Submission Summary:

• Submission details:
• Submission received: 1 August 2012, 00:58:01
• Processing time: 9 min 59 sec
• Submitted sample:
• File MD5: 0x345DA5939C6FC003CAA6E6ECF3B3AFFF
• File SHA-1: 0x339F14D3725756968831CB6A8F835CE0D2EE3D0F
• Filesize: 710,656 bytes
• Alias:
• Trojan.Gen [Symantec]
• Trojan-Downloader.Win32.Anedl [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\rundll32.exe %Temp%\IXP000.TMP\Lotador.exe %System%\Microsoft\rundll32.exe	499,712 bytes	MD5: 0xD43546845196F80E0984A311D4E43ACC SHA-1: 0x78888B83C2D67703170B87358848C0C18CB00054	Trojan-Downloader.Win32.Anedl.j [Kaspersky Lab] Worm:Win32/Rebhip.A [Microsoft] Trojan-Downloader.Win32.Anedl [Ikarus]
2	%AppData%\%UserName%v1.18.0 - Trial versionlog.dat	15 bytes	MD5: 0xBF3DBA41023802CF6D3F8C5FD683A0C7 SHA-1: 0x466530987A347B68EF28FAAD238D7B50DB8656A5	Troj/RebhipCn-A [Sophos]
3	%Temp%\%UserName%2.txt	242,116 bytes	MD5: 0x87BA3D168758E148A1C0CAAAD19B4C47 SHA-1: 0x8B64D2A154ACCF7E430EF87F155B96C063804039	(not available)
4	%Temp%\%UserName%7	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
5	%Temp%\%UserName%8	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
6	[file and pathname of the sample #1]	710,656 bytes	MD5: 0x345DA5939C6FC003CAA6E6ECF3B3AFFF SHA-1: 0x339F14D3725756968831CB6A8F835CE0D2EE3D0F	Trojan.Gen [Symantec] Trojan-Downloader.Win32.Anedl [Ikarus]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %Temp%\IXP000.TMP

Memory Modifications

• There were new processes created in the system:

• Notes:
• [generic host process filename] is a full path filename of [generic host process].

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	507,904 bytes
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	466,944 bytes
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	507,904 bytes
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	466,944 bytes

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4405N34S-8257-0ME0-02F0-82BK54R373MH}
• HKEY_CURRENT_USER\Software\Gunz

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4405N34S-8257-0ME0-02F0-82BK54R373MH}]
• StubPath = "%System%\microsoft\rundll32.exe"
• StubPath = "%AppData%\microsoft\rundll32.exe Restart"

so that rundll32.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• microsoft = "%System%\microsoft\rundll32.exe"
• microsoft = "%AppData%\microsoft\rundll32.exe"

so that rundll32.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• microsoft = "%System%\microsoft\rundll32.exe"
• microsoft = "%AppData%\microsoft\rundll32.exe"

so that rundll32.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Gunz]
• FirstExecution = "01/08/2012 -- 00:58"
• NewIdentification = "Gunz"
• NewGroup = ""

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Brazil

• To mark the presence in the system, the following Mutex objects were created:
• UserName5
• XXUGP0104LJJ71
• XXUGP0104LJJ71UserName15
• XXUGP0104LJJ71_SAIR
• DesktopCleanupMutex

• The following Host Name was requested from a host database:
• nickyalmeida.no-ip.org

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 999: