ThreatExpert Report: Trojan.ADH.2, Trojan.Win32.Scar.gnrr, Backdoor:Win32/Xyligan.A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 25 September 2012, 02:35:25
Processing time: 9 min 27 sec
Submitted sample:

File MD5: 0x40B1011FC64124A7DEB4518D3516B23D
File SHA-1: 0x47D32E2F3540F674327B70751995B8A4042B7B85
Filesize: 854,368 bytes
Alias:

Trojan.ADH.2 [Symantec]
Trojan.Win32.Scar.gnrr [Kaspersky Lab]
Backdoor:Win32/Xyligan.A [Microsoft]
Virus.Win32.Heur [Ikarus]

Summary of the findings:

What's been found	Severity Level
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\utavfu.exe	854,368 bytes	MD5: 0x40B1011FC64124A7DEB4518D3516B23D SHA-1: 0x47D32E2F3540F674327B70751995B8A4042B7B85	Trojan.ADH.2 [Symantec] Trojan.Win32.Scar.gnrr [Kaspersky Lab] Backdoor:Win32/Xyligan.A [Microsoft] Virus.Win32.Heur [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
utavfu.exe	%System%\utavfu.exe	1,892,352 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
aszjh	people Command Service	"Running"	%System%\utavfu.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASZJH
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASZJH\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASZJH\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aszjh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aszjh\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aszjh\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASZJH
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASZJH\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASZJH\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aszjh
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aszjh\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aszjh\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASZJH\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "aszjh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASZJH\0000]

Service = "aszjh"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "people Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASZJH]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aszjh\Enum]

0 = "Root\LEGACY_ASZJH\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aszjh\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aszjh]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\utavfu.exe"
DisplayName = "people Command Service"
ObjectName = "LocalSystem"
Description = "Windows Resource fix"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASZJH\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "aszjh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASZJH\0000]

Service = "aszjh"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "people Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASZJH]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aszjh\Enum]

0 = "Root\LEGACY_ASZJH\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aszjh\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aszjh]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\utavfu.exe"
DisplayName = "people Command Service"
ObjectName = "LocalSystem"
Description = "Windows Resource fix"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

The following ports were open in the system:

Port	Protocol	Process
1034	TCP	utavfu.exe (%System%\utavfu.exe)
1035	TCP	utavfu.exe (%System%\utavfu.exe)
1036	TCP	utavfu.exe (%System%\utavfu.exe)
1037	TCP	utavfu.exe (%System%\utavfu.exe)
1038	TCP	utavfu.exe (%System%\utavfu.exe)
1039	TCP	utavfu.exe (%System%\utavfu.exe)
1040	TCP	utavfu.exe (%System%\utavfu.exe)
1041	TCP	utavfu.exe (%System%\utavfu.exe)
1042	TCP	utavfu.exe (%System%\utavfu.exe)
1044	TCP	utavfu.exe (%System%\utavfu.exe)
1045	TCP	utavfu.exe (%System%\utavfu.exe)
1046	TCP	utavfu.exe (%System%\utavfu.exe)
1047	TCP	utavfu.exe (%System%\utavfu.exe)
1048	TCP	utavfu.exe (%System%\utavfu.exe)
1049	TCP	utavfu.exe (%System%\utavfu.exe)
1050	TCP	utavfu.exe (%System%\utavfu.exe)
1051	TCP	utavfu.exe (%System%\utavfu.exe)
1052	TCP	utavfu.exe (%System%\utavfu.exe)
1053	TCP	utavfu.exe (%System%\utavfu.exe)
1054	TCP	utavfu.exe (%System%\utavfu.exe)
1055	TCP	utavfu.exe (%System%\utavfu.exe)
1056	TCP	utavfu.exe (%System%\utavfu.exe)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.