ThreatExpert Report: Hacktool.Spammer

Submission Summary:

Submission details:

Submission received: 4 June 2008, 15:37:38
Processing time: 4 min 4 sec
Submitted sample:

File MD5: 0x360C7CD58DD933102E94E76C768F7DBD
File SHA-1: 0x72F5C573E7934693466BB5D8307567A2F5D33A41
Filesize: 46,080 bytes
Alias: Hacktool.Spammer [Symantec]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	46,080 bytes	MD5: 0x360C7CD58DD933102E94E76C768F7DBD SHA-1: 0x72F5C573E7934693466BB5D8307567A2F5D33A41	Hacktool.Spammer [Symantec]

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	57,344 bytes

Other details

To mark the presence in the system, the following Mutex objects were created:

uiqwehddyrui23h
DBWinMutex

The following Host Names were requested from a host database:

208.66.194.215
192.168.0.102
9a1aa4820f010d7.biz
7a65cf85c0b7e88.biz
e61e45ed80c59493.biz
cb6b9198f384e5.biz
dee6a7760b1d2.biz
b72ba13293ed9477.biz
d2561a513e69dd3e.biz
2d60dfa3891d4bd8.biz
fc56dfa5d1f32d6.biz
6f9503748ad98f2.biz
02afffb8346829.biz
f99959152587f675.biz
60983c3e73a63cfd.biz
344b9a9bfd69599.biz
549ad23db838d8bb.biz
4e9a1f983702566.biz

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
208.66.194.215	443

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.