ThreatExpert Report: Trojan-Dropper.Agent, Hacktool.Rootkit

Submission Summary:

Submission details:

Submission received: 10 January 2010, 06:37:58
Processing time: 6 min 0 sec
Submitted sample:

File MD5: 0x4344EB2221D8684512F32DF607035CC8
File SHA-1: 0xE9E1A4292016AFA2BEEDF84FC1B272D107DAB781
Filesize: 664,888 bytes
Alias: Trojan-Dropper.Agent [Ikarus]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\TCPZ_20090108\Files.EN.txt	1,309 bytes	MD5: 0xCCA571CEF868B4BA4AFE9E6AF349F8F5 SHA-1: 0x2556C76FFA3C500BBC0715ADC7E57B1093095F2C	(not available)
2	%Temp%\TCPZ_20090108\files.txt	1,906 bytes	MD5: 0xBC36F2397FE247A2E9AEBD9C3EE4797D SHA-1: 0xD43C79948939AAF16128D034740993062F9D9FC6	(not available)
3	%Temp%\TCPZ_20090108\ReadMe.en.txt	11,662 bytes	MD5: 0xE5F9BD11C7728BD5D585F27E2CDC4246 SHA-1: 0x1B990413C438F64959F252CAC42BC316F41DAF81	(not available)
4	%Temp%\TCPZ_20090108\ReadMe.txt	7,674 bytes	MD5: 0x9CF9A178334B49831F7C15D11BACB230 SHA-1: 0x75E4378301BBD6868F033C2AB95FA09721CEEA5B	(not available)
5	%Temp%\TCPZ_20090108\TCPZ.exe	589,160 bytes	MD5: 0x4D2BEBAD8EF7818035A263281C254C28 SHA-1: 0xD6A69EADA79D3157EE42703AB796FFB8E1127BC2	(not available)
6	%Temp%\TCPZ_20090108\TCPZ64.exe	790,376 bytes	MD5: 0x58804F544D9E46C37E827568D5C35E86 SHA-1: 0x929E83C4E450B346DF2D3FBF0BFBAF9C19D8591A	(not available)
7	%Temp%\TCPZ_20090108\VirtualDevice\Driver\tcpz-x64d.sys	15,208 bytes	MD5: 0x8F2B629FB8DB0B69B996B09D58BCD419 SHA-1: 0x863E86FE7FDBBAFD185C3B31DCF1CD98D5CC11AD	(not available)
8	%Temp%\TCPZ_20090108\VirtualDevice\Driver\tcpz-x86d.sys	12,136 bytes	MD5: 0x1D1E2AC3195B7D199337557CA9AB84CF SHA-1: 0x1AC8D3DB5647B3BCBA39C3B48A647207D4651BE7	Hacktool.Rootkit [PCTools] Hacktool.Rootkit [Symantec] Trojan-Dropper.Agent [Ikarus] packed with PE_Patch [Kaspersky Lab]
9	%Temp%\TCPZ_20090108\VirtualDevice\Driver\tcpz.cat	5,743 bytes	MD5: 0xCED67F4A8A97B3F70D615408EC6B61D5 SHA-1: 0xB7B980141EBCFC60AEFAD7954C04794D96C7E89F	(not available)
10	%Temp%\TCPZ_20090108\VirtualDevice\Driver\tcpz.inf	3,874 bytes	MD5: 0xD58EA370AC78C33BA61D1E78247E418A SHA-1: 0x05FF09EC32EFD774B0811AFAA61190FD98C80150	(not available)
11	%Temp%\TCPZ_20090108\VirtualDevice\Driver\TcpzPropPage-x64.DLL	29,544 bytes	MD5: 0x15188BA547CB20F803C7609F6B9A16CE SHA-1: 0x530140085B2C2F7BF7C6AA58CBF5FA0B79682A9C	(not available)
12	%Temp%\TCPZ_20090108\VirtualDevice\Driver\TcpzPropPage-x86.DLL	25,960 bytes	MD5: 0xDB843B5689C0A89BB2605073DA0127B1 SHA-1: 0x2560FD1CF0A31E8B5347E52E2C01BADCC4019734	(not available)
13	%Temp%\TCPZ_20090108\VirtualDevice\readme.EN.txt	3,433 bytes	MD5: 0x2FC255EAEA737ABE9A08D0781FC5EDB2 SHA-1: 0x5AC7479CB27304FCA84342AC108B0AAF9C89340D	(not available)
14	%Temp%\TCPZ_20090108\VirtualDevice\readme.txt	3,132 bytes	MD5: 0x8262A90777DE5CA59F5E72180C40CF50 SHA-1: 0x4A614D266CCDCEA33AEEC67BC33DE6B43AB79DB0	(not available)
15	%Temp%\TCPZ_20090108\VirtualDevice\RemoveWatermarkX64.exe	11,264 bytes	MD5: 0x45265B9ACB1185375D25C31A450DF367 SHA-1: 0xF5A03F00B8DECA799E29A1C08CF440C0DBBE40A4	(not available)
16	%Temp%\TCPZ_20090108\VirtualDevice\TCPZ_Setup-x64.exe	32,616 bytes	MD5: 0xDE8112218BBA2334FCBC5C1D400CB005 SHA-1: 0xE497BEEC9E63959E2CDDE33E2554A81BE53B0981	(not available)
17	%Temp%\TCPZ_20090108\VirtualDevice\TCPZ_Setup-x86.exe	25,960 bytes	MD5: 0x61D65D55CF363ECDA9976236DC8A9DBD SHA-1: 0xB21FF49CF29CF11975360FBBF1587D8E1D40FEF4	(not available)
18	[file and pathname of the sample #1]	664,888 bytes	MD5: 0x4344EB2221D8684512F32DF607035CC8 SHA-1: 0xE9E1A4292016AFA2BEEDF84FC1B272D107DAB781	Trojan-Dropper.Agent [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%Temp%\TCPZ_20090108
%Temp%\TCPZ_20090108\VirtualDevice
%Temp%\TCPZ_20090108\VirtualDevice\Driver

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	45,056 bytes
TCPZ_Setup-x86.exe	%Temp%\TCPZ_20090108\VirtualDevice\TCPZ_Setup-x86.exe	32,768 bytes
tcpz.exe	%Temp%\tcpz_20090108\tcpz.exe	602,112 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

TCP-Z
TCP-Z Network Monitor

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.