ThreatExpert Report: Trojan.Win32.Buzus

Submission Summary:

Submission details:

Submission received: 27 September 2012, 03:02:55
Processing time: 8 min 32 sec
Submitted sample:

File MD5: 0x444A4DEC687CD02AAE2C393EFF5292E5
File SHA-1: 0x57B7EC3C4F5425520339C7930D182D6CF2D829C5
Filesize: 135,483 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%ProgramFiles%\enumerate_nm\nmeniem.dll %ProgramFiles%\enumerate_nm\nmenmgr.exe %ProgramFiles%\enumerate_nm\nmenup.exe %ProgramFiles%\enumerate_nm\uninst.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
2	[file and pathname of the sample #1]	135,483 bytes	MD5: 0x444A4DEC687CD02AAE2C393EFF5292E5 SHA-1: 0x57B7EC3C4F5425520339C7930D182D6CF2D829C5
3	%Windir%\Temp\scs8.tmp	2,686 bytes	MD5: 0x4A587187D760161311010B03417B3C3F SHA-1: 0x863BBF5F7F4114A1307C6BAD5DD89224D511FED5

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%ProgramFiles%\enumerate_nm

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	237,568 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nmenum
HKEY_LOCAL_MACHINE\SOFTWARE\Dbenum
HKEY_LOCAL_MACHINE\SOFTWARE\nmenum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

nmenum = "%ProgramFiles%\enumerate_nm\nmenup.exe"

so that nmenup.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nmenum]

DisplayName = "Enumerate-nm"
UninstallString = "%ProgramFiles%\enumerate_nm\uninst.exe"
DisplayIcon = "%ProgramFiles%\enumerate_nm\nmenup.exe"
DisplayVersion = "0.0.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Dbenum]

chkinst = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\nmenum]

prg_id = "G40112092419211190478"
prg_ver = "G401.0.0.0.0"

Other details

The following Host Name was requested from a host database:

192.5.5.241

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
app.upline.kr	80	(null)	(null)

The following GET requests were made:

app/ipcheck.asp
app/urlcheck.asp?icd=G401
filenm/uninst.exe
filenm/nmenup.exe
filenm/nmenmgr.exe
filenm/nmeniem.dll
app/inst_ok.asp?uid=G40112092419211190478&ver=G401.0.0.0.0&cd=G400

Downloaded File Summary:

Download details:

Download retrieved: 27 September 2012 03:11:28
Processing time: 8 min 27 sec
Downloaded sample #1:

File MD5: 0x5C0F9E1354819C1147F306504CC3C867
File SHA-1: 0xDAC79D98143059478C056ADCA69EF0E106EEAB9B
Filesize: 43,578 bytes

Downloaded sample #2:

File MD5: 0x2185BACE4B1A467A669A26F64998BC5B
File SHA-1: 0x75B1B5DECF3169053C635FD8CA9A1755F6ACA803
Filesize: 28,672 bytes

Downloaded sample #3:

File MD5: 0x0EAD1FC2951E4DD5208235C86EF29A19
File SHA-1: 0xAAFAD00911B50DF613AA378B5C3F90818049CA24
Filesize: 294,912 bytes

Downloaded sample #4:

File MD5: 0x20832F8444D93CCB2AF06F70A2033B90
File SHA-1: 0x7B9384496B5A8EB2D91E04391B09DD50110ABB79
Filesize: 270,336 bytes
Alias: Trojan.Win32.Buzus [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	43,578 bytes	MD5: 0x5C0F9E1354819C1147F306504CC3C867 SHA-1: 0xDAC79D98143059478C056ADCA69EF0E106EEAB9B	(not available)
2	[file and pathname of the sample #2]	28,672 bytes	MD5: 0x2185BACE4B1A467A669A26F64998BC5B SHA-1: 0x75B1B5DECF3169053C635FD8CA9A1755F6ACA803	(not available)
3	[file and pathname of the sample #3]	294,912 bytes	MD5: 0x0EAD1FC2951E4DD5208235C86EF29A19 SHA-1: 0xAAFAD00911B50DF613AA378B5C3F90818049CA24	(not available)
4	[file and pathname of the sample #4]	270,336 bytes	MD5: 0x20832F8444D93CCB2AF06F70A2033B90 SHA-1: 0x7B9384496B5A8EB2D91E04391B09DD50110ABB79	Trojan.Win32.Buzus [Ikarus]

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #3]	[file and pathname of the sample #3]	307,200 bytes
[generic host process]	[generic host process filename]	20,480 bytes
Au_.exe	%Temp%\~nsu.tmp\Au_.exe	237,568 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	237,568 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	28,672 bytes
Bu_.exe	%Temp%\~nsu.tmp\Bu_.exe	237,568 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #4]	[file and pathname of the sample #4]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x11000000 - 0x11043000
[filename of the sample #4]	[file and pathname of the sample #4]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x11000000 - 0x11043000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\VERSION
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EnumIEMon.Mon2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EnumIEMon.Mon2\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}
HKEY_LOCAL_MACHINE\SOFTWARE\nmenum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\VERSION]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\TypeLib]

(Default) = "{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\ProgID]

(Default) = "EnumIEMon.Mon2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}\InprocServer32]

(Default) = "[file and pathname of the sample #4]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}]

(Default) = "EnumIEMon.Mon2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}\TypeLib]

(Default) = "{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A73857CF-6B3F-4719-8536-037D29BB4C80}]

(Default) = "Mon2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\0\win32]

(Default) = "[file and pathname of the sample #4]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\HELPDIR]

(Default) = "%Windir%\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68CAC18C-F4CC-4DC6-8093-1356A6A26EE8}\1.0]

(Default) = "EnumIEMon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EnumIEMon.Mon2\Clsid]

(Default) = "{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EnumIEMon.Mon2]

(Default) = "EnumIEMon.Mon2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EEC9AFF-CA5E-4317-8A80-ED6B4FA7EBD3}]

(Default) = ""
NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\nmenum]

prg_bc = ""
prg_bce = ""
prg_bcp = ""
prg_bcpe = ""
prg_first = "1"
prg_mrun = "20120927"

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

The data identified by the following URL was then requested from the remote web server:

http://app.upline.kr/app/linfo.asp?mid=&ver=&etcbr=0

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.