ThreatExpert Report: Trojan-Dropper.Agent, possible-Threat.Patch.SuspectCRC, Trojan.Win32.Nebuler..

Submission Summary:

Submission details:

Submission received: 12 August 2012, 03:31:42
Processing time: 11 min 26 sec
Submitted sample:

File MD5: 0x3790C78B6A231A2CD54FBC216C18651D
File SHA-1: 0x5B83EAE39C0DB19D7570C3A37C15038877D52616
Filesize: 2,893,187 bytes
Alias: Trojan-Dropper.Agent [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.AZ	Trojan.Downloader.AZ downloads various other malware without the users knowledge, including a dialer which sits in your temp directory and can change your ISP phone number on your computer to a high rate phone number.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\31.exe	6,144 bytes	MD5: 0xDF094274592026F85D6B29DD4EC2F58D SHA-1: 0xED09B7F2334BD65575D6719AD9693029E235F471	packed with UPX [Kaspersky Lab]
2	%Temp%\32.exe	274,944 bytes	MD5: 0xA625620E95370BB65B6FFD5B7AC0F1A4 SHA-1: 0x6629C5361289A34B576CF43E8CFD306F50DD34CC	possible-Threat.Patch.SuspectCRC [Ikarus] packed with UPX [Kaspersky Lab]
3	%Temp%\33.exe	371,712 bytes	MD5: 0xEE34FB8CD3EECBD9BEBD0F7DA56473CF SHA-1: 0xEDFD4230CC95339FC6C7DBEA8E412106E4388509	Trojan.Win32.Nebuler [Ikarus]
4	%Temp%\34.exe	911,789 bytes	MD5: 0x8E3DEAB77754A984AB9DBD3D1E144CB1 SHA-1: 0x6053AB09E9951CD6966B4B2B7DBC0CB0570060C8	(not available)
5	%Temp%\35.exe	169,984 bytes	MD5: 0x6CAB2DED1CA60EFAF68BC158993F9BDE SHA-1: 0x13D14108B66DA6E38F254A7BD3DEEC10D9975EAB	(not available)
6	%Temp%\36.exe	180,224 bytes	MD5: 0x2B99D02B75330473270E729AD3A4537E SHA-1: 0xD7DD90EFD4D5E4A35D331ABECC4F803628FB5989	Trojan.Zlob [Symantec] Generic.dx!bc3f [McAfee] Troj/Crack-AE [Sophos] Trojan-Dropper.Agent [Ikarus]
7	%Temp%\37.exe	192,000 bytes	MD5: 0xC387216EC24EDB507F4BB113724547D8 SHA-1: 0x8048670C9978F94960CF96ADC5FB039C5B62EAC1	Trojan Horse [Symantec] Troj/Crack-AE [Sophos] Trojan-Dropper.Agent [Ikarus]
8	%Temp%\38.exe	192,000 bytes	MD5: 0xCF46E6E10E6995DA40EDB135838CA627 SHA-1: 0xDA21E99B67E9B85B8F6E619324C171437E1911CF	Trojan.Gen [Symantec] Generic.dx!bcdn [McAfee] Troj/Crack-AE [Sophos] Trojan-Dropper.Agent [Ikarus]
9	%Temp%\39.exe	272,384 bytes	MD5: 0x3B227CA1EA5702291EFECAE9CBEC133D SHA-1: 0x61D48DBE2DD7DF79F6A2A5E7436337C2CB045F83	Trojan.Zlob [Symantec] Generic.dx!bc3m [McAfee] Troj/Crack-AE [Sophos] Trojan-Dropper.Agent [Ikarus]
10	%Temp%\40.exe	325,120 bytes	MD5: 0x1FFDC8853B7FB5BD3AFD0D9F40D4B1DB SHA-1: 0xA4D9F6EC5A3D640411AAF6896C3F85B96D6373B1	Trojan-Dropper.Agent [Ikarus]
11	%Temp%\41.exe	17,878 bytes	MD5: 0x73AE76D24FACD99D2D63DE5DF4E2E7F5 SHA-1: 0x000DC9740548C4B00C01EF45641B2C9446521141	packed with UPX [Kaspersky Lab]
12	%Temp%\42.exe	4,128 bytes	MD5: 0x109B674A22C8A54DCFFFA80B64CA5AAE SHA-1: 0xD9C94CE737FD5B51B8A4BCD530DAE672B84A95A1	packed with UPX [Kaspersky Lab]
13	%Temp%\43.exe	92,160 bytes	MD5: 0xE1AB07F925CD1167B43ACB5934D329F9 SHA-1: 0xD45DC7D86442A2AEFB77FD599E20CD9AE980BC78	Trojan.Adclicker [Symantec] Mal/Generic-L [Sophos] Backdoor.Pigeon [Ikarus] packed with PE_Patch.PECompact [Kaspersky Lab]
14	%Temp%\44.exe	238,080 bytes	MD5: 0x93D28625888E74A6BF8385D891C6B5F3 SHA-1: 0xC5A7CA860CE418C95EB2109254DC4BBE61170DF8	(not available)
15	%ProgramFiles%\Wondershare\DiaShow f?r PSP Go\PSPSlideshow.exe	2,330,112 bytes	MD5: 0x037A3FFE6753451CFEAEC7410B03292E SHA-1: 0x909830A523344ADD6CEDFE716DC33A275D577193	(not available)
16	%ProgramFiles%\Wondershare\DiaShow f?r PSP Go\unins000.dat	1,096 bytes	MD5: 0xD1CAE979B59F5C8950967512B39044DE SHA-1: 0x47A10D578D4CEDF7D2D5BA981BCDD9B1DFEA659C	(not available)
17	%ProgramFiles%\Wondershare\DiaShow f?r PSP Go\unins000.exe	732,166 bytes	MD5: 0x421534B2C74A2E8063772BDD583D90DF SHA-1: 0xFB04A8EF9F45042ABBD029AD751EEEE6BA95E4AA	(not available)
18	%System%\BASSMOD.dll	9,728 bytes	MD5: 0x8D56ADCA34E7FB2DFACFC5EA87B23FF9 SHA-1: 0x0E93AE841D7A1F9587655906847DDCFC3269D9D1	(not available)
19	%System%\msiiry32.dll %System%\msizuw32.dll	175,104 bytes	MD5: 0x6B8489388AA6621259CE541D54004981 SHA-1: 0x541F12357DFA16986B3192F3C4C539B3B21EBC57	Troj/Nuage-B [Sophos] Trojan.Win32.Nebuler [Ikarus] packed with UPX [Kaspersky Lab]
20	%System%\muzika.xm	51,355 bytes	MD5: 0x4E7887BCD4495E8AD2147A17057FB94E SHA-1: 0xEDD53D21D6DBA313030DE94FAF38E33D22195D05	(not available)
21	[file and pathname of the sample #1]	2,893,187 bytes	MD5: 0x3790C78B6A231A2CD54FBC216C18651D SHA-1: 0x5B83EAE39C0DB19D7570C3A37C15038877D52616	Trojan-Dropper.Agent [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%ProgramFiles%\Wondershare
%ProgramFiles%\Wondershare\DiaShow f?r PSP Go

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
41.exe	%Temp%\41.exe	77,824 bytes
44.exe	%Temp%\44.exe	548,864 bytes
31.exe	%Temp%\31.exe	73,728 bytes
32.exe	%Temp%\32.exe	536,576 bytes
35.exe	%Temp%\35.exe	466,944 bytes
36.exe	%Temp%\36.exe	270,336 bytes
37.exe	%Temp%\37.exe	282,624 bytes
38.exe	%Temp%\38.exe	282,624 bytes
39.exe	%Temp%\39.exe	360,448 bytes
40.exe	%Temp%\40.exe	413,696 bytes
34.tmp	%Temp%\is-KVI1I.tmp\34.tmp	786,432 bytes
34.exe	%Temp%\34.exe	106,496 bytes
42.exe	%Temp%\42.exe	32,768 bytes
34.tmp	%Temp%\is-0G3QF.tmp\34.tmp	786,432 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
BASSMOD.dll	%System%\BASSMOD.dll	Process name: 43.exe Process filename: %Temp%\43.exe Address space: 0x3B0000 - 0x3C8000
BASSMOD.dll	%System%\BASSMOD.dll	Process name: 32.exe Process filename: %Temp%\32.exe Address space: 0x390000 - 0x3A8000
msiiry32.dll	%System%\msiiry32.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB50000 - 0xBD6000
BASSMOD.dll	%System%\BASSMOD.dll	Process name: 32.exe Process filename: %Temp%\32.exe Address space: 0x390000 - 0x3A8000
msizuw32.dll	%System%\msizuw32.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB50000 - 0xBD6000

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wondershare DiaShow f?r PSP Go - Aktivierung_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\tOckl

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wondershare DiaShow f?r PSP Go - Aktivierung_is1]

Inno Setup: Setup Version = "5.3.5 (a)"
Inno Setup: App Path = "%ProgramFiles%\Wondershare\DiaShow f?r PSP Go"
InstallLocation = "%ProgramFiles%\Wondershare\DiaShow f?r PSP Go\"
Inno Setup: Icon Group = "Wondershare DiaShow f?r PSP Go"
Inno Setup: User = "%UserName%"
DisplayName = "Wondershare DiaShow f?r PSP Go 2.0.1.1"
UninstallString = ""%ProgramFiles%\Wondershare\DiaShow f?r PSP Go\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Wondershare\DiaShow f?r PSP Go\unins000.exe" /SILENT"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120812"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

MSIDLL = "rundll32.exe msizuw32.dll,KhhlSUqwWlhb"

so that 32.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex objects were created:

c14f7bg943
608?147:<?258

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
madcapphotoworks.com	80	(null)	(null)
www.bts.brainz.cz	80	(null)	(null)
www.gambit.webz.cz	80	(null)	(null)

The data identified by the following URLs was then requested from the remote web server:

http://www.flashbug.xf.cz/admin/index.php?q=139859
http://www.extremepower.wz.cz/adv/index.php?q=139953
http://www.egypt2007.unas.cz/admin/index.php?q=140031
http://www.egypt2007.unas.cz/admin/index.php?q=146515
http://www.extremepower.wz.cz/adv/index.php?q=146531
http://www.flashbug.xf.cz/admin/index.php?q=146531
http://www.flashbug.xf.cz/admin/index.php?q=176921
http://www.extremepower.wz.cz/adv/index.php?q=176937
http://www.egypt2007.unas.cz/admin/index.php?q=176937

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.