ThreatExpert Report: Virus.Win32.Sality.aa, W32/Sality.gen.b, W32/Sality-AM, Virus.Win32.Sality..

Submission Summary:

Submission details:

Submission received: 17 June 2012, 09:00:15
Processing time: 12 min 30 sec
Submitted sample:

File MD5: 0x41B4ECE520E0DE1B64D051D4AB52EF7B
File SHA-1: 0x6CD5FFFA2D5927E68B0239CAED08E69FE0BA09D7
Filesize: 305,426 bytes
Alias:

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.Bifrose	Backdoor.Bifrose is a backdoor trojan that attempts to propagate by exploiting local network shares. It will also attempt to join a predefined IRC server and channel in order to participate in DDoS attacks.
Backdoor.Optix	Backdoor.Optix is a backdoor Trojan program which opens ports on the infected computer and allows the attackers to gain unauthorized access to the system.

Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\addon.dat	25,254 bytes	MD5: 0x3118E11522E21E5DAAAC51611D51DA90 SHA-1: 0x6B9D9CB029E4598E3967249C33C7C2EC55131373	(not available)
2	%AppData%\Bifrost\klog.dat %System%\Bifrost\klog.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%AppData%\Bifrost\server.exe c:\Extracted\Nashy.exe %System%\Bifrost\server.exe	84,871 bytes	MD5: 0x449ABADFCE3792E49B72C7D3C97AA8E0 SHA-1: 0xFD4DA097709300122A214114CB7E7AC0DCA31105	Backdoor.Bifrose [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus.Win32.Bifrose [Ikarus]
4	%Temp%\00017E24_Rar\[filename of the sample #1] %Temp%\00017EA1_Rar\[filename of the sample #1] %Temp%\00032125_Rar\[filename of the sample #1] %Temp%\00032145_Rar\[filename of the sample #1] %Temp%\000323C5_Rar\[filename of the sample #1] %Temp%\000324FE_Rar\[filename of the sample #1] [file and pathname of the sample #1]	305,426 bytes	MD5: 0x41B4ECE520E0DE1B64D051D4AB52EF7B SHA-1: 0x6CD5FFFA2D5927E68B0239CAED08E69FE0BA09D7	Virus.Win32.Sality.aa [Kaspersky Lab] W32/Sality.gen.b [McAfee] W32/Sality-AM [Sophos] Virus.Win32.Sality [Ikarus] Win-Trojan/Buzus.98304.X [AhnLab]
5	c:\Extracted\MPS-15-SE.exe	130,560 bytes	MD5: 0x5DC3321D633DCBA6B26828C2772F4A9C SHA-1: 0xC57285C084546A7CD387AF7FCFB9BFEA3ADFAB37	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Trojan-Dropper.Delf [Ikarus]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following files were modified:

[pathname with a string SHARE]\msinfo32.exe
[pathname with a string SHARE]\sapisvr.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\NetMeeting\cb32.exe
%ProgramFiles%\NetMeeting\conf.exe
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Outlook Express\oemig50.exe
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Web Publish\WPWIZ.EXE
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Windows Media Player\mplayer2.exe
%ProgramFiles%\Windows Media Player\setup_wm.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
%Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
%Windir%\hh.exe
%Windir%\inf\unregmp2.exe
%Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
%Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
%Windir%\msagent\agentsvr.exe
%Windir%\mui\muisetup.exe
%Windir%\NOTEPAD.EXE
%Windir%\pchealth\helpctr\binaries\HelpCtr.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.exe
%Windir%\pchealth\helpctr\binaries\HelpSvc.exe
%Windir%\pchealth\helpctr\binaries\HscUpd.exe
%Windir%\pchealth\helpctr\binaries\msconfig.exe
%Windir%\pchealth\helpctr\binaries\notiflag.exe
%Windir%\pchealth\UploadLB\Binaries\UploadM.exe
%Windir%\regedit.exe
%System%\accwiz.exe
%System%\actmovie.exe
%System%\ahui.exe
%System%\arp.exe
%System%\asr_fmt.exe
%System%\asr_ldm.exe
%System%\asr_pfu.exe
%System%\at.exe
%System%\atmadm.exe
%System%\attrib.exe
%System%\auditusr.exe
%System%\blastcln.exe
%System%\bootcfg.exe
%System%\bootok.exe
%System%\bootvrfy.exe
%System%\cacls.exe
%System%\calc.exe
%System%\charmap.exe
%System%\chkdsk.exe
%System%\chkntfs.exe
%System%\cidaemon.exe
%System%\cipher.exe
%System%\cisvc.exe
%System%\ckcnv.exe
%System%\cleanmgr.exe
%System%\clean_all.exe
%System%\cliconfg.exe
%System%\clipbrd.exe
%System%\clipsrv.exe
%System%\cmd.exe
%System%\cmdl32.exe
%System%\cmmon32.exe
%System%\cmstp.exe
%System%\Com\comrepl.exe
%System%\Com\comrereg.exe
%System%\comp.exe
%System%\compact.exe
%System%\conime.exe
%System%\control.exe
%System%\convert.exe
%System%\cscript.exe
%System%\ctfmon.exe
%System%\dcomcnfg.exe

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%AppData%\Bifrost
%Temp%\00032125_Rar
%Temp%\00032145_Rar
%Temp%\000323C5_Rar
%Temp%\000324FE_Rar
c:\System Volume Information\.
c:\System Volume Information\..
%Temp%\00017E24_Rar
%Temp%\00017EA1_Rar
c:\Extracted
%System%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
server.exe	%System%\Bifrost\server.exe	63,840 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	163,840 bytes
MPS-15-SE.exe	C:\Extracted\MPS-15-SE.exe	241,664 bytes
Nashy.exe	C:\Extracted\Nashy.exe	63,840 bytes
[filename of the sample #1]	%Temp%\00017ea1_rar\[filename of the sample #1]	163,840 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{52DA5F11-F3F2-3BB2-1A6E-E8037652B1F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{52DA5F11-F3F2-3BB2-1A6E-E8037652B1F9}]

stubpath = "%System%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 01
plg1 = EA 44 DC 02 A3 27 D7 5F 11 AD B9 07 DA F2 35 03 2A 35 8E 58 1B 0E 11 94 D4 F9 28 1F 11 4D 98 BC D2 64 44 8E CD F9 B9 BA 23 BD 45 ED 15 A6 77 AF B8 7C 04 4D 90 91 58 5F 81 3C 53 77 15 3A 53 7A E1 AB E6 8B 30 CA 34 56 F9 AD AD F8 4D 41 0F F6 9F 90 A2 1

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Croatia
	Iran

To mark the presence in the system, the following Mutex objects were created:

Bif127
Op1mutx9

The following Host Names were requested from a host database:

aaaaaaaaaaa1234.no-ip.biz
ilo.brenz.pl
rxgioz.com
yctaty.com
bffyjb.com
proaua.com
njasvx.com
jaumau.com
gokhvl.com
tpahqo.com
tfcqvx.com
kynjyo.com
ant.trenz.pl
pjjeif.com
dybolh.com
hiemxc.com
ohjmqa.com
qixitx.com
fttawc.com
eibyon.com
rysyrd.com
iuxrdl.com
aplkxh.com
hwrykn.com
jfijfm.com
uuujct.com
cqfusm.com
koabwk.com
libifq.com
nyyyyt.com
rtqmrf.com
unjhjh.com
pkmkaa.com
ajjjwz.com
pptyhh.com
musyya.com
neduuy.com
vviyoh.com
ziudcg.com
inidtd.com
huqaqx.com
degqce.com
ebsazb.com
ciibpy.com
gksiuz.com
uyozni.com
srlaxz.com
miuxgm.com
ewqheh.com
rakziy.com
nppwem.com
nxusdv.com
odxzyy.com
ofmhre.com
urkwtz.com
fmowpu.com
stcxym.com
econoe.com
seqqbu.com
rrphpa.com
hudiai.com
fwsewu.com
lnloxk.com
zqgvwl.com
xisixe.com
yahvvo.com
psyfci.com
udamef.com
lutfuw.com
cyejmi.com
wzlgmm.com
ywhkvo.com
xiiyqp.com
acgadv.com
riirma.com
uwuhcy.com
oqiecu.com
ikgira.com
maeapk.com
uzbtqf.com
oogyvl.com
rlihqv.com
rewesk.com
hsbeet.com
hftupm.com
yuakra.com
qooqth.com
zjvrfq.com
esoeel.com
jipcln.com
ppoijq.com
agwocz.com
tgvoei.com
mccqnu.com
kooofi.com
afaxey.com
zomguu.com
aqvewp.com
drwnqt.com
rjlaoi.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
aaaaaaaaaaa1234.no-ip.biz	81
rxgioz.com	443
60.190.222.139	80

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%ProgramFiles%\Internet Explorer\iexplore.exe

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.