ThreatExpert Report: Suspicious.MH690

Submission Summary:

Submission details:

Submission received: 10 November 2009, 12:26:45
Processing time: 6 min 44 sec
Submitted sample:

File MD5: 0x3D4FDFB4559087A2542FC7D80D2C6428
File SHA-1: 0xFA5C411A1B0C2A9E267AC0D4CF2BF2A2D75F9B84
Filesize: 16,896 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Bredolab	Backdoor.Bredolab allows attackers unauthorized access to infected machines.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	16,896 bytes	MD5: 0x3D4FDFB4559087A2542FC7D80D2C6428 SHA-1: 0xFA5C411A1B0C2A9E267AC0D4CF2BF2A2D75F9B84
2	%Windir%\Temp\scs7.tmp	2,686 bytes	MD5: 0x88864006BC9FB6F150CEBEC2A66FA2B4 SHA-1: 0xBC41F2B0C6DC93266018703858BEF8CB8FA09F53
3	%Windir%\Temp\_ex-08.exe %Windir%\Temp\_ex-68.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	16,384 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
ntvdm.exe	%System%\ntvdm.exe	987,136 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Other details

The following Host Names were requested from a host database:

95.211.8.216
213.108.56.140

The following HTTP URLs were started reading:

http://95.211.8.216/pr/pic/birdiec_b.exe
http://213.108.56.140/pr/pic/build.exe

Downloaded File Summary:

Download details:

Download retrieved: 10 November 2009 12:38:35
Processing time: 6 min 46 sec
Downloaded sample #1:

File MD5: 0x13EB0A69828294B11D80692D21ABE5A3
File SHA-1: 0xE21020E637CEC7C127889323A77AD096F8D8893A
Filesize: 1,212,991 bytes

Downloaded sample #2:

File MD5: 0x5D1EBA3284A62710FA1848A615647928
File SHA-1: 0xC6E85098BE62FC684A04BA840026A2905AC7319F
Filesize: 409,088 bytes
Alias: Suspicious.MH690 [Symantec]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Contains characteristics of Waledac, a worm that spreads by sending an email containing links to copies of itself.
Creates a startup registry entry.
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.SecurityTool	RogueAntiSpyware.SecurityTool displays annoying fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\57792636\57792636.bat	274 bytes	MD5: 0x1271AE9AE0CAC1E5CB05F450A6BD8699 SHA-1: 0x5BF05E230D4793008BE6EE50382C9AC902EEF4E1	(not available)
2	%CommonAppData%\57792636\57792636.exe [file and pathname of the sample #1]	1,212,991 bytes	MD5: 0x13EB0A69828294B11D80692D21ABE5A3 SHA-1: 0xE21020E637CEC7C127889323A77AD096F8D8893A	(not available)
3	%DesktopDir%\Security Tool.lnk	870 bytes	MD5: 0xFDF13BBD31F2F40ACA2E7DFD55F4530F SHA-1: 0xE770364FDD7F085797FB4CEB6293FD2D7631B1C7	(not available)
4	%Programs%\Security Tool.lnk	876 bytes	MD5: 0x9AB97DCCE0F1B5FF612CAF717784B676 SHA-1: 0x2A389472DA8EF73B5A58B6622B487F3C74E555ED	(not available)
5	[file and pathname of the sample #2]	409,088 bytes	MD5: 0x5D1EBA3284A62710FA1848A615647928 SHA-1: 0xC6E85098BE62FC684A04BA840026A2905AC7319F	Suspicious.MH690 [Symantec]

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

The following directory was created:

%CommonAppData%\57792636

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #2]	[file and pathname of the sample #2]	987,136 bytes

Registry Modifications

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

RList = 54 EE 20 3F 0C 33 A5 25 38 F6 C4 24 6A DB 59 20 08 74 0E E0 D0 9D BB F9 0F 3A 8B 94 A5 59 03 B1 E4 B9 EA 2A 07 C8 EB FE 81 F6 DD F0 95 73 2F 1F 98 2D 27 80 39 32 76 FC E9 2B 02 A3 E2 07 09 02 08 25 17 0B 6C A2 EF 8E 45 D8 52 E7 E8 BE 9A 42 69 65 88 5

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

PromoReg = "[file and pathname of the sample #2]"
57792636 = "%CommonAppData%\57792636\57792636.exe"

so that [file and pathname of the sample #2] runs every time Windows starts

so that 57792636.exe runs every time Windows starts

[HKEY_CURRENT_USER\Control Panel\Desktop]

_Wallpaper = ""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]

MyID = F9 79 B6 14 81 24 4B 11 DA 01 1A 29 83 2F FD
FWDone = 74 72 75 65

The following Registry Value was deleted:

[HKEY_CURRENT_USER\Control Panel\Desktop]

Wallpaper = ""

Other details

To mark the presence in the system, the following Mutex object was created:

Security Tool

The following port was open in the system:

Port	Protocol	Process
1056	TCP	[file and pathname of the sample #2]

The following Host Names were requested from a host database:

211.221.37.73
85.168.71.169
86.20.55.96
84.202.82.171
134.102.43.87
85.85.177.89
85.216.50.136
141.201.202.15
68.33.245.106
69.136.247.174
212.68.231.133
84.252.3.56
84.57.161.114
76.173.117.130
221.121.239.91
121.146.7.25
222.110.176.216
121.177.205.189
67.181.249.61
145.118.113.190
211.201.140.48
82.216.227.240
85.130.29.1
67.172.229.127
213.113.141.185
84.42.140.150
93.64.44.66
85.14.31.232
160.129.117.104
82.181.233.97
115.240.32.146
77.77.25.58
92.225.68.178
84.113.4.128
24.205.135.62
80.57.13.122
88.172.180.27
77.73.42.114
81.67.117.163
67.162.194.191
80.99.27.31
121.186.254.81
24.67.145.111
221.159.22.225
109.192.98.96
68.190.222.252
76.168.32.114
76.195.208.43
86.8.2.75
83.83.48.124
85.230.245.43
121.247.122.219
220.76.44.131
118.35.99.23
80.221.25.22
99.240.64.233
61.17.167.137
68.49.202.215
115.86.180.47
68.40.20.116
88.188.175.155
77.121.35.183
85.44.230.82
86.14.58.243
65.60.158.68
86.49.116.50
92.50.186.247
24.69.153.62
83.86.218.108
76.124.90.2
151.59.219.138
61.253.60.2
221.244.154.202
99.232.75.112
69.144.82.80
81.161.214.60
76.109.37.118
89.137.192.185
212.21.24.64
81.67.169.12
189.4.35.253
112.202.99.243
119.193.131.87
98.222.242.25
81.9.185.26
88.174.85.95
85.177.237.62
92.255.217.186
114.201.227.135
217.255.199.190
92.237.40.133
82.172.99.196
220.117.249.133
112.164.42.145
125.177.46.201
213.182.122.170
125.135.1.243
115.240.172.130
112.151.193.248
85.186.49.228

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
67.172.229.127	80
80.57.13.122	80
85.130.29.1	80

The data identified by the following URLs was then requested from the remote web server:

http://67.172.229.127/xovjvyucb.htm
http://80.57.13.122/voa.png
http://80.57.13.122/hpmmxnwa.png

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 80:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.