ThreatExpert Report: P2P-Worm.Win32.Palevo.cqmm, BackDoor-DVB.gen.w, Mal/Redos-I..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 11 September 2012, 16:19:53
Processing time: 11 min 49 sec
Submitted sample:

File MD5: 0x5055888E45EA74DB4C20AF27592D1D17
File SHA-1: 0x906D00D9B289A13CBBC27D77C20CE6B49E3DAA9E
Filesize: 336,016 bytes
Alias:

P2P-Worm.Win32.Palevo.cqmm [Kaspersky Lab]
BackDoor-DVB.gen.w [McAfee]
Mal/Redos-I [Sophos]
Backdoor:Win32/Morix.B [Microsoft]
Win32.SuspectCrc [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\GroupPolicy\User\Scripts\scripts.ini	64 bytes	MD5: 0x14560E302914C04D753213A402AE49EC SHA-1: 0xDDD024DE2FC0A54A2A32B9E4B293EF2F1E120310	(not available)
2	[file and pathname of the sample #1] %Windir%\Temp\svchost.exe	336,016 bytes	MD5: 0x5055888E45EA74DB4C20AF27592D1D17 SHA-1: 0x906D00D9B289A13CBBC27D77C20CE6B49E3DAA9E	P2P-Worm.Win32.Palevo.cqmm [Kaspersky Lab] BackDoor-DVB.gen.w [McAfee] Mal/Redos-I [Sophos] Backdoor:Win32/Morix.B [Microsoft] Win32.SuspectCrc [Ikarus]

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following file was modified:

%System%\GroupPolicy\gpt.ini

The following directories were created:

%System%\GroupPolicy\User\Scripts
%System%\GroupPolicy\User\Scripts\Shutdown
%System%\GroupPolicy\User\Scripts\Startu?

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	348,160 bytes
svchost.exe	%Windir%\temp\svchost.exe	348,160 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	987,136 bytes

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ball
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ball\20116110405
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ball
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ball\20116110405
HKEY_LOCAL_MACHINE\SYSTEM\InfoTime

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ball\20116110405]

Group = "Default"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ball\20116110405]

Group = "Default"

[HKEY_LOCAL_MACHINE\SYSTEM\InfoTime]

InfoTime = "20120911"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

AAAAAArqaxva61p72uva6vrqmnr6evnw==CCCCCC0Nfe2uDknw==

The following Host Name was requested from a host database:

192.168.1.101

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
192.168.1.101	8080

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 4768 3073 74E1 0000 002C 0100 0078 9C4B | Gh0st....,...x.K
00000010 | 5B29 C830 8781 8181 1588 1981 5883 8B81 | [).0........X...
00000020 | 8109 4807 A716 9565 26A7 2A04 2426 672B | ..H....e&.*.$&g+
00000030 | 1831 30EC 01AA CB88 B564 B802 A42F C8AE | .10......d.../..
00000040 | 2E2C 5A25 C8C0 22B2 BA50 03A8 9601 C8BE | .,Z%.."..P......
00000050 | 3C7B 620D 0790 590A C433 A556 16FE 915E | <{b...Y..3.V...^
00000060 | 5D08 52C7 0035 B700 A806 C616 00E2 0F0C | ].R..5..........
00000070 | AB0B 67B0 5842 F840 B9A9 1C13 6B18 1820 | ..g.XB.@....k..
00000080 | EA05 80E2 4C60 C58C 0CDB B921 7AFC 598D | ....L`.....!z.Y.
00000090 | 19EB 814C E7FC DC82 D292 D422 BFC4 DC54 | ...L......."...T
000000A0 | 066C 00A8 38D0 8E81 E13F 90E9 9498 9303 | .l..8....?......
000000B0 | 124A 582D 0834 EF23 974B 6A5A 6269 4E09 | .JX-.4.#.KjZbiN.
000000C0 | 8342 8D08 D07E 0858 BC1A E4AE F060 105B | .B...~.X.....`.[
000000D0 | 5717 2296 C188 69EC 8318 4B06 0064 6D35 | W."...i...K..dm5
000000E0 | 6E                                      | n
00000000 | 4768 3073 74E2 0000 002C 0100 0078 9C4B | Gh0st....,...x.K
000000A0 | 066C 00A8 F88B 2D03 C37F 20D3 2931 2707 | .l....-... .)1'.
000000B0 | 2494 B05A 1068 DE47 5E97 D4B4 C4D2 9C12 | $..Z.h.G^.......
000000C0 | 060E 0F11 8617 50E5 8B57 83DC 151E 0C62 | ......P..W.....b
000000D0 | EBEA 42C4 5218 318D 7D10 63C9 0000 8A75 | ..B.R.1.}.c....u
000000E0 | 35BB                                    | 5.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.