Submission Summary:

• Submission details:
• Submission received: 6 June 2008, 06:14:14
• Processing time: 4 min 38 sec
• Submitted sample:
• File MD5: 0x3F1B402B22DD309610139CB1ECBF9394
• File SHA-1: 0x78BBEFBD5E14B698A6AACA3CC42D325E465CDB0F
• Filesize: 66,560 bytes
• Alias:
• Backdoor.Rima.C [PCTools]
• Backdoor.Trojan [Symantec]
• Backdoor.Win32.Rima.a [Kaspersky Lab]
• Generic.yy [McAfee]

• Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	33 bytes	MD5: 0x9C49734333B9A605E093EFBFC1E6FD31 SHA-1: 0xC0B19FA6C55074963734E54577CEC1BC8D34EE47	(not available)
2	%Windir%\HOSTS	1,893 bytes	MD5: 0x86385123108E3DB7D0CA7BE1A2C8C019 SHA-1: 0x35FEE9DDC9765635334B6FBD716E831489B55958	Trojan.QHosts.U [PCTools] Trojan.Win32.Qhost.eo [Kaspersky Lab] QHosts-5 [McAfee] TROJ_Generic.Z [Trend Micro]
3	%System%\gangsta.exe [file and pathname of the sample #1] c:\WINUPDATE.EXE	66,560 bytes	MD5: 0x3F1B402B22DD309610139CB1ECBF9394 SHA-1: 0x78BBEFBD5E14B698A6AACA3CC42D325E465CDB0F	Backdoor.Rima.C [PCTools] Backdoor.Trojan [Symantec] Backdoor.Win32.Rima.a [Kaspersky Lab] Generic.yy [McAfee]

• Notes:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following file was modified:
• %System%\drivers\etc\hosts

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	319,488 bytes
gangsta.exe	%System%\gangsta.exe	319,488 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_CURRENT_USER\SYSTEM
• HKEY_CURRENT_USER\SYSTEM\ControlSet001
• HKEY_CURRENT_USER\SYSTEM\ControlSet001\Services
• HKEY_CURRENT_USER\SYSTEM\ControlSet002
• HKEY_CURRENT_USER\SYSTEM\ControlSet002\Services
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• gangsta = "%System%\gangsta.exe"

so that gangsta.exe runs every time Windows starts

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
• (Default) = "%System%\gangsta.exe "%1" %*"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
• (Default) = "%System%\gangsta.exe "%1" %*"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server]
• fDenyTSConnections = 0x0015F844
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
• fDenyTSConnections = 0x0015F844

Other details

• The following ports were open in the system:

• The HOSTS file was updated with the following URL-to-IP mappings:

• The following Host Name was requested from a host database:
• Centuri.FR.Worldnet.Net

• There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
• %System%\MSVBVM60.DLL

Outbound traffic (potentially malicious)

• Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below: