org
wpodosail.dynserv.com
vssfuarud.mooo.com
tcozsaahefyu.dyndns.org
rfstyarmwe.yi.org
hponxaayp.mooo.com
fsshdardhwd.com
dcwbbaaqzonv.cc
bfsdhar.net
apwxgbihsfh.dyndns.org
yssrmbrukf.yi.org
wcvmkbigdxcw.dynserv.com
ufrgqbslvwmj.mooo.com
spvaxjjy.dyndns.org
qszcvjscoo.yi.org
gcvwbjj.mooo.com
efzqzjsczfb.com
dpvkgjjgrx.cc
brzeejatsxv.net
zcvykkjg.dyndns.org
xezajkak.yi.org
vpvupkjx.dynserv.com
trzonkacn.mooo.com
ruditkjonxu.dyndns.org
qezcssabg.yi.org
ghdwysj.mooo.com
erzywsbsrozo.com
cudscssfjgjb.cc
aezmjsbk.net
yhcghtswc.dyndns.org
wryantbbux.yi.org
uucultson.dynserv.com
tegwstbafpi.mooo.com
rhcqqtsffhsv.dyndns.org
prgkwtbrygci.yi.org
fuceubs.mooo.com
degybbjjiyxi.com
bhctzbsvbphw.cc
zrgvfbj.net
ytcpdcs.dyndns.org
wegjkckzmh.yi.org
ugkdictee.dynserv.com
srgxockrxyo.mooo.com
qtkructdxq.dyndns.org
oegttcki.yi.org
egknzkb.mooo.com
crghxkkzahdl.com
btkbdkbm.cc
zwfvckkztyx.net
xgjpilbdl.dyndns.org
vjnrglkqeqrm.yi.org
ttjlnlbdwica.dynserv.com
rwnflls.mooo.com
pgjzrlb.dyndns.org
ojntpltzhz.yi.org
etjnwlcla.mooo.com
cwnputt.com
agjjatcdkilb.cc
yjndgtt.net
wtrxfuc.dyndns.org
uvnrluthw.yi.org
sgrljukt.dynserv.com
rinoputyg.mooo.com
ptrioukl.dyndns.org
nvncuutxza.yi.org
dgrwsukcsa.mooo.com
bimqyutpk.com
ztqkxckbcrjw.cc
xvumddugdjt.net
wgqgbdl.dyndns.org
uiuahdcxnan.yi.org
stqugdlkga.dynserv.com
qvuomdcx.mooo.com
oyqisdlbz.dyndns.org
eiukqdcorjcl.yi.org
clqexdl.mooo.com
avuyvdcfcbe.com
zyysbdlsu.cc
xiumzmcxus.net
vlyggmtjnsj.dyndns.org
tvuiemcwfkt.yi.org
rxyckmtbyj.dynserv.com
piuwjmcnqb.mooo.com
nkyqpmu.dyndns.org
evbknmdfj.yi.org
cxxetmurbssc.mooo.com
aibgsmdwu.com
ykxaymujmkn.cc
wvbvevlvmb.net
uxxpcvua.dyndns.org

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
66.249.83.27	25
64.233.163.27	25
66.249.83.114	25

The data identified by the following URLs was then requested from the remote web server:

http://www.msn.com/
http://www.news.com/
http://www.latimes.com/
http://www.cbsnews.com/
http://edition.cnn.com/
http://www.nytimes.com/
http://www.reuters.com/

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.