Submission Summary:

• Submission details:
• Submission received: 29 September 2012, 22:02:16
• Processing time: 8 min 12 sec
• Submitted sample:
• File MD5: 0x32F31466912D9DD9A88E53F26D683D17
• File SHA-1: 0xF35D2B992F187CA28643181307D1868C6BF6E2F5
• Filesize: 159,189 bytes
• Alias:
• Backdoor.Win32.Agent.alqt [Kaspersky Lab]
• Trojan-GameThief.Win32.Magania [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.Dialer	Trojan.Dialer is a program used to dial a high-cost international phone number using a modem without the users permission or knowledge. Removal of this dialer is advisable if it is not installed for a purpose.

• Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\1348981340.dat %System%\yuksuser.dll	34,461 bytes	MD5: 0x05C6220071256778077243C8328D6450 SHA-1: 0x61B4C50A20957736598F331653C5A566B84EC592	Downloader [Symantec] PWS-OnlineGames.hi.gen.a [McAfee] Mal/Agent-IR [Sophos] PWS:Win32/Lolyda.BF [Microsoft] Trojan-GameThief.Win32.Frethoq [Ikarus]
2	%Temp%\1348981443.dat %System%\dllcache\ksuser.dll %System%\dllcache\midimap.dll %System%\dllcache\msimg32.dll %System%\ksuser.dll %System%\sysapp18.dll	34,461 bytes	MD5: 0xE0B47439AA20734E6B292C593F7A08A1 SHA-1: 0xD4F9B27EA92F49D30CA61285D719DECE1BCA2795	Downloader [Symantec] PWS-OnlineGames.hi.gen.a [McAfee] Mal/Agent-IR [Sophos] PWS:Win32/Lolyda.BF [Microsoft] Trojan-GameThief.Win32.Frethoq [Ikarus]
3	c:\mibao.exe	119,738 bytes	MD5: 0xCC63D846479F9A41C8C841A96B8080DC SHA-1: 0x3B8C34A7E3EDEDB3050EE50A6907A190D78E5B13	Infostealer.Gampass [Symantec] not-a-virus:Porn-Tool.Win32.Agent.uc, Backdoor.Win32.Agent.alqt [Kaspersky Lab] Backdoor:Win32/Farfli.A [Microsoft] Trojan-GameThief.Win32.Magania [Ikarus]
4	c:\mibaoka.gif	8,932 bytes	MD5: 0x5792B426338688B7C53818511436F596 SHA-1: 0x02220DFBB25AA27D770A6443B3513466647B2494	(not available)
5	%System%\6to4ex.dll %System%\netsvcs_0x0ex.dll	107,555 bytes	MD5: 0x712A66E38466F48162B6E3D376BD29F7 SHA-1: 0x6373F0B48D1C12615DD42CC1263D93F7A9CE4606	Backdoor.Trojan [Symantec] Trojan-GameThief.Win32.Magania.evsa [Kaspersky Lab] BackDoor-DVB [McAfee] Mal/Redos-H [Sophos] Backdoor:Win32/Farfli.K [Microsoft] Backdoor.Win32.Zegost [Ikarus]
6	[file and pathname of the sample #1]	159,189 bytes	MD5: 0x32F31466912D9DD9A88E53F26D683D17 SHA-1: 0xF35D2B992F187CA28643181307D1868C6BF6E2F5	Backdoor.Win32.Agent.alqt [Kaspersky Lab] Trojan-GameThief.Win32.Magania [Ikarus]
7	%System%\TEM5.tmp %System%\yumsimg32.dll	4,608 bytes	MD5: 0xB5331F2B6F37C66C29C847F3B94FF900 SHA-1: 0x3FB833BC7393F88EC633961EC8C3C74891205F2E	(not available)
8	%System%\yumidimap.dll	18,944 bytes	MD5: 0x3B4702155BB2AE9DC00C06A68834BDFA SHA-1: 0xC1463918C83B4CAC3886E49A63318062558E645B	(not available)

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following files were modified:
• %System%\midimap.dll
• %System%\msimg32.dll

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
360.exe	C:\360.exe	126,976 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	430,080 bytes
mibao.exe	c:\mibao.exe	421,888 bytes
[generic host process]	[generic host process filename]	45,056 bytes
361.exe	C:\361.exe	90,112 bytes

• Notes:
• [generic host process filename] is a full path filename of [generic host process].

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
6to4ex.dll	%System%\6to4ex.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x630000 - 0x64E000

• There was a new service created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netsvcs_0x0
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs_0x0

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "6to4"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000]
• Service = "6to4"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "QQ"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Enum]
• 0 = "Root\LEGACY_6TO4\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters]
• ServiceDll = "%System%\6to4ex.dll"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4]
• Type = 0x00000120
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\svchost.exe -k netsvcs"
• DisplayName = "QQ"
• ObjectName = "LocalSystem"
• Description = "QQ"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netsvcs_0x0]
• InstallModule = "C:\360.exe"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "6to4"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000]
• Service = "6to4"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "QQ"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum]
• 0 = "Root\LEGACY_6TO4\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
• ServiceDll = "%System%\6to4ex.dll"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
• Type = 0x00000120
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\svchost.exe -k netsvcs"
• DisplayName = "QQ"
• ObjectName = "LocalSystem"
• Description = "QQ"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs_0x0]
• InstallModule = "C:\360.exe"

• The following Registry Value was modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
• netsvcs =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• To mark the presence in the system, the following Mutex objects were created:
• AAAAAAsa+wva60rr2xsaa9rrSxqaavta+f
• sysapp1952
• sysapp980

• The following Host Names were requested from a host database:
• 192.5.5.241
• 203.171.229.172

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 9060: