Submission Summary:

What's been found                                                          Severity Level
  - Downloads/requests other files from Internet.
  - Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
  - Creates a startup registry entry.
  - Contains characteristics of an identified security risk.

Technical Details:


Possible Security Risk

Threat Category / Description
  - A network-aware worm that attempts to replicate across the existing network(s)
  - A program that downloads files to the local computer that may represent security risk

File System Modifications

#  Filename(s) / File Size / File Hash / Alias

1. %Windir%\programs\desktop.ini
   File size: 64 bytes
   MD5:   0x8E7B725A609DE7C5960087E14DAC2E3A
   SHA-1: 0x20D14FAD9FD6C7304842A55D931EDF18638E5C91
   Alias: (not available)

2. %Windir%\programs\fuckme.vbs
   File size: 98 bytes
   MD5:   0x0925BDAA312FECB530C1D48B220D31CE
   SHA-1: 0xDE8D85A93ACB9BABFA71A74EBB40402B02853043
   Alias: (not available)

3. %Windir%\programs\ini.exe
   File size: 27,402 bytes
   MD5:   0x7F55E221663B035514F75BD2E1F1B403
   SHA-1: 0x6CF532DA38EBB573F3F4069897A91C74C66FF66B
   Alias: Worm:Win32/Chiviper.C [Microsoft]
          Trojan-Downloader.Win32.Apher [Ikarus]

4. %Windir%\programs\wsock32.dll
   File size: 17,408 bytes
   MD5:   0x71E5691185F83F92FE3D224234B9DC8F
   SHA-1: 0x413A65D155EFD4B80A0852A64CF41395DAD7483D
   Alias: Downloader.Generic [PCTools]
          Downloader [Symantec]
          Worm.Win32.AutoRun.ajxv [Kaspersky Lab]
          Downloader-BNC [McAfee]
          Worm.Win32.AutoRun [Ikarus]

5. [file and pathname of the sample #1]
   File size: 27,401 bytes
   MD5:   0x402A5B90850F792014BA4140C7A7A169
   SHA-1: 0xFFD3F3FACDC47EBF898FD366E91B2BD2CE0BF40B
   Alias: Worm:Win32/Chiviper.C [Microsoft]
          Trojan-Downloader.Win32.Apher [Ikarus]

6. %Windir%\system32\[garbled filename]
   File size: 904 bytes
   MD5:   0xF7BAA0EF2A6E106253085D6C0A5C0F03
   SHA-1: 0x5677225F1453B7153132F713B50BD3633594B057
   Alias: (not available)

Memory Modifications

Process Name                  Process Filename                        Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]    57,344 bytes

Registry Modifications


Other details

China

Server Name   Server Port   Connect as User   Connection Password
127.0.0.2     80            127.0.0.2         127.0.0.2
127.0.0.3     80            127.0.0.3         127.0.0.3

URL to be downloaded          Filename for the downloaded bits
http://8.5295sf.cn/123.txt    %Temp%\\configmon.dat
http://8.5295sf.cn/me.exe     c:\__default.pif


Downloaded File Summary:

What's been found                                                          Severity Level
  - Produces outbound traffic.
  - Downloads/requests other files from Internet.
  - Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
  - Creates a startup registry entry.
  - Contains characteristics of an identified security risk.

Technical Details:


Possible Security Risk

Security Risk            Description
Backdoor.Hupigon.GEN     Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer causing IE to hide itself. It also logs keystrokes and sends this information to remote servers.
Backdoor.Graybird.GEN    Backdoor.Graybird.GEN has rootkit functionality. It injects itself into various processes causing them to be hidden. It also logs keystrokes and sends this information to remote servers.

Threat Category / Description
  - A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
  - A network-aware worm that attempts to replicate across the existing network(s)
  - A program that downloads files to the local computer that may represent security risk

File System Modifications

#  Filename(s) / File Size / File Hash / Alias

1. %Windir%\Ati2et.exe
   File size: 9,984 bytes
   MD5:   0xD085A97851C336C1418CE27F1099CA43
   SHA-1: 0xFACC20EE09D9400625144372D7B89C2462F65DB9
   Alias: Suspicious.MH690 [Symantec]
          Mal/Emogen-R [Sophos]
          Trojan:Win32/Chcod.A [Microsoft]

2. %Windir%\Hacker.com.cn.exe
   File size: 761,344 bytes
   MD5:   0xD285D8E601E6AEABE552A87DF7A4E45A
   SHA-1: 0x17963E53D3A2F8D6C9740A9376E00FE5FE09E3DF
   Alias: Backdoor.Hupigon.abo [PCTools]
          Backdoor.Graybird [Symantec]
          Backdoor.Win32.Hupigon.dsx [Kaspersky Lab]
          BackDoor-AWQ.b [McAfee]
          BKDR_HUPIGON.EWE [Trend Micro]
          Troj/GrayBrd-CD [Sophos]
          Backdoor:Win32/Hupigon [Microsoft]
          Virus.Win32.Hupigon.EA [Ikarus]
          Win-Trojan/Hupigon.761344.B [AhnLab]

3. %Windir%\programs\desktop.ini
   File size: 64 bytes
   MD5:   0x8E7B725A609DE7C5960087E14DAC2E3A
   SHA-1: 0x20D14FAD9FD6C7304842A55D931EDF18638E5C91
   Alias: (not available)

4. %Windir%\programs\fuckme.vbs
   File size: 0 bytes
   MD5:   0xD41D8CD98F00B204E9800998ECF8427E
   SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)

5. %Windir%\programs\ini.exe
   File size: 56,073 bytes
   MD5:   0x9311F63EF422EC8EA2FCC1B8923F9D46
   SHA-1: 0x23360E76FDD15C7CBCC9BE4DD455276A76014F47
   Alias: HTML.Psyme.Gen [PCTools]
          Downloader [Symantec]
          Worm.Win32.AutoRun.aqcp [Kaspersky Lab]
          Exploit-DcomRpc.gen [McAfee]
          Mal/Behav-156 [Sophos]
          Trojan-Downloader.Win32.Apher [Ikarus]

6. %Windir%\programs\wsock32.dll
   File size: 17,408 bytes
   MD5:   0x71E5691185F83F92FE3D224234B9DC8F
   SHA-1: 0x413A65D155EFD4B80A0852A64CF41395DAD7483D
   Alias: Downloader.Generic [PCTools]
          Downloader [Symantec]
          Worm.Win32.AutoRun.ajxv [Kaspersky Lab]
          Downloader-BNC [McAfee]
          Worm.Win32.AutoRun [Ikarus]

7. [file and pathname of the sample #1]
   File size: 56,072 bytes
   MD5:   0x0DD6B486EFFE220E28AD2A8C2C82AC6B
   SHA-1: 0xD736FF63B434F75E5C9903FFCD73C09FE2EE3854
   Alias: HTML.Psyme.Gen [PCTools]
          Downloader [Symantec]
          Worm.Win32.AutoRun.aqcp [Kaspersky Lab]
          Exploit-DcomRpc.gen [McAfee]
          Mal/Behav-156 [Sophos]

8. [file and pathname of the sample #2]
   File size: 12,352 bytes
   MD5:   0xF11C3FBC74EFF45A63DDB7DB355D7EE1
   SHA-1: 0x6E03DC70B4C763044043A6966FA647D9E74529F9
   Alias: Suspicious.MH690 [Symantec]
          Downloader-BXG [McAfee]
          Trojan:Win32/Chcod.A [Microsoft]
          Trojan.Win32.Chcod [Ikarus]

9. %Windir%\system32\[garbled filename]
   File size: 904 bytes
   MD5:   0xF7BAA0EF2A6E106253085D6C0A5C0F03
   SHA-1: 0x5677225F1453B7153132F713B50BD3633594B057
   Alias: (not available)

Memory Modifications

Process Name                  Process Filename                        Main Module Size
Ati2et.exe                    %Windir%\ati2et.exe                     9,984 bytes
Hacker.com.cn.exe             %Windir%\hacker.com.cn.exe              794,624 bytes
[filename of the sample #3]   [file and pathname of the sample #3]    794,624 bytes
[filename of the sample #1]   [file and pathname of the sample #1]    57,344 bytes
[filename of the sample #2]   [file and pathname of the sample #2]    12,352 bytes

Service Name   Display Name   Status      Service Filename
Ati2et         Ati HotKt      "Running"   %Windir%\Ati2et.exe
smss.exe       smss.exe       "Stopped"   %Windir%\Hacker.com.cn.exe

Registry Modifications


Other details

China

Port   Protocol   Process
1033   TCP        Ati2et.exe (%Windir%\Ati2et.exe)

Remote Host      Port Number
dvd4.3322.org    7890

Outbound traffic (potentially malicious)


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.