ThreatExpert Report: New Malware.as, Trojan:Win32/FakeSmoke

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 October 2009, 10:43:51
Processing time: 9 min 9 sec
Submitted sample:

File MD5: 0x468DD5162C435F2E659EC840DE358DFB
File SHA-1: 0x4FCBEA4BA4224D23E95E796E763057509AD7FB94
Filesize: 53,332 bytes
Alias & packer info:

New Malware.as [McAfee]
packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\0n0lcomy.exe %Temp%\pbvuizgc.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	[file and pathname of the sample #1]	53,332 bytes	MD5: 0x468DD5162C435F2E659EC840DE358DFB SHA-1: 0x4FCBEA4BA4224D23E95E796E763057509AD7FB94	New Malware.as [McAfee] packed with UPX [Kaspersky Lab]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	3,891,200 bytes

Other details

The following Host Name was requested from a host database:

www.securewarrior.com

The following HTTP URLs were started reading:

http://www.securewarrior.com/securewarrior.php?p=CvwsDjorajTI22%2FhkeIBYrz2GzOselxogSmwXVaJYkE%3D
http://www.securewarrior.com/securewarrior.php?s=CvwsDjorajTI22%2FhkeIBYrz2GzOselxogSmwXVaJYkE%3D

Downloaded File Summary:

Download details:

Download retrieved: 6 October 2009 10:53:00
Processing time: 10 min 0 sec
Downloaded sample #1:

File MD5: 0x68C96EE22699244810C8CC1FB191AC37
File SHA-1: 0xE7E80129F5ECDEAFAE3B7825698ED6ED8AE5D32C
Filesize: 431,616 bytes

Downloaded sample #2:

File MD5: 0x63D85D048486C074739701F9295361A1
File SHA-1: 0x51A0A502E0DDFF1DC58BFF4E2F73F6F09261F704
Filesize: 886,806 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonDesktopDir%\SecureWarrior.lnk	949 bytes	MD5: 0x08D3A17512384B477B333C466655AA74 SHA-1: 0x947227C2423EDFD937C8D4783F654BAD2BD0C81E	(not available)
2	%CommonPrograms%\SecureWarrior\1 SecureWarrior.lnk	1,893 bytes	MD5: 0x31C709CD1AE484D546E0B46ACFC49BB2 SHA-1: 0x57509F7A933B8E3F0CA476E2864326C3FE683FC3	(not available)
3	%CommonPrograms%\SecureWarrior\2 Homepage.lnk	1,212 bytes	MD5: 0xF2DF624CB43806B7E414011F556B008B SHA-1: 0xB2E8B3D907C2D9CA8EF9EE3901D091B7F7C31AAA	(not available)
4	%CommonPrograms%\SecureWarrior\3 Uninstall.lnk	1,865 bytes	MD5: 0x8CB8B61FC3E5E6FB0C0F51708268C09F SHA-1: 0x67E6414FDB52BD2B525881D692E25EF88CBFBFFE	(not available)
5	%Temp%\nsk2.tmp\nsProcess.dll	4,096 bytes	MD5: 0x05450FACE243B3A7472407B999B03A72 SHA-1: 0xFFD88AF2E338AE606C444390F7EAAF5F4AEF2CD9	(not available)
6	%Temp%\nsk2.tmp\nsSCM.dll	5,632 bytes	MD5: 0x62EFA7B730EB0523A026EA4325403B77 SHA-1: 0x806ED3BD677CCF5D9817C9B464015E347F2C8F3C	(not available)
7	%ProgramFiles%\SecureWarrior Software\SecureWarrior\SecureWarrior.exe	786,432 bytes	MD5: 0x7B4D26689F693AE5F2ED69D822A1C435 SHA-1: 0xF1E2EDC14CA1B59002E0E73BC46FD85E30D5FB87	Trojan:Win32/FakeSmoke [Microsoft]
8	%ProgramFiles%\SecureWarrior Software\SecureWarrior\uninstall.exe	81,220 bytes	MD5: 0xB7B47C6A5791014CE26A46A8F9E18DD5 SHA-1: 0x33FCF1E285AFABE4856BC5C8EBABFD0AA13F3D54	(not available)
9	%Windir%\1054vir1z339.cpl	16,176 bytes	MD5: 0x19BCFBFCA49C638D6790BBCF80596259 SHA-1: 0x6CC6E2ECBA86DEE979620D23DAD3FAC7F9B56745	(not available)
10	%Windir%\10609sp5mbotz29.exe	16,815 bytes	MD5: 0x15266C73A762F801C642FEB71AB9C35F SHA-1: 0xA4B8BB4947A785A5842B54371AA72A56A1D1CC60	(not available)
11	%Windir%\10754zir9s6a5.bin	4,363 bytes	MD5: 0xD6D45678125BDC3901E3B01F21B0D487 SHA-1: 0x82EA4F874B3C4CA7FAB6FA5DDDCF6A3D576D2F42	(not available)
12	%Windir%\1081szambo58a9.bin	14,069 bytes	MD5: 0x86318CE3B8371F00A4177DF5E1E91E49 SHA-1: 0x87B052A8F7C6D6DAC3327E6C457386735AE0AD94	(not available)
13	%Windir%\10b9tzief5159.exe	17,217 bytes	MD5: 0x705285872536B045142FA98318C4D89B SHA-1: 0xFBC000DF79F13E334FE685A366F66C7B0952F807	(not available)
14	%Windir%\11812s5z69d.dll	12,024 bytes	MD5: 0x5432095A9496DBE38625140E4BB72182 SHA-1: 0xF34D30D54163A848941DDE949F207ACBC24C1CEC	(not available)
15	%Windir%\12559w9rmzb5.bin	13,535 bytes	MD5: 0x426EE7F37BA8EF4C2C4A83CC979EADB2 SHA-1: 0x4B5F232DF3F974E9451BABC3DCBE7DF69EC45F5C	(not available)
16	%Windir%\12574nz9-a-virus514.ocx	6,334 bytes	MD5: 0x3FBF7B2BAA503A9154598255D214183D SHA-1: 0x4607AF904E5B7EAA30A2E3A4D02E1FA4F0BE5F47	(not available)
17	%Windir%\12969spz5925.cpl	9,376 bytes	MD5: 0xFD92E805C52EFAB7B97741FA6D1885B5 SHA-1: 0x2B072F298C166DB8552CDD07DCC36F4AD0E9E0C7	(not available)
18	%Windir%\13000zorm9a95.exe	5,585 bytes	MD5: 0xA3A173A82984698AAC48B80C88352B36 SHA-1: 0xA1F542072EBA5CB454C0BF85C9468320BBD38AF2	(not available)
19	%Windir%\13092z5rm9c7.exe	7,606 bytes	MD5: 0xB0177BEBE25C62F3C3AD31D03556BCF0 SHA-1: 0xE2AA1E865C5C94AA4A7622493966B708BFECCE6A	(not available)
20	%Windir%\1322s95zse2953.dll	17,944 bytes	MD5: 0xA943CE578836B23EA3D818A809B0D3F9 SHA-1: 0x4E77C9A826388F67995557592B46D8BD4FA277B7	(not available)
21	%Windir%\13824hackto5l6cz9.ocx	15,083 bytes	MD5: 0x38657A436162012FB4DA72160F2B26CC SHA-1: 0xCED3905D133CD96FE97E8DFCBE1122E358615EBE	(not available)
22	%Windir%\13917hazkto59255.exe	15,161 bytes	MD5: 0x31A9BCCE3E189A3699F1FBC9060E3614 SHA-1: 0x4F012F588ED60794F75F581A0F846B187B99C449	(not available)
23	%Windir%\1394zvi5us554.bin	5,528 bytes	MD5: 0xAC673A4FECD1E09E3D28E12BB2B70CF4 SHA-1: 0xC41061486E0B2E0DC2903DB55D10286C2D8802AA	(not available)
24	%Windir%\13z45not9a-vir5s3a.dll	14,712 bytes	MD5: 0xE1432D374BE8193F6082499E34F71BB3 SHA-1: 0x4A5D23EE843074C889123A0B6AEF352734F0CD82	(not available)
25	%Windir%\14085spy595z.cpl	12,672 bytes	MD5: 0x48BA1B2ACC4A84AFE60B107109BB9BEE SHA-1: 0x88D9BC2D8D1AE7F6684609E629589805435EAF20	(not available)
26	%Windir%\14157worz97d.bin	13,515 bytes	MD5: 0x2D9280A6873B7AD575246C471166F764 SHA-1: 0x9E95F330091FAF8D0CCB147DE53F9760FE698740	(not available)
27	%Windir%\14525not-a-virzs9c8.dll	6,447 bytes	MD5: 0x234CBC1413DC4E287AC32EC07FD81E08 SHA-1: 0xF3164BFC4E8A708D73377BA46AE7F85482596CB8	(not available)
28	%Windir%\1459szyware2096.bin	7,303 bytes	MD5: 0x29CB0405F4141D70F344C9A7F38025A8 SHA-1: 0x44CF6DD0F937B1EC4178E1CF3C5CB50DDB53825B	(not available)
29	%Windir%\14654noz-a9virus4f5.exe	12,937 bytes	MD5: 0xDBE0DDBDA9F07B77CA20A30C15B32E38 SHA-1: 0xCBA56D0FB320170EC26E9D234E4DF6179EFB6144	(not available)
30	%Windir%\1490spywzr92455.dll	14,447 bytes	MD5: 0xD5E247EDC861C7FC887DC618983A222E SHA-1: 0xB49D2BC551052386919133E703FA927286179E81	(not available)
31	%Windir%\15149vi5z949e.cpl	17,369 bytes	MD5: 0x344FA9EB7313EB081C098C994BF713C6 SHA-1: 0x6E73999A23F2C958A65B6B2ABAEFB9EEE6EB9A54	(not available)
32	%Windir%\15388not9azvirus24d.cpl	4,415 bytes	MD5: 0x2E631B8A998D8D7E7977E6BB3A5D1B05 SHA-1: 0x34AD453C3CDC880FC9E27ADDA6E43EB330346CEE	(not available)
33	%Windir%\15392spamb5t279z.bin	4,716 bytes	MD5: 0x31501E9781131E0DEADAAA27E1308D6C SHA-1: 0x11EBD544774C34BCF8BDFB307DD3175419A6BBED	(not available)
34	%Windir%\154spam95t1bz.cpl	8,441 bytes	MD5: 0x7867EF780167D6BD9291F32B7FF66C9E SHA-1: 0xB0732B66D0FB4EC17DD9521E0C9303E1B0F1764F	(not available)
35	%Windir%\1555nzt-a-virus961.ocx	12,654 bytes	MD5: 0x1878C6D63AEF58E62F9C805012E99B93 SHA-1: 0x366B9BAEB6DDFEA0165573CDB5C3C2F820B4F27B	(not available)
36	%Windir%\15569pambot6f6z.bin	10,451 bytes	MD5: 0xA5040F53E79FB6D9F06CB7F2E729E111 SHA-1: 0x9E58A736F40225241CAAD1846A6ECB65A792DD50	(not available)
37	%Windir%\15569trzj24a9.dll	15,996 bytes	MD5: 0xCDBAE311C2C58848A44DB875D0185941 SHA-1: 0x42AE67C9D74F79A7225A02244375B272BE580BAC	(not available)
38	%Windir%\159549iru53ze.bin	12,301 bytes	MD5: 0x758BDD14190ED86F67CA759AD080D67B SHA-1: 0xF8B4047C0104F753BAB0895BAC182A049F015985	(not available)
39	%Windir%\16035haczt9ol5fd5.exe	17,287 bytes	MD5: 0x756A815CB4F2CDEF7AC490E619C23067 SHA-1: 0xC158FCC152814E0FEECEC4C09EF78093C4207968	(not available)
40	%Windir%\16507sza5bo955b.ocx	4,114 bytes	MD5: 0xEA6B6E4AFF361CAC914E7894FFBC2BA4 SHA-1: 0x2B33BD196719504F373CD16970525434469E2A88	(not available)
41	%Windir%\16a5zhreat503859.exe	13,784 bytes	MD5: 0x15404450535D87842C35E787FBF75B5D SHA-1: 0x0C2B354C8438CCC2E7EC82CE268450382A9E775C	(not available)
42	%Windir%\17077z9r5s71c.exe	4,454 bytes	MD5: 0x7FA12C0C6F2FBDB5FE58981A2131D7AD SHA-1: 0x4BE33D5AEFD0A0665B33F09DFB77C46C1D7A8E94	(not available)
43	%Windir%\1743z9py56.dll	10,037 bytes	MD5: 0x3EAEFA77434D464581F9694F04445075 SHA-1: 0x74673378AB5D121153D12B362037E566048C0127	(not available)
44	%Windir%\17509not-a-vzrus6685.bin	17,071 bytes	MD5: 0x1323461CB0D75C0D04067B7A89BF518A SHA-1: 0x302C426B79DC0514072B653F4C6AD68D639D4DBB	(not available)
45	%Windir%\176z8troj9565.exe	3,192 bytes	MD5: 0x786475AA2CD6525D555A3E2EF5F6378F SHA-1: 0x2534E20769024B0E1B41EE089A1DFD9B5CB99AFD	(not available)
46	%Windir%\17z69hac9too57d4.dll	16,162 bytes	MD5: 0x00CA9D843DCF859746A1CAD565C8E42A SHA-1: 0xC53D643015B882227D7FF4A6D60859F41B13E416	(not available)
47	%Windir%\17z8vi9u598.exe	14,917 bytes	MD5: 0xF98B937EDBF8C2158F7B9D3C9A3DB5A7 SHA-1: 0x36EF2B206F658877ECB1EAC0C6EB81F3E6325554	(not available)
48	%Windir%\1846s9ywarez358.exe	6,266 bytes	MD5: 0x2950860FE1E226910540DB12A159DD19 SHA-1: 0x91D746E67B08EC9858E6D302F8C137C38A6976C8	(not available)
49	%Windir%\185ddzwnload9r2402.ocx	15,439 bytes	MD5: 0x990484C0381483E75EE4F58065592BBD SHA-1: 0xD13AFB045E7AB85597D3249FF29FE38B22E422D9	(not available)
50	%Windir%\189705ro946dz.ocx	13,571 bytes	MD5: 0x15B77F74CFED9795331F6D258BCAEF2C SHA-1: 0xDC4E90FA500D302218978DB34E7178E5C6274FBB	(not available)
51	%Windir%\19560wormzd9.dll	15,379 bytes	MD5: 0xDED0533677108621BDE39AC608C9FD30 SHA-1: 0x175AA5C70CBE102383EBF0ED8B886E862D2CB6EB	(not available)
52	%Windir%\19561sp9mzot723.bin	10,492 bytes	MD5: 0xEB896DF54A86E076958418212E287AA8 SHA-1: 0xC0BD61AFA4E151D92B055E3DD81FEE694340D002	(not available)
53	%Windir%\1977st5al1z90.cpl	7,063 bytes	MD5: 0x5E1160EE642B07883A77762B540BC40E SHA-1: 0xE75C8EC78320F1A99722484FA42E6A4721759927	(not available)
54	%Windir%\19818not-a-v5rusz75.cpl	2,711 bytes	MD5: 0x2360F5F4307346AF4CAB6A01FFF70C82 SHA-1: 0xE2E9AA1F12722996C3293FDA79660714C9B3C2AE	(not available)
55	%Windir%\19952spz5cb.exe	14,588 bytes	MD5: 0x5F98F4826E5219FEC86997FD07B699B9 SHA-1: 0x22810AB4B45FC6C535C9E92941545182D57D9FEE	(not available)
56	%Windir%\19b8ad95are2z19.ocx	4,725 bytes	MD5: 0xB0E8104580B63C00761BE2DF52360962 SHA-1: 0xB95FDC786875D433B285EC02638D9341CD6C4B9F	(not available)
57	%Windir%\19z075roj94.ocx	7,671 bytes	MD5: 0x1E326EE0397DE163CB1448B5D28998C5 SHA-1: 0x606FA1AAAE64235A771B189EB1E1C880858E8E2B	(not available)
58	%Windir%\1aezd9wnload5r766.exe	16,559 bytes	MD5: 0x7441FFB41811E4220CC818B915F5BCAA SHA-1: 0x2DEA6CADE704986868EF9DC7B34FAE4B8199929D	(not available)
59	%Windir%\1b85vi92895z.ocx	16,043 bytes	MD5: 0x5F21814F5F948627BB9A133657BB7635 SHA-1: 0x453B335AA44F05F66E9085F7E6A8714BE5953DB4	(not available)
60	%Windir%\1c59tzief2757.dll	6,677 bytes	MD5: 0x08AC257F627482CFB4A0463C3E00B372 SHA-1: 0x7BFB0BA4FD95155BCECCF87A99478D3333A5A54F	(not available)
61	%Windir%\1c74addzare5199.bin	18,005 bytes	MD5: 0x9200161C6547D9A056AF98862DD45C3B SHA-1: 0xD28580A3C87FC854F6FA7734AA03F5C254B53466	(not available)
62	%Windir%\1c9aspa9sz5671.ocx	8,486 bytes	MD5: 0x3F05ED333D76F83BFB912F1541EEAA7F SHA-1: 0x5712E0AC5C9A5C3EFE67EAF74DB8EFFCF5BEF686	(not available)
63	%Windir%\1f05spar952849z.exe	11,258 bytes	MD5: 0x67AAAA1DA4CE8235264200A586C36E1E SHA-1: 0x8F4918FF8B938934251EDCBEF156E85A6BA684FB	(not available)
64	%Windir%\1f155i9188z.cpl	16,012 bytes	MD5: 0x36CD91D0E2EBB726013FD7EF231FDD1B SHA-1: 0x24F5D22E532159C6588A4198DF1FD73867830B97	(not available)
65	%Windir%\1fd9virz065.bin	11,745 bytes	MD5: 0xD94C13B1C81DE66D7B70C613DBAC316E SHA-1: 0x91CCE1CA709CB4E7812B811598E2ABD33C3EA4D9	(not available)
66	%Windir%\1z339sp5456.cpl	5,612 bytes	MD5: 0x9D2D0B3E67E08DAAB6D29DF7543F6ED3 SHA-1: 0x043CAE333F4B20FF375F25C2E694AC2C7885BC4F	(not available)
67	%Windir%\1z385a9kdoor1295.dll	13,870 bytes	MD5: 0xB8E22616E243006B1D3FC705243452D9 SHA-1: 0xEEAF656CE9EE368867CCED8BF92BE827ABEC5C2C	(not available)
68	%Windir%\1z510n9t-a-v5rus310.bin	4,847 bytes	MD5: 0x43A0CD7F1EF31D14AE87C593F266780B SHA-1: 0xCD452323C0E4C119A6B1C3F8EEA0BD4F47951033	(not available)
69	%Windir%\1z693t9oj5f1.dll	5,074 bytes	MD5: 0x3C79A5F53189D369834B5EC4B2455F15 SHA-1: 0x3405E4C6DFB26B6D2F28B23D8FBCED73971E3A21	(not available)
70	%Windir%\1z764spa5bo9261.ocx	17,136 bytes	MD5: 0x99DD5C7947ABAD60E52955A70D2DD06F SHA-1: 0xDD6D2F7A32D4DFF908C0CC94FDBD81C408DE2FE3	(not available)
71	%Windir%\203z3spambo95ad.cpl	17,156 bytes	MD5: 0x391846ADC47931CC77BC6ED6A71F19D0 SHA-1: 0xC43FD8AF67BBB1F231D4613C9BA0CD9C043DCB90	(not available)
72	%Windir%\20654trzj91b.bin	15,480 bytes	MD5: 0xF832A5D9B35391B9AC2550443FD553F5 SHA-1: 0xB5B5041AD26D852AF619865B9CD29C426FCA83A8	(not available)
73	%Windir%\2125s5ambot9a9z.cpl	11,422 bytes	MD5: 0x6B0EFF62E950C90BC4BBAB77D52A528B SHA-1: 0xA0E2241BC057808A50B597641092ABCEB240EE27	(not available)
74	%Windir%\21710zacktoo59.ocx	18,422 bytes	MD5: 0xAE647870C8CE5172F5F6E7CB308F0E9F SHA-1: 0x00630D2F357EB992FCE4EAD42DDC5559B56D2538	(not available)
75	%Windir%\21799wor5z5.dll	5,792 bytes	MD5: 0xCBEF96B4E273D3E8648A6C12E613FDF4 SHA-1: 0x6A7E3A60B2F20249B8256E029424EA898EC4CA72	(not available)
76	%Windir%\2255zteal249.dll	7,603 bytes	MD5: 0x5BCADB92D90330646B84D2C3AFFE208B SHA-1: 0x6B73D975CEFF498F28F59DC01169A873BA00291F	(not available)
77	%Windir%\22570nzt-a9vi5us6ae.dll	2,628 bytes	MD5: 0x6AA3C19A28EBB1EB999A9FD0B1E8C841 SHA-1: 0x9347DC2ED37E923EC43921C9786EBCD2D6D5B67A	(not available)
78	%Windir%\2291spzware5088.dll	11,950 bytes	MD5: 0xA88C97B7FA8724627FBFF3CABCBA0D5A SHA-1: 0xEC99DBAF12DAF8AD9CF80F09240E69FE719EE1BD	(not available)
79	%Windir%\23317s9am5ot5z0.ocx	2,610 bytes	MD5: 0x8CF108E1D934C836E10719F3D1C4DCC1 SHA-1: 0x6718BE604129747611905C94F760FA1F67C1AC65	(not available)
80	%Windir%\23508not-a-vz5u954f.bin	9,044 bytes	MD5: 0xE5C1137469D3A2D5B3F7B2BFF1341C66 SHA-1: 0x0BAE91E1738D70A219B74AEBC5DE16DB48BA5977	(not available)
81	%Windir%\23551zi9us259.cpl	9,859 bytes	MD5: 0xC8C82B9C64021137DB71918FF7574889 SHA-1: 0xD933E708C8A6609F0D5A072757111874FA056581	(not available)
82	%Windir%\235cspyzar95009.cpl	5,121 bytes	MD5: 0xC167516B8458DB89CF11E74253B2EA3F SHA-1: 0x801A5EBC790825BF83096536BCE43A61522692EB	(not available)
83	%Windir%\23725not9a-5irus39z.bin	9,229 bytes	MD5: 0x5404C6D589DCAF11418CB15AFFBA2285 SHA-1: 0x8A3F3ED40B685436EC7DAA5ACE2605486CFDF1A7	(not available)
84	%Windir%\23922hacktoo549cz.bin	3,871 bytes	MD5: 0xEF92E884BA063FEF45E4BC5299BA4356 SHA-1: 0x9794B240D38880B74058C606C9577A230777B203	(not available)
85	%Windir%\249z4tr5j393.ocx	17,896 bytes	MD5: 0x43E9126F90B8490955F76EB5C40119B1 SHA-1: 0xACF2D0F59F54EC1D68CB3641D263DA2172724A92	(not available)
86	%Windir%\24z53v9rus21.cpl	16,132 bytes	MD5: 0xBA420B88DC26DF97031A21113AF38EB9 SHA-1: 0xC99D98DC15C7D3CB95FE022F33D9A47229F488E8	(not available)
87	%Windir%\24zthie59315.dll	14,132 bytes	MD5: 0xFA3AE6AAF48A0B418F94DC863A73CD4A SHA-1: 0x3C25AABC554A04F05040EA03FD1E591A98F3F48C	(not available)
88	%Windir%\25346wozm498.dll	15,194 bytes	MD5: 0x6F4C5D8124B3970CB972688D38D5453D SHA-1: 0x4047F7FE38793625AA98840909DFC52084304359	(not available)
89	%Windir%\25634vizu9100.bin	9,908 bytes	MD5: 0xFE09E1AD94A78AC8EE1F71836811D91E SHA-1: 0x11CC96CFD603142C0FB9A24CA23F37E5F021DB34	(not available)
90	%Windir%\25924hzckto5l1ca.cpl	8,627 bytes	MD5: 0x27273CD706FC26D2B17ABE8F7BD78458 SHA-1: 0xF5526C9F9EB8C968A6AB461226776A8B666AC630	(not available)
91	%Windir%\25987wor93za.dll	14,694 bytes	MD5: 0xD8F11058AAEFECCA5E9E54045FD2044C SHA-1: 0xE2F79081C4EF29720738AA6EB869EC851C55547F	(not available)
92	%Windir%\25eds9eal883z.cpl	17,785 bytes	MD5: 0x4681BBAB7134051A082586B601F8522A SHA-1: 0xA41326C7D2649BAF4FD7CE599CA0C600DDBDD992	(not available)
93	%Windir%\25z079irus6a6.ocx	13,334 bytes	MD5: 0x2D555C1EE867CCB1FBCD704A6A6EC76D SHA-1: 0x46FFB5C0D4E4D88FEDBABD35E02FE6E03E7294EF	(not available)
94	%Windir%\25zd9parse5742.dll	13,730 bytes	MD5: 0x9998231D94C0910432AB2430FBE93D08 SHA-1: 0x69A3FB26A9A0318F74D942651C06BF5F387B8909	(not available)
95	%Windir%\2607dow9loader2z55.ocx	17,424 bytes	MD5: 0x390779D8EDBBAAFF3B1E1DA3985B83CC SHA-1: 0xA759FEDBA54437A1B0BAC4F5663BFF42AB5B0692	(not available)
96	%Windir%\269075oz-a-virus92.bin	7,788 bytes	MD5: 0xC57491232AA5C45A7FE2553766FB659D SHA-1: 0x81D8CA2AE8DF44C88BD0AB8B12DB04CDF74DADB6	(not available)
97	%Windir%\2740z5rus6d9.cpl	4,691 bytes	MD5: 0xD10A5D35583CAD4E41903C961596E3C9 SHA-1: 0x32221418B4767866399F9C4E50521F279911C1C6	(not available)
98	%Windir%\27424h5z9tool146.dll	3,846 bytes	MD5: 0x1163006A1912541AC9705D529C750AC9 SHA-1: 0xC301371A8A2F2700ED97E1A1CC428301F8FE8481	(not available)
99	%Windir%\27567szam5ot9be.cpl	3,276 bytes	MD5: 0x670DB958BE60F294EF8EAFE077A03B41 SHA-1: 0x8218968944C1C98D1E21C81F6B0ADC9084175896	(not available)
100	%Windir%\2785spz9se922.cpl	5,835 bytes	MD5: 0xA5CC38244DA707833879E3CDFB01C6D8 SHA-1: 0x18D9D8570DC12687F23D985EF506A48EC1379377	(not available)

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%CommonPrograms%\SecureWarrior
%Temp%\nsk2.tmp
%ProgramFiles%\SecureWarrior Software
%ProgramFiles%\SecureWarrior Software\SecureWarrior

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #2]	[file and pathname of the sample #2]	266,240 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	N/A
securewarrior.exe	%ProgramFiles%\securewarrior software\securewarrior\securewarrior.exe	N/A

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
SecureWarriorSvc	SecureWarrior Security Service	"Stopped"	%ProgramFiles%\SecureWarrior Software\SecureWarrior\SecureWarriorSvc.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureWarrior
HKEY_LOCAL_MACHINE\SOFTWARE\SecureWarrior
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECUREWARRIORSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECUREWARRIORSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECUREWARRIORSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecureWarriorSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecureWarriorSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecureWarriorSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

cf = ""
tr = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureWarrior]

DisplayName = "SecureWarrior"
UninstallString = ""%ProgramFiles%\SecureWarrior Software\SecureWarrior\uninstall.exe""
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\SecureWarrior]

Lang = "English"
Install_Dir = "%ProgramFiles%\SecureWarrior Software\SecureWarrior"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECUREWARRIORSVC\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECUREWARRIORSVC\0000]

Service = "SecureWarriorSvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "SecureWarrior Security Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECUREWARRIORSVC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecureWarriorSvc\Enum]

0 = "Root\LEGACY_SECUREWARRIORSVC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecureWarriorSvc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecureWarriorSvc]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%ProgramFiles%\SecureWarrior Software\SecureWarrior\SecureWarriorSvc.exe"
DisplayName = "SecureWarrior Security Service"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC\0000]

Service = "SecureWarriorSvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "SecureWarrior Security Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc\Enum]

0 = "Root\LEGACY_SECUREWARRIORSVC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%ProgramFiles%\SecureWarrior Software\SecureWarrior\SecureWarriorSvc.exe"
DisplayName = "SecureWarrior Security Service"
ObjectName = "LocalSystem"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

SecureWarrior = "%ProgramFiles%\SecureWarrior Software\SecureWarrior\SecureWarrior.exe -min"
[filename of the sample #1] = "[file and pathname of the sample #1]"

so that SecureWarrior.exe runs every time Windows starts

so that [file and pathname of the sample #1] runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex objects were created:

DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
{4317c2b1-0bc0-49ca-ba05-424581ec8ea0}

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.