ThreatExpert Report: Trojan-Downloader.Win32.FraudLoad.exm, Mal/EncPk-IF, Gen.Trojan, Mal/Generic-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 9 July 2009, 09:41:55
Processing time: 6 min 0 sec
Submitted sample:

File MD5: 0x513FFC855DAED8D0889188431ADD9D34
File SHA-1: 0xE333F28689DE9E1259983B1A1E094E3414EE1D3C
Filesize: 45,059 bytes
Alias:

Trojan-Downloader.Win32.FraudLoad.exm [Kaspersky Lab]
Mal/EncPk-IF [Sophos]
Gen.Trojan [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.XPDeluxeProtector	RogueAntiSpyware.XPDeluxeProtector is a Rogue Anti-Spyware product which downloaded and installed without the users consent.

Attention! The following threat category was identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\defender32.exe [file and pathname of the sample #1]	45,059 bytes	MD5: 0x513FFC855DAED8D0889188431ADD9D34 SHA-1: 0xE333F28689DE9E1259983B1A1E094E3414EE1D3C	Trojan-Downloader.Win32.FraudLoad.exm [Kaspersky Lab] Mal/EncPk-IF [Sophos] Gen.Trojan [Ikarus]
2	%UserProfile%\XP Deluxe Protector\xpdeluxe.exe %System%\gdi32lib.dll	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%UserProfile%\XP Deluxe Protector

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	73,728 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following system service was modified:

Service Name	Display Name	New Status	Service Filename
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\XP Deluxe Protector

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusDisableNotify = "1"
FirewallDisableNotify = "1"
UpdatesDisableNotify = "1"

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_CURRENT_USER\Control Panel\don't load]

scui.cpl = "No"
wscui.cpl = "No"

[HKEY_CURRENT_USER\Software]

1fd127a9-bf7b-40b4-9372-20cef48d6466 = ""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

defender32.exe = "%Temp%\defender32.exe"

so that defender32.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\XP Deluxe Protector]

Minimize = "0"
Start = "1"
Scan = "1"
id = "115"
UpdateDate = "02-07-2009"
fstart = "1"
site = "http://xp-deluxeprotector.com/pp/?id="

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The data identified by the following URLs was then requested from the remote web server:

http://downloadsoftwareserver3.com/gdi32lib.dll
http://downloadsoftwareserver3.com/xpdeluxe.exe

Downloaded File Summary:

Download details:

Download retrieved: 9 July 2009 09:47:56
Processing time: 6 min 47 sec
Downloaded sample #1:

File MD5: 0x05A283DF0D51A115E81ABDA21602010B
File SHA-1: 0xDE028244613CE95CDE8D1547CAAB75F5319D2693
Filesize: 29,184 bytes
Alias:

Mal/Generic-A [Sophos]
Trojan:Win32/Tibs.gen!lds [Microsoft]

Downloaded sample #2:

File MD5: 0x77CE19F00923C4A2525D24F56C3D700C
File SHA-1: 0x34F5963A4451A5F23F704C3FCB96F9653DC9D314
Filesize: 1,185,792 bytes
Alias:

not-a-virus:FraudTool.Win32.WinPCDefender.bj [Kaspersky Lab]
FakeAlert-CM [McAfee]
Mal/EncPk-IF [Sophos]
Trojan:Win32/FakeRean [Microsoft]
Trojan.Win32.FakeRean [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.XPDeluxeProtector	RogueAntiSpyware.XPDeluxeProtector is a Rogue Anti-Spyware product which downloaded and installed without the users consent.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\XP Deluxe Protector.LNK	1,518 bytes	MD5: 0xF2408CC6A110DB69D5AED52A19205554 SHA-1: 0x203773031D3A58B8A1E941042963978C9E014195	(not available)
2	%StartMenu%\XP Deluxe Protector.LNK	1,518 bytes	MD5: 0xCA1FC74F27EEBF880C5A787C5C48D717 SHA-1: 0x9F24E9683BBFDC283A650BC3A9D81A62FC23B87E	(not available)
3	[file and pathname of the sample #1]	29,184 bytes	MD5: 0x05A283DF0D51A115E81ABDA21602010B SHA-1: 0xDE028244613CE95CDE8D1547CAAB75F5319D2693	Mal/Generic-A [Sophos] Trojan:Win32/Tibs.gen!lds [Microsoft]
4	[file and pathname of the sample #2]	1,185,792 bytes	MD5: 0x77CE19F00923C4A2525D24F56C3D700C SHA-1: 0x34F5963A4451A5F23F704C3FCB96F9653DC9D314	not-a-virus:FraudTool.Win32.WinPCDefender.bj [Kaspersky Lab] FakeAlert-CM [McAfee] Mal/EncPk-IF [Sophos] Trojan:Win32/FakeRean [Microsoft] Trojan.Win32.FakeRean [Ikarus]

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%StartMenu% is a variable that refers to the file system directory containing Start menu items. A typical path is C:\Documents and Settings\[UserName]\Start Menu.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	4,321,280 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x3E0000 - 0x3EA000

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\XP Deluxe Protector

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Ukraine
	Russian Federation

To mark the presence in the system, the following Mutex objects were created:

_!SHMSFTHISTORY!_
_SHuassist.mtx

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
xp-deluxeprotector.com	80	(null)	(null)

The following GET requests were made:

pp/?id=
pp/index.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.