Submission Summary:

• Submission details:
• Submission received: 16 January 2008, 11:32:13
• Processing time: 3 min 52 sec
• Submitted sample:
• File MD5: 0x34F1FF4434EF65C225DF372D62F819B0
• Filesize: 114,689 bytes

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of the Storm worm (aka CME-711/Peacomm/Nuwar/Zhelatin/Tibs). This threat is normally received as an email attachment; it may consist of a rootkit, a peer-to-peer client, and a mass-mailing worm component. To bypass firewalls, its code may be injected and run from the legitimate services.exe process.
Capability to send out email message(s) with the built-in SMTP client engine.
Searching for email addresses by enumerating files with the certain extensions. This functionality is used by mass-mailers and spam-bots.
Backdoor functionality: connected remote users are able to perform multiple actions on the compromised system.
Stealth-mode characteristics common to Rootkits.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following file was created in the system:

• Attention! The following hidden files were created in the system:

#	Filename(s)	File Size	File Hash
1	%System%\burito.ini	40,172 bytes	MD5: 0xC690A8F60B15864AE63C8911A318F3F9
2	%System%\burito7844-7cdb.sys	129,792 bytes	MD5: 0xC4B9DD12714666C0707F5A6E39156C11

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There was a new process created in the system:

• There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
services.exe	%System%\services.exe	135,168 bytes

• There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
burito7844-7cdb	%System%\burito7844-7cdb.sys

Registry Modifications

• Attention! There were hidden Registry Keys created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO7844-7CDB
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO7844-7CDB\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito7844-7cdb
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito7844-7cdb\Security

• Attention! The newly created hidden Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO7844-7CDB\0000]
• Service = "burito7844-7cdb"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "burito7844-7cdb"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO7844-7CDB]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito7844-7cdb\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito7844-7cdb]
• Type = 0x00000001
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\burito7844-7cdb.sys"
• DisplayName = "burito7844-7cdb"

Heuristics Analysis

• Heuristically identified details of the peer-to-peer botnet that could be used to download the latest instructions:

• Heuristically identified capability to harvest email addresses (e.g. for spamming or mass-mailing purposes) from files with the following extensions:

• Heuristically identified that addresses containing the following strings are not harvested: