ThreatExpert Report: Trojan.Zlob

Submission Summary:

Submission details:

Submission received: 19 October 2009, 20:53:14
Processing time: 5 min 25 sec
Submitted sample:

File MD5: 0x4CC0AC489A3BD5081E287C67C7528731
File SHA-1: 0x6977B3D43FB4B999579A96B398F22F08CD231F74
Filesize: 207,675 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Spyware.Known_Bad_Sites	Indicates that a known bad site may have hijacked. Adware, Spyware and Phishing sites may use the Windows hosts file to redirect your browser to a malicious site when you try to access a valid site such as your Bank.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	207,675 bytes	MD5: 0x4CC0AC489A3BD5081E287C67C7528731 SHA-1: 0x6977B3D43FB4B999579A96B398F22F08CD231F74	(not available)
2	%System%\shdqmlecfe.exe	48,232 bytes	MD5: 0x25C9F46076B84A54FB1F22B2BA894AC6 SHA-1: 0x3D5C4ED88B836FD2BC6732A44D1F7DDBBA636C21	(not available)
3	%System%\yexwtvdndumljhu.dll	402,432 bytes	MD5: 0xB18390F1FBB2DC0142B4A4C87A27007C SHA-1: 0x1D42DE63AC9F7638DE32E92DA46CE480416C3EA8	Trojan.Zlob [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
Au_.exe	%Temp%\~nsu.tmp\Au_.exe	204,800 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
yexwtvdndumljhu.dll	%System%\yexwtvdndumljhu.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x10000000 - 0x10069000
yexwtvdndumljhu.dll	%System%\yexwtvdndumljhu.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xD70000 - 0xDD9000
yexwtvdndumljhu.dll	%System%\yexwtvdndumljhu.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xD70000 - 0xDD9000

Notes:

[generic host process filename] is a full path filename of [generic host process].
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{149C4E72-CB5B-9A9D-6778-3469ACF39EF5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{149C4E72-CB5B-9A9D-6778-3469ACF39EF5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149C4E72-CB5B-9A9D-6778-3469ACF39EF5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shdqmlecfe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\AppDataLow\Software
HKEY_CURRENT_USER\Software\AppDataLow\Software\{2BB221CA-30B8-F5BF-3FCB-B6E3F16DEC05}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{149C4E72-CB5B-9A9D-6778-3469ACF39EF5}\InProcServer32]

ThreadingModel = "Apartment"
(Default) = "%System%\yexwtvdndumljhu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{149C4E72-CB5B-9A9D-6778-3469ACF39EF5}]

(Default) = "primeadserving browser enhancer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149C4E72-CB5B-9A9D-6778-3469ACF39EF5}]

NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

uvhrivnrjxz = "%System%\regsvr32.exe /s "%System%\yexwtvdndumljhu.dll""

so that yexwtvdndumljhu.dll runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shdqmlecfe]

DisplayName = "RON Too1 Primeadserving"
UninstallString = "%System%\shdqmlecfe.exe"
NoModify = 0x00000000
NoRepair = 0x00000000
DisplayVersion = "2.6.0.4"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\{2BB221CA-30B8-F5BF-3FCB-B6E3F16DEC05}]

aff_id = "primeadserving"

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
168.75.207.20	80
174.129.137.196	80
204.0.5.17	80
204.0.5.32	80
204.0.5.9	80
209.200.63.68	80
209.200.63.75	80
64.237.101.84	80
66.114.51.44	80
66.94.242.24	80

The data identified by the following URLs was then requested from the remote web server:

http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/PDZtSLI5dR8vPFJTKlSwVnU7wGSAXSV3ASaGqBEUU6H7XbgAMOWD6g==/view.html
http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/1815906439/v/576462385090011167/ac/20/b/249119/c/304018/view.gif
http://t.invitemedia.com/track_imp?partnerID=77&campID=5100&crID=8362&auctionID=1256003887501386-8362&cost=0.1078&pubICode=633509&pub=124175&url=http%3A%2F%2Fservedby%2Ebetteradssolution%2Ecom%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D158%26dim%3D5
http://t.invitemedia.com/track_imp?partnerID=77&campID=5100&crID=8432&auctionID=1256003887501389-8432&cost=0.1694&pubICode=633509&pub=124175&url=http%3A%2F%2Fservedby%2Ebetteradssolution%2Ecom%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D142%26dim%3D7
http://t.invitemedia.com/track_imp?partnerID=77&campID=5100&crID=8361&auctionID=1256003887619956-8361&cost=0.5280&pubICode=528024&pub=138758&url=http%3A%2F%2Fservedby%2Ebetteradssolution%2Ecom%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D235%26dim%3D3
http://t.invitemedia.com/track_imp?partnerID=77&campID=5100&crID=8362&auctionID=1256003887501389-8362&cost=0.1260&pubICode=633509&pub=124175&url=http%3A%2F%2Fservedby%2Ebetteradssolution%2Ecom%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D160%26dim%3D5
http://t.invitemedia.com/track_imp?partnerID=77&campID=5100&crID=8432&auctionID=1256003887501370-8432&cost=0.1694&pubICode=633509&pub=124175&url=http%3A%2F%2Fservedby%2Ebetteradssolution%2Ecom%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D97%26dim%3D7
http://t.invitemedia.com/track_imp?partnerID=77&campID=5100&crID=8362&auctionID=1256003888639746-8362&cost=0.2469&pubICode=519731&pub=145644&url=http%3A%2F%2Fservedby%2Ebetteradssolution%2Ecom%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D68%26dim%3D5
http://rmd.atdmt.com/tl/DocumentDotWrite.js
http://content.yieldmanager.edgesuite.net/atoms/ad/7b/97/9e/ad7b979e837f789241d44315928569b6.jpg
http://content.yieldmanager.edgesuite.net/atoms/03/3b/b7/65/033bb765f100c87a47ef894ec90570aa.jpg
http://s0.2mdn.net/879366/flashwrite_1_2.js
http://s0.2mdn.net/1137660/SUB_2009_TruckMonth_160x600.swf
http://s0.2mdn.net/1137660/SUB_2009_TruckMonth_300x250.swf
http://s0.2mdn.net/1137660/SIL_2009_TruckMonth_728x90.swf
http://s0.2mdn.net/1137660/AVA_2009_TruckMonth_728x90.swf
http://s0.2mdn.net/1137660/160x600S_2009_CHV_TS_INM_GM_SilCD_V1.swf
http://s0.2mdn.net/1137660/inm_sil_gen_fuel_V4_728x90.swf
http://content.yieldmanager.com/ak/q.gif
http://aplatupla.com/imprss/1stads.php
http://aplatupla.com/bnnrs43/728x90/4a573eb6aac27.html
http://aplatupla.com/bnnrs43/160x600/4a573eb69d586.html
http://aplatupla.com/bnnrs43/468x60/4a537563e8310.html
http://aplatupla.com/bnnrs43/728x90/4a537563e8310.html
http://aplatupla.com/bnnrs43/160x600/4a573eb6ad7fa.html
http://aplatupla.com/bnnrs43/120x600/49ec4770ef063.html
http://aplatupla.com/bnnrs43/728x90/49ec4770ef063.html
http://aplatupla.com/bnnrs43/728x90/4a573eb6a5721.html
http://aplatupla.com/bnnrs43/300x250/4a97dc54d193f.html
http://aplatupla.com/bnnrs43/728x90/4a573eb6ad7fa.html
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=160&dim=5
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=158&dim=5
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=97&dim=7
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=68&dim=5
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=142&dim=7
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=67&dim=4
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=235&dim=3
http://servedby.betteradssolution.com/servlet/ajrotator/43/0/vh?z=ast&ch=130&dim=5
http://rotator.its.adjuggler.com/servlet/ajrotator/263541/0/vh?z=icm&dim=186262
http://rotator.its.adjuggler.com/servlet/ajrotator/263541/0/vh?ajecscp=1256003887118&z=icm&dim=186262
http://rotator.its.adjuggler.com/servlet/ajrotator/263541/0/vh?z=icm&dim=186155
http://rotator.its.adjuggler.com/servlet/ajrotator/263541/0/vh?ajecscp=1256003888797&z=icm&dim=186155
http://media2.adshuffle.com/images/unknown/a14d0ff3acfa458697e63bf55213b58a.jpg
http://ad.adserverplus.com/st?ad_type=ad&ad_size=468x60&section=639746
http://ad.adserverplus.com/imp?Z=468x60&s=639746&_salt=3060123383&B=10&r=0
http://ad.adserverplus.com/st?ad_type=ad&ad_size=728x90&section=639746
http://ad.adserverplus.com/imp?Z=728x90&s=639746&_salt=3914922999&B=10&r=0
http://ad.ad-flow.com/imp?Z=728x90&s=501380&_salt=133671329&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D130%26dim%3D5&r=0
http://ad.ad-flow.com/st?ad_type=iframe&ad_size=160x600&section=501389
http://ad.ad-flow.com/imp?Z=160x600&s=501389&_salt=3193305674&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D142%26dim%3D7&r=0
http://ad.ad-flow.com/st?ad_type=iframe&ad_size=728x90&section=501386
http://ad.ad-flow.com/imp?Z=728x90&s=501386&_salt=3910531471&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D158%26dim%3D5&r=0
http://ad.ad-flow.com/st?ad_type=iframe&ad_size=728x90&section=501389
http://ad.ad-flow.com/imp?Z=728x90&s=501389&_salt=3588468123&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D160%26dim%3D5&r=0
http://ad.ad-flow.com/st?ad_type=iframe&ad_size=160x600&section=501370
http://ad.ad-flow.com/imp?Z=160x600&s=501370&_salt=4020483616&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D97%26dim%3D7&r=0
http://ad.ad-flow.com/st?ad_type=iframe&ad_size=728x90&section=501380
http://ad.yieldmanager.com/imp?Z=120x600&s=517445&_salt=3727910419&B=10&u=http%3A%2F%2Frotator.its.adjuggler.com%2Fservlet%2Fajrotator%2F263541%2F0%2Fvh%3Fajecscp%3D1256003888797%26z%3Dicm%26dim%3D186155&r=0
http://ad.yieldmanager.com/imp?Z=468x60&s=639746&_salt=3060123383&B=10&r=0
http://ad.yieldmanager.com/imp?Z=160x600&s=501389&_salt=3193305674&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D142%26dim%3D7&r=0
http://ad.yieldmanager.com/imp?Z=300x250&s=619956&_salt=122759750&B=10&r=0
http://ad.yieldmanager.com/imp?Z=728x90&s=501386&_salt=3910531471&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D158%26dim%3D5&r=0
http://ad.yieldmanager.com/imp?Z=468x60&s=639746&_salt=3060123383&B=10&r=0&SIG=10vfg75d1;x-cookie=7zybbw15qd69r&o=4&f=tg
http://ad.yieldmanager.com/imp?Z=160x600&s=501389&_salt=3193305674&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D142%26dim%3D7&r=0&SIG=10vv0p41v;x-cookie=q41zq9c5qd69r&o=4&f=sg
http://ad.yieldmanager.com/imp?Z=300x250&s=619956&_salt=122759750&B=10&r=0&SIG=10voidh0n;x-cookie=1tb0wz15qd69r&o=4&f=q7
http://ad.yieldmanager.com/imp?Z=728x90&s=501386&_salt=3910531471&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D158%26dim%3D5&r=0&SIG=10vfg75d1;x-cookie=7zybbw15qd69r&o=4&f=tg
http://ad.yieldmanager.com/imp?Z=728x90&s=501389&_salt=3588468123&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D160%26dim%3D5&r=0
http://ad.yieldmanager.com/imp?Z=160x600&s=501370&_salt=4020483616&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D97%26dim%3D7&r=0
http://ad.yieldmanager.com/imp?Z=728x90&s=639746&_salt=3914922999&B=10&r=0
http://ad.yieldmanager.com/imp?Z=720x90&s=266189&_salt=2426070770&B=10&u=http%3A%2F%2Frotator.its.adjuggler.com%2Fservlet%2Fajrotator%2F263541%2F0%2Fvh%3Fajecscp%3D1256003887118%26z%3Dicm%26dim%3D186262&r=0
http://ad.spot200.com/st?ad_type=ad&ad_size=300x250&section=619956
http://ad.spot200.com/imp?Z=300x250&s=619956&_salt=122759750&B=10&r=0
http://ads.pubmatic.com/AdServer/js/showad.js
http://ads.pubmatic.com/AdServer/js/freq.html
http://ads.pubmatic.com/AdServer/js/syncuppixels.html
http://ads.pubmatic.com/AdServer/js/adtrackJ.js
http://t.adbuyer.com/imp?cr=3122813&bl=1112970&sl=557157&se=639746&si=&pu=145644&v=6708680&ci=Houston&c1=10000
http://t.adbuyer.com/imp?ul_cb=1&cr=3122813&bl=1112970&sl=557157&se=639746&si=&pu=145644&v=6708680&ci=Houston&c1=10000
http://ib.adnxs.com/getuid?http://image2.pubmatic.com/AdServer/Pug?vcode=bz0xJnR5cGU9MSZqcz0xJmNvZGU9NzkmdGw9MTQ0MCZkcF9pZD01Nw==&vcode=bz0yJnR5cGU9MSZqcz0xJmNvZGU9NzgmdGw9MTU3NjgwMCZkcF9pZD01Nw==&piggybackCookie=uid:$UID
http://ib.adnxs.com/setuid?entity=20&code=7697157735586518195
http://ib.adnxs.com/px?bidder=3&qsdata=5100,27839
http://ib.adnxs.com/px?bidder=3&qsdata=5100,27838
http://ib.adnxs.com/px?bidder=3&qsdata=5100,27840
http://cookex.amp.yahoo.com/v2/cexposer/SIG=160tr1kaa/*http%3A//ad.yieldmanager.com/imp?Z=160x600&s=501389&_salt=3193305674&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D142%26dim%3D7&r=0
http://cookex.amp.yahoo.com/v2/cexposer/SIG=12eplegoj/*http%3A//ad.yieldmanager.com/imp?Z=468x60&s=639746&_salt=3060123383&B=10&r=0
http://cookex.amp.yahoo.com/v2/cexposer/SIG=12ejipttf/*http%3A//ad.yieldmanager.com/imp?Z=300x250&s=619956&_salt=122759750&B=10&r=0
http://cookex.amp.yahoo.com/v2/cexposer/SIG=15vbospb0/*http%3A//ad.yieldmanager.com/imp?Z=728x90&s=501386&_salt=3910531471&B=10&u=http%3A%2F%2Fservedby.betteradssolution.com%2Fservlet%2Fajrotator%2F43%2F0%2Fvh%3Fz%3Dast%26ch%3D158%26dim%3D5&r=0
http://ad.103092804.com/st?ad_type=iframe&ad_size=720x90&section=266189
http://ad.103092804.com/imp?Z=720x90&s=266189&_salt=2426070770&B=10&u=http%3A%2F%2Frotator.its.adjuggler.com%2Fservlet%2Fajrotator%2F263541%2F0%2Fvh%3Fajecscp%3D1256003887118%26z%3Dicm%26dim%3D186262&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=120x600&section=517445
http://ad.harrenmedianetwork.com/imp?Z=120x600&s=517445&_salt=3727910419&B=10&u=http%3A%2F%2Frotator.its.adjuggler.com%2Fservlet%2Fajrotator%2F263541%2F0%2Fvh%3Fajecscp%3D1256003888797%26z%3Dicm%26dim%3D186155&r=0

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.