ThreatExpert Report: TROJ_BJLG.SMUS1, Trojan:Win32/Malex.gen!E, Trojan-Downloader.Win32.Small..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 September 2012, 16:53:45
Processing time: 9 min 39 sec
Submitted sample:

File MD5: 0x370630D41E41C5443E65A1D0C99FEDA3
File SHA-1: 0x992F1CBC89B588A380238F5245ABC93C604066CB
Filesize: 212,992 bytes
Alias:

TROJ_BJLG.SMUS1 [Trend Micro]
Trojan:Win32/Malex.gen!E [Microsoft]
Trojan-Downloader.Win32.Small [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to modify the hosts file that may potentially block access to security-related Web sites.
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\svchost.exe %Windir%\FANS.exe %Windir%\HACK.exe [file and pathname of the sample #1]	212,992 bytes	MD5: 0x370630D41E41C5443E65A1D0C99FEDA3 SHA-1: 0x992F1CBC89B588A380238F5245ABC93C604066CB	TROJ_BJLG.SMUS1 [Trend Micro] Trojan:Win32/Malex.gen!E [Microsoft] Trojan-Downloader.Win32.Small [Ikarus]
2	%System%\yjsoft.ini	5,398,536 bytes	MD5: 0xC341BF10E60DE0655C4D1DC0307A79B2 SHA-1: 0xEE993E8617976EE2C0969F0EFB1A8D9D5DB212A0	Backdoor.Trojan [Symantec] Trojan-PSW.Win32.Bjlog.aago [Kaspersky Lab] BackDoor-TW.dll [McAfee] Mal/Zegost-E [Sophos] Backdoor:Win32/Zegost.L [Microsoft] Backdoor.Win32.Zegost [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
svchost.exe	%Temp%\svchost.exe	221,184 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	221,184 bytes
fans.exe	%Windir%\fans.exe	221,184 bytes
hack.exe	%Windir%\hack.exe	221,184 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
yjsoft.ini	%System%\yjsoft.ini	Process name: svchost.exe Process filename: %Temp%\svchost.exe Address space: 0x20000000 - 0x20026AC8

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Com70
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

Global\b16777343_2012j

The following Host Name was requested from a host database:

xlgzshi.vicp.net

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
xlgzshi.vicp.net	2012

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 2012:

00000000 | 6362 3173 7420 0200 001F 0500 0078 9C4B | cb1st .......x.K
00000010 | 6360 6098 03C4 AC40 CC08 C41A 5C0C 0C4C | c``....@....\..L
00000020 | 403A 38B5 A82C 3339 5521 2031 395B C188 | @:8..,39U! 19[..
00000030 | 81EE 00E4 0606 4646 86ED DC0C 0CF5 4096 | ......FF......@.
00000040 | 737E 6E41 6949 6A91 5F62 6E2A 9146 ACD2 | s~nAiIj._bn*.F..
00000050 | 6780 F8E9 3F10 0701 B1EF 6A66 0636 1166 | g...?.....jf.6.f
00000060 | 0643 0303 3323 A310 5706 0663 630B 4B1A | .C..3#..W..cc.K.
00000070 | 7960 8401 034C C0E0 6662 6068 6261 8CAA | y`...L..fb`hba..
00000080 | 7093 98EE CD1F 53CF 32A2 1B70 E16F FD85 | p.....S.2..p.o..
00000090 | 63A2 0C6F A21E 83D9 AC02 136A 2012 8C60 | c..o.......j ..`
000000A0 | 7E05 90C5 E732 B1A6 8073 62CD 8127 D36B | ~....2...sb..'.k
000000B0 | 1A81 EC1F A61D 350B 9D27 D6A0 1A24 C200 | ......5..'...$..
000000C0 | 3207 0434 668A 3044 443F 06B3 4FB0 4EAC | 2..4f.0DD?..O.N.
000000D0 | 5100 F255 621E 3304 02D9 15BC 220C B9AC | Q..Ub.3....."...
000000E0 | 10BD 1C4B 8E96 DB01 C53F 741E 2D3F 04E4 | ...K.....?t.-?..
000000F0 | 9F01 EAB9 3C7B 620D 48CC 8E19 A4E2 60B9 | ....<{b.H.....`.
00000100 | C0F4 A3E5 2075 209E 0C83 0538 7D9E 00E2 | .... u ....8}...
00000110 | 17C0 8C33 5914 613B 2303 C467 5339 26D6 | ...3Y.a;#..gS9&.
00000120 | 4C60 82A8 E960 07E6 B159 20BB 0E82 EDB1 | L`...`...Y .....
00000130 | 8062 10DB 1E68 CF8D 03D3 6B5E 03E5 6D4C | .b...h....k^..mL
00000140 | 9814 9EC4 3E66 F80F 4AB0 0FFE D6BF B051 | ....>f..J......Q
00000150 | 6110 0232 7B80 E654 00D5 FE00 F25F C43C | a..2{..T....._.<
00000160 | 06BB E73F 10D8 00D9 3631 10FF A939 3330 | ...?....61...930
00000170 | 7828 A980 D90E 01A6 0CA9 E999 7925 1945 | x(..........y%.E
00000180 | A913 E02E 3365 F089 7A8C 7028 D0FC 2340 | ....3e..z.p(..#@
00000190 | BD5A 6A0D 350D 2033 8034 C8E5 1398 60A1 | .Zj.5. 3.4....`.
000001A0 | C8C0 801C 4702 B078 8E85 C40F 483F 4CAE | ....G..x....H?L.
000001B0 | 04A8 1F64 A70C 90FD 7966 730D 07D0 2C90 | ...d....yfs...,.
000001C0 | FB40 663A A936 D480 DC3F E9EA 849A DDB3 | .@f:.6...?......
000001D0 | 216C 507E D673 6650 00B1 41FE 2DB8 CE00 | !lP~.sfP..A.-...
000001E0 | F637 2310 83C4 76AD 6550 4076 674E 2CC4 | .7#...v.eP@vgN,.
000001F0 | 9D1A B110 7782 8441 EAF1 B913 96A6 40FA | ....w..A......@.
00000200 | 6D80 6A99 808A 6480 B4A1 99B9 F99A FF8F | m.j...d.........
00000210 | B1BA 5306 492B C84C C74E 0600 65CD D235 | ..S.I+.L.N..e..5

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.