Submission Summary:

• Submission details:
• Submission received: 23 May 2011, 06:21:27
• Processing time: 16 min 20 sec
• Submitted sample:
• File MD5: 0x4A5ED237B8E7908DA8E9F5A0A9709B83
• File SHA-1: 0x8052EAAD09863DBC75FE2E4F0261ECBA871A41D1
• Filesize: 146,944 bytes
• Alias:
• Packed.Protexor!gen1 [Symantec]
• Backdoor.Win32.Spammy.gf [Kaspersky Lab]
• Backdoor.Win32.Spammy [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Programs%\Startup\maswtjoy.exe [file and pathname of the sample #1]	146,944 bytes	MD5: 0x4A5ED237B8E7908DA8E9F5A0A9709B83 SHA-1: 0x8052EAAD09863DBC75FE2E4F0261ECBA871A41D1	Packed.Protexor!gen1 [Symantec] Backdoor.Win32.Spammy.gf [Kaspersky Lab] Backdoor.Win32.Spammy [Ikarus]
2	%ProgramFiles%\Internet Explorer\dmlconf.dat	16 bytes	MD5: 0x128BA31AB58C43ACE901DA9791AEC33E SHA-1: 0x016ACE5269AE925FE3D819569E67AFF01E123648	(not available)

• Notes:
• %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

• There was a new process created in the system:

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Japan

• To mark the presence in the system, the following Mutex objects were created:
• {1976742A-5B71-7A19-AEFE-0C985AB850FD}
• {19766E13-5B71-7A19-AEFE-0C985A1C50FD}
• {1976795D-5B71-7A19-AEFE-0C985A1C50FD}
• {1976795D-5B71-7A19-AEFE-0C985A2050FD}
• {1976795D-5B71-7A19-AEFE-0C985BB050FD}
• {1976795D-5B71-7A19-AEFE-0C985BF450FD}
• {1976795D-5B71-7A19-AEFE-0C985C0C50FD}
• {1976795D-5B71-7A19-AEFE-0C985C3850FD}
• {1976795D-5B71-7A19-AEFE-0C985C4450FD}
• {1976795D-5B71-7A19-AEFE-0C985CD450FD}
• {1976795D-5B71-7A19-AEFE-0C985D2C50FD}
• {1976795D-5B71-7A19-AEFE-0C985D4850FD}
• {1976795D-5B71-7A19-AEFE-0C985D8050FD}
• {1976681C-5B71-7A19-AEFE-0C985A1C50FD}
• {1976742A-5B71-7A19-AEFE-0C985AEC50FD}
• {1976795D-5B71-7A19-AEFE-0C985D9C50FD}
• {1976795D-5B71-7A19-AEFE-0C985E8C50FD}
• {1976795D-5B71-7A19-AEFE-0C985EEC50FD}
• {1976795D-5B71-7A19-AEFE-0C985F8050FD}
• {1976795D-5B71-7A19-AEFE-0C98609C50FD}
• {1976795D-5B71-7A19-AEFE-0C98611050FD}
• {1976795D-5B71-7A19-AEFE-0C98614C50FD}
• {1976795D-5B71-7A19-AEFE-0C98615450FD}
• {1976795D-5B71-7A19-AEFE-0C985B1C50FD}
• {1976795D-5B71-7A19-AEFE-0C985CE850FD}
• {1976795D-5B71-7A19-AEFE-0C985CF050FD}
• {1976795D-5B71-7A19-AEFE-0C985FC850FD}
• {1976795D-5B71-7A19-AEFE-0C985AB850FD}
• {1976795D-5B71-7A19-AEFE-0C985AF450FD}
• {1976795D-5B71-7A19-AEFE-0C985AFC50FD}
• {1976742A-5B71-7A19-AEFE-0C985AF450FD}
• {1976795D-5B71-7A19-AEFE-0C985AEC50FD}
• {1976742A-5B71-7A19-AEFE-0C985AFC50FD}
• Iexplore.XPExceptionFilter

• The following Host Names were requested from a host database:
• 91.220.62.30
• google.com
• rterybrstutnrsbberve.com
• erwbtkidthetcwerc.com
• rvbwtbeitwjeitv.com

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 443: