Submission Summary:

• Submission details:
• Submission received: 21 November 2009, 06:08:36
• Processing time: 7 min 29 sec
• Submitted sample:
• File MD5: 0x4D040E5210CB53D58764A7BB974895A7
• File SHA-1: 0x12C60FEFAE4865F8BFB8E9D169FA82A117F9BD1A
• Filesize: 29,184 bytes
• Alias:
• Hacktool.Rootkit!sd6 [PCTools]
• Hacktool.Rootkit [Symantec]
• Trojan-Downloader.Win32.Agent.cffj [Kaspersky Lab]
• Generic Downloader.x!fi [McAfee]
• Mal/Generic-A [Sophos]
• Dropper/Downloader.29184.O [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-Dropper.Agent	Trojan-Dropper.Agent attempts to drop a malicious file and run it on the compromised computer.
Rootkit.Order	Rootkit.Order hides files with filenames containing the word "order" in them. It also tries to contact a remote server. The threat is known to target financial institutions by stealing sensitive information.
Trojan-PWS.Magania.BDU	Trojan-PWS.Magania.BDU is threat that tries to monitors user activities in hopes to obtain valuable information from the affected user, specifically gaming activity behaviors.
Hacktool.Rootkit!sd6	Hacktool.Rootkit!sd6 is a malicious application that could be used by attackers to break into a system.

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A program that downloads files to the local computer that may represent security risk
	A hacktool that could be used by attackers to break into a system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\180213	25,616 bytes	MD5: 0x93CE9ED441614D5CEEA8A669C3718D03 SHA-1: 0x121EC9ECED5E8296A12FAE7B0B414F786EBD7DE0	Trojan-PSW.Gampass [PCTools] Infostealer.Gampass [Symantec] Trojan-Dropper.Win32.Agent.ayqa [Kaspersky Lab] Generic Dropper.eb [McAfee] Troj/PSW-HE [Sophos] Dropper/Agent.25616.B [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
2	%DownloadedProgramFiles%\P5euE6tSs7CZBbaJhVDkUbG.Ttf	212 bytes	MD5: 0x1E490C179C001ED6DAFB3A87BB3938F9 SHA-1: 0x278C472EDB5C7DC83CB0CD1E158E5F8D49941240	(not available)
3	%DownloadedProgramFiles%\SURk9eZHgnrJjPxmC.Ttf	208 bytes	MD5: 0x409F23C9C52BA10A047B252604EBE131 SHA-1: 0xCD82FC958E40EB8599BF0483784C7DB34DDF3A2F	(not available)
4	%FontsDir%\eSEWZRdrSK3NeEJVy4.Ttf	1,750 bytes	MD5: 0x79F3EBE01186FAF734B831A576896F7D SHA-1: 0x20C8FEF4C76847630985FCE5F3EB7E3A95AC0868	(not available)
5	%System%\AwrctXwdeJxquap6bRhj4Cd6z4PDyT.dll	792,064 bytes	MD5: 0x6728270CB7DBB776ED086F5AC4C82310 SHA-1: 0xE913CC86F68627541DAE2A92509AB230F427E980	(not available)
6	%System%\BJusSQfKzY4fRMcWtcMZ.dll %Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	22,528 bytes	MD5: 0xB894D5CD1738629FF2BE73248FF26A17 SHA-1: 0x1A4EF07133A54E77FA76B1414133D55804EE3064	Trojan-PSW.Gampass [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.cmvd [Kaspersky Lab] Troj/PWS-BCC [Sophos] Win-Trojan/Magania.22528.G [AhnLab]
7	%System%\drivers\Encionc_ch.dat	172 bytes	MD5: 0x4A9AB1B014EC3B003B3871B3D17A2A7C SHA-1: 0x75061530008DF69A0D7EDC8CDC0782C525935C1A	(not available)
8	%System%\imm32.dll.bak	110,080 bytes	MD5: 0x87CA7CE6469577F059297B9D6556D66D SHA-1: 0xF7615886A8782A1ECD3EA4188A89E6D710428856	(not available)
9	%System%\kb02161012.dll %System%\kb02161033.dll	14,542 bytes	MD5: 0x4CBAB172CDCF5929CBABE74BAC22AB55 SHA-1: 0x8423F3DB00B795008C63805C92E03D20C0ADB055	Rootkit.Order [PCTools] Infostealer.Gampass [Symantec] Trojan.Win32.Vilsel.ndb [Kaspersky Lab] Troj/Virtum-Gen [Sophos] Packed/Upack [AhnLab] packed with UPack [Kaspersky Lab]
10	%System%\PERrGx5DkqSbQdwauCRQH.dll	18,944 bytes	MD5: 0xD97F4EA285959EC6F8A7C6AC15560BAC SHA-1: 0x3F28B441FEF2235B7ACEAA60CA53F127094C1809	Trojan-PWS.Magania.BDU [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.bvpp [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Troj/PWS-BCC [Sophos] Win-Trojan/OnlineGameHack.18944.EA [AhnLab]
11	%System%\RXNK8eR3xW8KTCWBCGTbqm.inf	19,562 bytes	MD5: 0xE8F7044944D36D4322F8AD680F5ABE2A SHA-1: 0xAABB829C5108F27F9CA58BB814DEB4A96FCCA8ED	Trojan-PSW.Gampass [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.clvg [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] packed with PE_Patch.UPX [Kaspersky Lab]
12	[file and pathname of the sample #1]	29,184 bytes	MD5: 0x4D040E5210CB53D58764A7BB974895A7 SHA-1: 0x12C60FEFAE4865F8BFB8E9D169FA82A117F9BD1A	Hacktool.Rootkit!sd6 [PCTools] Hacktool.Rootkit [Symantec] Trojan-Downloader.Win32.Agent.cffj [Kaspersky Lab] Generic Downloader.x!fi [McAfee] Mal/Generic-A [Sophos] Dropper/Downloader.29184.O [AhnLab]
13	%System%\wsconfig.db	43 bytes	MD5: 0x147CD368A8BD2CEDCBAF2B73F07910A0 SHA-1: 0x59EABC5BBD06E9723D08F9FD5AEB2B991D14F041	(not available)
14	%System%\YFwxJedmk5zygvbBT.inf	22,124 bytes	MD5: 0xA4D59E216D9E9469CFC79B075EF5E6C5 SHA-1: 0xF7316E62F765739D7450FEC3C0E4DAD2FAB780AE	Trojan-PSW.Gampass [PCTools] Infostealer.Gampass [Symantec] PWS-OnlineGames.ek [McAfee] Mal/Emogen-R [Sophos] packed with PE_Patch.UPX [Kaspersky Lab]
15	%Windir%\Tasks\bQduFebhDm3Gxtunb.ico	1,750 bytes	MD5: 0x3DD119852C5FF73790F573D576830D04 SHA-1: 0x9BEB4253B7865B950F8E77C0F5A6713F44007593	(not available)

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %DownloadedProgramFiles% is a variable that refers to the file system directory containing downloaded program files. A typical path is C:\Windows\Downloaded Program Files.
• %FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following files were modified:
• %System%\comres.dll
• %System%\imm32.dll

Memory Modifications

• There was a new process created in the system:

• The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
YFwxJedmk5zygvbBT.inf	%System%\YFwxJedmk5zygvbBT.inf	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1E80000 - 0x1E95000
Ces5WqX3ApQMPmMbYZUxPYh.inf	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1EA0000 - 0x1EB6000
RXNK8eR3xW8KTCWBCGTbqm.inf	%System%\RXNK8eR3xW8KTCWBCGTbqm.inf	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1FE0000 - 0x1FF3000
YFwxJedmk5zygvbBT.inf	%System%\YFwxJedmk5zygvbBT.inf	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0x10000000 - 0x10015000
Ces5WqX3ApQMPmMbYZUxPYh.inf	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xB90000 - 0xBA6000
RXNK8eR3xW8KTCWBCGTbqm.inf	%System%\RXNK8eR3xW8KTCWBCGTbqm.inf	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xBB0000 - 0xBC3000
Ces5WqX3ApQMPmMbYZUxPYh.inf	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x10000000 - 0x10016000
YFwxJedmk5zygvbBT.inf	%System%\YFwxJedmk5zygvbBT.inf	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1620000 - 0x1635000
Ces5WqX3ApQMPmMbYZUxPYh.inf	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1740000 - 0x1756000
RXNK8eR3xW8KTCWBCGTbqm.inf	%System%\RXNK8eR3xW8KTCWBCGTbqm.inf	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1760000 - 0x1773000
Ces5WqX3ApQMPmMbYZUxPYh.inf	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	Process name: ~1d4d5.tmp Process filename: %Temp%\~1d4d5.tmp Address space: 0x10000000 - 0x10016000
YFwxJedmk5zygvbBT.inf	%System%\YFwxJedmk5zygvbBT.inf	Process name: ~1d4d5.tmp Process filename: %Temp%\~1d4d5.tmp Address space: 0xFB0000 - 0xFC5000

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following system service was modified:

• There was a new kernel-mode driver installed in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A8C189-03CC-48E9-A4E5-346B87F8A249}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A8C189-03CC-48E9-A4E5-346B87F8A249}\InprocServer32
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035}\InprocServer32
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8EC4F9D-F88B-41CF-BC8D-3DD1737B6451}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8EC4F9D-F88B-41CF-BC8D-3DD1737B6451}\InprocServer32
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09A8C189-03CC-48E9-A4E5-346B87F8A249}\InprocServer32]
• (Default) = "%System%\YFwxJedmk5zygvbBT.inf"
• ThreadingModel = "Apartment"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035}\InprocServer32]
• (Default) = "%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf"
• ThreadingModel = "Apartment"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8EC4F9D-F88B-41CF-BC8D-3DD1737B6451}\InprocServer32]
• (Default) = "%System%\RXNK8eR3xW8KTCWBCGTbqm.inf"
• ThreadingModel = "Apartment"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
• {F42FCDA4-76C1-4827-9BC3-1C95ADBD6035} = ""
• {09A8C189-03CC-48E9-A4E5-346B87F8A249} = ""
• {F8EC4F9D-F88B-41CF-BC8D-3DD1737B6451} = ""
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
• Debugger = "services.exe"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "zx"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000]
• Service = "zx"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "zx"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Enum]
• 0 = "Root\LEGACY_ZX\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx]
• Type = 0x00000001
• Start = 0x00000003
• ErrorControl = 0x00000001
• ImagePath = "\??\%Temp%\~1d4d6.tmp"
• DisplayName = "zx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "zx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000]
• Service = "zx"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "zx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Enum]
• 0 = "Root\LEGACY_ZX\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx]
• Type = 0x00000001
• Start = 0x00000003
• ErrorControl = 0x00000001
• ImagePath = "\??\%Temp%\~1d4d6.tmp"
• DisplayName = "zx"

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://mm.cj-vv.cn:8888/mm/lm/new1.exe
• http://mm.cj-vv.cn:8888/mm/lm/new2.exe
• http://mm.cj-vv.cn:8888/mm/lm/new3.exe
• http://txt.cj-vv.cn:889/txt1/ok.txt