ThreatExpert Report: Trojan.Win32.Genome, Mal/KeyGen-W, Win-Appcare/HackTool.62013, Trojan Horse..

Submission Summary:

Submission details:

Submission received: 15 August 2012, 11:56:05
Processing time: 9 min 2 sec
Submitted sample:

File MD5: 0x4A34AA0DFC704DF5476B3DFE35BEEF90
File SHA-1: 0xCB07E7BD0CB61FE510085A7744223CCCA49F1F7A
Filesize: 860,328 bytes
Alias: Trojan.Win32.Genome [Ikarus]

Summary of the findings:

What's been found	Severity Level
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.AZ	Trojan.Downloader.AZ downloads various other malware without the users knowledge, including a dialer which sits in your temp directory and can change your ISP phone number on your computer to a high rate phone number.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\31.dll	212,992 bytes	MD5: 0x95CF9472DC328862B79C558AB294A5B1 SHA-1: 0x618262CA27A5FCE48BDF4182410038C641969E63	(not available)
2	%Temp%\32.EXE	5,408 bytes	MD5: 0x4E02F745DAFC1BCDDB04BD01B8F70D8E SHA-1: 0xFF781A9262A13E115E0D336FDEDCA8384373995C	(not available)
3	%Temp%\33.COM	4,975 bytes	MD5: 0x6F6CE35F213833201D91CF38220A2579 SHA-1: 0x984FD2238B473FB3EB6C9D0BAB9EBA2CA9DD5EC9	(not available)
4	%Temp%\34.exe	37,888 bytes	MD5: 0x71EAAAD4F50FB4FD11463FA51A96F1A7 SHA-1: 0xA3A3EE278864B6B0D1FA802EFCFD5009DBEEE71B	Mal/KeyGen-W [Sophos]
5	%Temp%\35.com	305 bytes	MD5: 0xC85F55B90EAB5E174BDCD127C8DEE60A SHA-1: 0x309D4DB735729504149ED4ABB42D6B057E7AAEE5	(not available)
6	%Temp%\36.com	333 bytes	MD5: 0xF83B0A9BFC1BEE548736F74233F14139 SHA-1: 0xC4585874E31E9DB8E42F18E1016230E10B55EF8C	(not available)
7	%Temp%\37.COM	4,975 bytes	MD5: 0x9E778B85CF73079F89DBC36B8D7654B2 SHA-1: 0x8610EEE3977A5B4CF19DA5BA7A4F708E73C7A496	(not available)
8	%Temp%\38.EXE	62,128 bytes	MD5: 0xEE0B2024D6DD4BE46F5A207AA90A9E4B SHA-1: 0x9288650324230EA8866503780BF31E4DC65E244A	Win-Appcare/HackTool.62013 [AhnLab]
9	%Temp%\39.EXE	13,774 bytes	MD5: 0xB6F4F4D10C9D682EBF1E705A3365ACCC SHA-1: 0x6827A43557E668CE4F98562AB6438ECF975E743A	(not available)
10	%Temp%\40.exe	37,376 bytes	MD5: 0x040CF371509A2FBDF82C53AEA05946AA SHA-1: 0xD3E2A938C5B2C38D01632D04CB2212D174CA25C9	Trojan Horse [Symantec] Trojan.Win32.Genome.eqiv [Kaspersky Lab] Mal/KeyGen-W [Sophos] Trojan:Win32/Bumat!rts [Microsoft] Trojan.Win32.Genome [Ikarus] Win-Trojan/Xema.variant [AhnLab]
11	%Temp%\41.exe	670,208 bytes	MD5: 0x38BD05D6C37DAB5A9BF50861991FBAFB SHA-1: 0xF742FA38B0811475EC5691792DF58CC888CB5A3A	Trojan Horse [Symantec] Mal/Packer [Sophos] packed with VGCrypt [Kaspersky Lab]
12	[file and pathname of the sample #1]	860,328 bytes	MD5: 0x4A34AA0DFC704DF5476B3DFE35BEEF90 SHA-1: 0xCB07E7BD0CB61FE510085A7744223CCCA49F1F7A	Trojan.Win32.Genome.eqiv [Kaspersky Lab] Trojan.Win32.Genome [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
38.EXE	%Temp%\38.exe	73,728 bytes
40.exe	%Temp%\40.exe	102,400 bytes
34.exe	%Temp%\34.exe	106,496 bytes
41.exe	%Temp%\41.exe	1,691,648 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
31.dll	%Temp%\31.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xAD6000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\PdfSecurity.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9FB631C3-188D-474B-9CB3-334FF4D1569E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt.1\CLSID

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\PdfSecurity.DLL]

AppID = "{9FB631C3-188D-474B-9CB3-334FF4D1569E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9FB631C3-188D-474B-9CB3-334FF4D1569E}]

(Default) = "PdfSecurity"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\VersionIndependentProgID]

(Default) = "PdfSecurity.PdfCrypt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\TypeLib]

(Default) = "{9FB631C3-188D-474B-9CB3-334FF4D1569E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\ProgID]

(Default) = "PdfSecurity.PdfCrypt.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}\InprocServer32]

(Default) = "%Temp%\31.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}]

(Default) = "CPdfCrypt Object"
AppID = "{9FB631C3-188D-474B-9CB3-334FF4D1569E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}\TypeLib]

(Default) = "{9FB631C3-188D-474B-9CB3-334FF4D1569E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54E31B16-3C8A-4304-AF7A-DA0F25CCAB91}]

(Default) = "IPdfCrypt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\0\win32]

(Default) = "%Temp%\31.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\HELPDIR]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FB631C3-188D-474B-9CB3-334FF4D1569E}\1.0]

(Default) = "PdfSecurity 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt\CurVer]

(Default) = "PdfSecurity.PdfCrypt.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt\CLSID]

(Default) = "{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt]

(Default) = "CPdfCrypt Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt.1\CLSID]

(Default) = "{44AA7D84-A2E1-4FA5-AEA1-EDBB2676555E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PdfSecurity.PdfCrypt.1]

(Default) = "CPdfCrypt Object"

Other details

The following Host Name was requested from a host database:

192.5.5.241

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.