ThreatExpert Report: Adware:Win32/Koutodoor.A, Backdoor.Win32.Delf, Generic BackDoor!1rk..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 25 October 2012, 15:03:12
Processing time: 9 min 4 sec
Submitted sample:

File MD5: 0x47B55983BBF9762205B932DB934FE3F3
File SHA-1: 0x42A78BF5F143E79BEE019A1D21C15DA493787325
Filesize: 806,101 bytes
Alias:

Adware:Win32/Koutodoor.A [Microsoft]
Backdoor.Win32.Delf [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\?????????.lnk	682 bytes	MD5: 0xB2F1AE974F94CA1F5E69F4B1E3B197FD SHA-1: 0x102652B1AFB8F61BBB3B8BAA9F49300996933535	(not available)
2	%Programs%\?????????\????????Â°?.lnk	1,596 bytes	MD5: 0xBE9A6601B5A7A70BD6BFA44F6E58CEA6 SHA-1: 0x8F1F58F7966069A838665CF3D474A6CD7DB3A084	(not available)
3	%Programs%\?????????\?????????.lnk	694 bytes	MD5: 0x40D04685C35793F00258BC7005E5B609 SHA-1: 0xA59431B5E8169EE1456D77310C9E91F7738A1DD8	(not available)
4	%Programs%\?????????\???????.lnk	507 bytes	MD5: 0xF8E1D3E0464858FB38B5AF14407B77A8 SHA-1: 0x08C98FD99790CAE93939723299A8F26914A4DB06	(not available)
5	%ProgramFiles%\speedsys\License.txt	2,164 bytes	MD5: 0x0D39EE058C7C1E0B4C62994E78C8E818 SHA-1: 0xF4BB7624C9E2299CC29A365AA037C204C2F10577	(not available)
6	%ProgramFiles%\speedsys\PORTTALK.SYS	3,567 bytes	MD5: 0x7D5A2D755B6C6579F63657B527D6FF1B SHA-1: 0xFD7D864B96BAFA21A76128BFB02DCCCB57EDDAD6	(not available)
7	%ProgramFiles%\speedsys\Readme.txt	251 bytes	MD5: 0x0063D7CF3B81D080F627E4EFD7974EED SHA-1: 0x66A39072D3637D75EBE274FE9745E27B51DAA040	(not available)
8	%ProgramFiles%\speedsys\speedsys.exe	501,248 bytes	MD5: 0xB1D9C523DC136780120519229DDBD5D2 SHA-1: 0xEB9097A9BF03B63ABFB5E12A59DF492D14DC4226	Generic BackDoor!1rk [McAfee] Mal/Emogen-P [Sophos] Backdoor.Win32.Delf [Ikarus] packed with ASPack [Kaspersky Lab]
9	%ProgramFiles%\speedsys\uninst.exe	54,872 bytes	MD5: 0xC930211FFE7C45176918C01A45C8E774 SHA-1: 0xA3C68CCB7FCD36B47BF3E4D03BF13C0ECA956DC5	(not available)
10	%ProgramFiles%\speedsys\?????????.url	97 bytes	MD5: 0x5DF2F24AF3E929137263504671024ACC SHA-1: 0x0899461A649FEC5D4180D0944F64C1A3DD660F5D	(not available)
11	[file and pathname of the sample #1]	806,101 bytes	MD5: 0x47B55983BBF9762205B932DB934FE3F3 SHA-1: 0x42A78BF5F143E79BEE019A1D21C15DA493787325	Adware:Win32/Koutodoor.A [Microsoft] Backdoor.Win32.Delf [Ikarus]

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%Programs%\?????????
%ProgramFiles%\speedsys

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	208,896 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\?????????
HKEY_CURRENT_USER\Software\speedsys

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\?????????]

DisplayName = "????????? V2.6"
UninstallString = "%ProgramFiles%\speedsys\uninst.exe"
DisplayIcon = "%ProgramFiles%\speedsys\speedsys.exe"
DisplayVersion = "V2.6"
URLInfoAbout = "http://www.haote.com/update.php?name=?????????"
Publisher = "www.haote.com"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following Host Names were requested from a host database:

192.5.5.241
www.kk3456.com
www.pp1234.net

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
192.5.5.241	1034

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
adsvc1.unadnet.com.cn	80	(null)	(null)
0.0.0.0	80	(null)	(null)

The following GET requests were made:

5.xml
ad/softad/popup.htm
count/softcount/?speedsys
ad/softad/tuijian.htm
ad/softad/index.jpg
count/softcount/index.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.