Submission Summary:

• Submission details:
• Submission received: 6 December 2007, 13:55:12
• Processing time: 6 min 14 sec
• Submitted sample:
• File MD5: 0x3B33847C20FDA540A004613A44B3533A
• Filesize: 337,858 bytes
• Alias: Trojan.PWS.IcqSmiley.A [PCTools]

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
PSWTool.Messen!sd5	PSWTool.Messen!sd5 is a potentially unsafe program designed to access the passwords in your system.
PSWTool.NetPass!sd5	PSWTool.NetPass!sd5 is a potentially unsafe program designed to access the passwords in your system.
Application.StoragePass_Viewer	StoragePass Viewer is a utility that is able to reveal passwords stored by Internet Explorer, Outlook Express and MSN Explorer.
Application.MessenPass	MessenPass is used to retrieve password from various instant messenging application. It has been used by attackers with malicious intent. We recommend that Messenpass be removed unless installed for a purpose.
Application.MailPass_Viewer	MailPass Viewer is a email password recovery application from NirSoft. It enables the user to view all email accounts passwords stored in email applications. We recommend that MailPass Viewer be removed unless installed for a purpose.
Adware.ProduKey	ProduKey is an application which is used to retrieve Product ID and CD-Key for Microsoft applications. It can be used by attackers with malicious intent. We recommend that ProduKey be removed unless installed for a purpose.
Adware.Protected_Storage_Pass_View	Protected Storage Pass View displays all passwords stored in user's protected storage. It has been used by attackers with malicious intent. We recommend that Protected Storage Pass View be removed unless installed for a purpose.

• Attention! The following threat category was identified:

Threat Category	Description
	A hacktool that could be used by attackers to break into a system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\Switchblade-Siliv-1-3-0-1\autorun.inf	91 bytes	MD5: 0xF4012045B45DE6B617C208AAD17C8D1D	(not available)
2	%Temp%\Switchblade-Siliv-1-3-0-1\blank.ico	766 bytes	MD5: 0xDE67C8A550ECFA5BAB367FEE7675A9D4	(not available)
3	%Temp%\Switchblade-Siliv-1-3-0-1\Documents\logfiles\%ComputerName%.log	3,353 bytes	MD5: 0xC3647CE5CFA2FC5B1D398DD3A53782F5	(not available)
4	%Temp%\Switchblade-Siliv-1-3-0-1\Documents\logfiles\pwfile.txt	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E	(not available)
5	%Temp%\Switchblade-Siliv-1-3-0-1\folder.ico	25,214 bytes	MD5: 0x0EFBFDC86BE9496D6123E5162ACA5687	(not available)
6	%Temp%\Switchblade-Siliv-1-3-0-1\README.txt	1,438 bytes	MD5: 0x649456E92868B93859E4945EB2E30AB9	(not available)
7	%Temp%\Switchblade-Siliv-1-3-0-1\Thumbs.db	4,096 bytes	MD5: 0x8E8D6332E1FEC5B0AA69917E5FCA8D29	(not available)
8	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\DUH.vbs	402 bytes	MD5: 0x4A5140F6E510B3300C82063CD483242C	(not available)
9	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\go.cmd	5,407 bytes	MD5: 0x9DFC82253462497EDD748EF36746D054	(not available)
10	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\go.exe	5,120 bytes	MD5: 0x8204F34555645A11D068EA8817FDD5DC	(not available)
11	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\iepv.exe	40,448 bytes	MD5: 0x640E7144859C57E21E489BE91998E1CC	(not available)
12	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\LsaExt.dll	61,440 bytes	MD5: 0x03E8E98DFE06611EAC5694CD2F2DC542	PWCrack-Pwdump [McAfee]
13	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\mspass.exe	44,032 bytes	MD5: 0x588AB9262F42D01D153257CE3B71EBFE	PSWTool.Messen!sd5 [PCTools]
14	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\netpass.exe	39,936 bytes	MD5: 0x634FAAD6C5F06DBB88A40CBE91F9CD10	PSWTool.NetPass!sd5 [PCTools]
15	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\ProduKey.exe	31,744 bytes	MD5: 0xBA312165D0B19BCD9E01B1C0B55C41FC	Hacktool [Symantec]
16	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\pspv.exe	52,736 bytes	MD5: 0x35861F4EA9A8ECB6C357BDB91B7DF804	Application.StoragePass_Viewer [PCTools] PWCrack-PassView [McAfee]
17	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\PwDump.exe	188,416 bytes	MD5: 0x3573E1F3D7F2E39675C37E5ECE21258F	PWCrack-Pwdump [McAfee]
18	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\pwservice.exe	45,056 bytes	MD5: 0xFE201C1F942707D645CD34EC3368ACF2	(not available)
19	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\wkv.exe	36,864 bytes	MD5: 0xD1BF4F47ED8362D91E94CD7253972F87	(not available)
20	[file and pathname of the sample #1]	337,858 bytes	MD5: 0x3B33847C20FDA540A004613A44B3533A	Trojan.PWS.IcqSmiley.A [PCTools]

• Note:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

• The following directories were created:
• %Temp%\Switchblade-Siliv-1-3-0-1
• %Temp%\Switchblade-Siliv-1-3-0-1\Documents
• %Temp%\Switchblade-Siliv-1-3-0-1\Documents\logfiles
• %Temp%\Switchblade-Siliv-1-3-0-1\WIP
• %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
iepv.exe	%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\iepv.exe	102,400 bytes
mspass.exe	%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\mspass.exe	110,592 bytes
netpass.exe	%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\netpass.exe	102,400 bytes
ProduKey.exe	%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\produkey.exe	86,016 bytes
pspv.exe	%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\pspv.exe	65,536 bytes
wkv.exe	%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\wkv.exe	98,304 bytes
pwservice.exe	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\pwservice.exe	53,248 bytes
PwDump.exe	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\PwDump.exe	200,704 bytes
go.exe	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\go.exe	28,672 bytes

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
LsaExt.dll	%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\LsaExt.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x920000 - 0x931000

• Notes:
• [generic host process filename] is a full path filename of [generic host process].

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
• HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
• HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
• HKEY_CURRENT_USER\Software\NirSoft
• HKEY_CURRENT_USER\Software\NirSoft\iepv
• HKEY_CURRENT_USER\Software\NirSoft\MessenPass
• HKEY_CURRENT_USER\Software\NirSoft\NetPass
• HKEY_CURRENT_USER\Software\NirSoft\ProduKey
• HKEY_CURRENT_USER\Software\NirSoft\pspv
• HKEY_CURRENT_USER\Software\NirSoft\WirelessKeyView

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
• Trace Level = ""

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) = 0x0000000B
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) = 0x0000000B

Other details

• Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Israel