Submission Summary:

What's been found | Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat Category | Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

# | Filename(s) | File Size | File Hash | Alias

1 | %AppData%\SystemProc\lsass.exe
  File Size: 197,632 bytes
  File Hash: MD5: 0xAB2A342BCB98E4EDF2CDED6A64CBA8DB
             SHA-1: 0x83198BD92A9EAC86790119D6FBEB0ED7A2BEF920
  Alias: Malware.Ackantta [PCTools]
         W32.Ackantta!gen [Symantec]
         Trojan.Win32.Buzus.dckk [Kaspersky Lab]
         W32/Xirtem@MM [McAfee]
         Troj/Bckdr-RAT [Sophos]
         Worm:Win32/Prolaco.gen!E [Microsoft]
         Worm.Win32.Prolaco [Ikarus]
         Win-Trojan/Buzus.197632.I [AhnLab]

2 | %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  File Size: 1,141 bytes
  File Hash: MD5: 0x463C40D54ECA0946AE65B03B9614AB35
             SHA-1: 0xE5E80E4DB099C47575A876AC3228B42661D5F8D9
  Alias: Trojan.Gen [PCTools]
         Trojan.Gen [Symantec]
         Trojan.JS.Dursg [Ikarus]

3 | %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  File Size: 151 bytes
  File Hash: MD5: 0x2FA89BB5EC500C62CC40D5A46A6A8CD3
             SHA-1: 0xAB2C5FED92FB203FF7CA8B3353A9E086377AFEBD
  Alias: (not available)

4 | %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
  File Size: 773 bytes
  File Hash: MD5: 0xF3551A2C70B1A421F0DDF9306D92A1A0
             SHA-1: 0x0DD06C1DF1152D7E89EB01651C7FA705F1A40B68
  Alias: (not available)

5 | %System%\GoogleUpdates.exe
    [file and pathname of the sample #1]
  File Size: 419,328 bytes
  File Hash: MD5: 0x46F11CD0EE392974B1AE340C36251FF6
             SHA-1: 0x43DA8532FAFD3DBC681F062810FB12FA0944FC96
  Alias: Malware.Ackantta [PCTools]
         W32.Ackantta!gen [Symantec]
         Trojan.Win32.Buzus.dckk [Kaspersky Lab]
         W32/Xirtem@MM [McAfee]
         Mal/CryptBox-A [Sophos]
         Worm:Win32/Prolaco.gen!C [Microsoft]
         Trojan.Win32.Buzus [Ikarus]
         Win32/Prolaco.worm.419328 [AhnLab]


Memory Modifications

Process Name | Main Module Size
[filename of the sample #1] | 348,160 bytes

Service Name | Display Name | New Status | Service Filename
ERSvc | Error Reporting Service | "Stopped" | %System%\svchost.exe -k netsvcs
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs


Registry Modifications


Other details

1069 | UDP | [file and pathname of the sample #1]
1070 | UDP | [file and pathname of the sample #1]
1071 | UDP | [file and pathname of the sample #1]
1072 | UDP | [file and pathname of the sample #1]



Copyright © 2015 ThreatExpert. All rights reserved.