ThreatExpert Report: Trojan-Downloader.Win32.FraudLoad.vdiu, Downloader, BackDoor-BAC.gen..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 29 November 2008, 02:56:24
Processing time: 11 min 33 sec
Submitted sample:

File MD5: 0x3B3DB39E058D72D453E1C72D68340DAE
File SHA-1: 0xB0E043D8929499AEE0C388FD999FE771B0947190
Filesize: 79,229 bytes
Alias:

Downloader [Symantec]
Trojan-Downloader.Win32.FraudLoad.vdiu [Kaspersky Lab]
BackDoor-BAC.gen [McAfee]
Mal/Generic-A [Sophos]
Backdoor:Win32/Haxdoor [Microsoft]
Trojan-Downloader.Win32.FraudLoad [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.Agent.BWH	Trojan-Downloader.Agent.BWH contacts a remote server in its attempt to secretly download additional threats onto affected machines.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\load.exe	18,432 bytes	MD5: 0x34F556AF2537462FAC87F586E0B6A756 SHA-1: 0xC50D4A19F8696D0A883FF20A035E5DC2BBCE3367	Generic Downloader.x [McAfee] Mal/Generic-A [Sophos] Trojan-Downloader.Win32.Bredolab [Ikarus]
2	%System%\k86.bin %Windir%\wiaservv.log	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%System%\msansspc.dll	18,432 bytes	MD5: 0xE39C763CA4D87340C8A3995C2F231B0D SHA-1: 0x7163B14D3BAD92FF0A14A7189316F85676455DCB	Downloader [Symantec] Trojan-Downloader.Win32.Bredolab [Ikarus]
4	%System%\rs32net.exe	22,528 bytes	MD5: 0xE882E323C6D4005E768D58F56E1FD4CB SHA-1: 0x1F778E70321B9B5329D87A24360D7BEF90A78FCA	Downloader [Symantec] Trojan-Downloader.Win32.Agent.apyc [Kaspersky Lab] FakeAlert-AG.gen.c [McAfee] Mal/Generic-A [Sophos] TrojanDropper:Win32/Cutwail.AL [Microsoft] Trojan-Dropper.Win32.Cutwail [Ikarus]
5	[file and pathname of the sample #1]	79,229 bytes	MD5: 0x3B3DB39E058D72D453E1C72D68340DAE SHA-1: 0xB0E043D8929499AEE0C388FD999FE771B0947190	Downloader [Symantec] Trojan-Downloader.Win32.FraudLoad.vdiu [Kaspersky Lab] BackDoor-BAC.gen [McAfee] Mal/Generic-A [Sophos] Backdoor:Win32/Haxdoor [Microsoft] Trojan-Downloader.Win32.FraudLoad [Ikarus]
6	%System%\sbrige.dll	21,597 bytes	MD5: 0xBFFF62168BB4F31237B03E17600AA397 SHA-1: 0xE297B6EE70F3AA885E7473CE8BB077F9A5DBB9BE	Infostealer [Symantec] Trojan-Spy.Win32.Goldun.avc [Kaspersky Lab] Generic PWS.y [McAfee] Mal/TinyDL-T [Sophos] Trojan-Spy.Goldun.NDC [Ikarus]
7	%System%\sbunit.sys	8,624 bytes	MD5: 0xE24C91318DE54E633049C59305DEA7C4 SHA-1: 0x93801F320074E5089459D703C1E99DA5AD314741	Hacktool.Rootkit [Symantec] Trojan-Spy.Win32.Goldun.azg [Kaspersky Lab] BackDoor-BAC.gen [McAfee] Mal/Generic-A [Sophos] Backdoor:Win32/Haxdoor [Microsoft] Win32.SuspectCrc [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%Temp%\msi_setup

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
file.exe	%Temp%\file.exe	135,168 bytes
load.exe	%Temp%\load.exe	57,344 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	20,480 bytes
load2.exe	%Temp%\load2.exe	32,768 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbrige
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sbunit.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sbunit.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SBUNIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SBUNIT\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

Persistent = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

rs32net = "%System%\rs32net.exe"

so that rs32net.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbrige]

DllName = 73 62 72 69 67 65 2E 64 6C 6C 00 00
Startup = "sbrige"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
adr95 = "[5BAFF95B301CB9CD0]"

so that sbrige.dll is installed as a Winlogon notification package

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sbunit.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sbunit.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SBUNIT\0000]

Service = "sbunit"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Automated Power Control Unit"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SBUNIT]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit]

Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000000
ImagePath = "system32\sbunit.sys"
DisplayName = "Automated Power Control Unit"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

rs32net = "%System%\rs32net.exe"

so that rs32net.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex object was created:

SYSNETSRV

The following Host Names were requested from a host database:

sanbiz.biz
seooss.info

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
209.66.122.238	80
200.63.45.46	80
216.195.56.22	80

The following HTTP URLs were started reading:

http://sanbiz.biz/stata/controller.php?action=bot&entity_list=&uid=UXXXX&first=1&guid=0&rnd=35142677
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D34323334362676657 23D39412668747470706F72743D313336303526757074696D6 56D3D3426757074696D65683D30267569643D5B35424146463..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D34323334362676657 23D39412668747470706F72743D313336303526757074696D6 56D3D3526757074696D65683D30267569643D5B35424146463..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D35383233392676657 23D39412668747470706F72743D3026757074696D656D3D352 6757074696D65683D30267569643D5B3542414646393542333..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D32313434382676657 23D39412668747470706F72743D3026757074696D656D3D352 6757074696D65683D30267569643D5B3542414646393542333..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D35383233392676657 23D39412668747470706F72743D343838373226757074696D6 56D3D3526757074696D65683D30267569643D5B35424146463..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D32313434382676657 23D39412668747470706F72743D3135313926757074696D656 D3D3526757074696D65683D30267569643D5B3542414646393..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D35383233392676657 23D39412668747470706F72743D343838373226757074696D6 56D3D3626757074696D65683D30267569643D5B35424146463..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D34323334362676657 23D39412668747470706F72743D313336303526757074696D6 56D3D3626757074696D65683D30267569643D5B35424146463..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D32303738322676657 23D39412668747470706F72743D3026757074696D656D3D362 6757074696D65683D30267569643D5B3542414646393542333..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D32313434382676657 23D39412668747470706F72743D3135313926757074696D656 D3D3626757074696D65683D30267569643D5B3542414646393..
http://seooss.info/a.php?trackid=706172616 D3D636D64266C616E673D454E552669643D313030303126736 8656C6C3D3026736F636B73706F72743D32303738322676657 23D39412668747470706F72743D313934343726757074696D6 56D3D3626757074696D65683D30267569643D5B35424146463..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.