Submission Summary:

• Submission details:
• Submission received: 8 September 2012, 13:05:17
• Processing time: 9 min 0 sec
• Submitted sample:
• File MD5: 0x524482449F9502145018D75F17636977
• File SHA-1: 0xF34000AB6210DFBB2E8AD8109C4095C0C92CDF78
• Filesize: 292,312 bytes
• Alias:
• W32.Pinfi [Symantec]
• Virus.Win32.Parite.b [Kaspersky Lab]
• W32/Pate.b [McAfee]
• PE_PARITE.A [Trend Micro]
• W32/Parite-B [Sophos]
• Virus:Win32/Parite.B [Microsoft]
• Trojan-GameThief.Win32.Magania [Ikarus]
• Win32/Parite [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\dpa2.tmp	114,354 bytes	MD5: 0xC496912443066457CEA7A5347EDABAD8 SHA-1: 0xCD7316497BA3E31933295F79DF14EEACF51558A3	Trojan.Gen [Symantec] BackDoor-DZB [McAfee] Backdoor:Win32/Delf.LB [Microsoft] Trojan-GameThief.Win32.Magania [Ikarus]
2	%Temp%\ema1.tmp	176,128 bytes	MD5: 0x685F1CBD4AF30A1D0C25F252D399A666 SHA-1: 0x6A1B978F5E6150B88C8634146F1406ED97D2F134	W32.Pinfi [Symantec] Virus.Win32.Parite.o [Kaspersky Lab] W32/Pate.b.dll [McAfee] PE_PARITE.A-O [Trend Micro] W32/Parite-B [Sophos] Virus:Win32/Parite.B.dll [Microsoft] Virus.Win32.Parite [Ikarus] Win32/Parite [AhnLab]
3	%System%\LoginoFStm.KEY	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
4	%System%\ntuser.dll	100,937 bytes	MD5: 0x7535C9E770F7A261AE33CA3DACE16EF9 SHA-1: 0x0B633DD1BD411D0CF0104A550D2DF5F268F42B75	Backdoor.Trojan [Symantec] Backdoor.Win32.Torr.bze [Kaspersky Lab] BackDoor-DVB.gen.p [McAfee] Mal/Behav-228 [Sophos] Backdoor:Win32/Hupigon.ZAI [Microsoft] Trojan.Win32.MMM [Ikarus] Win-Trojan/Redosdru.Gen [AhnLab]
5	[file and pathname of the sample #1]	292,312 bytes	MD5: 0x524482449F9502145018D75F17636977 SHA-1: 0xF34000AB6210DFBB2E8AD8109C4095C0C92CDF78	W32.Pinfi [Symantec] Virus.Win32.Parite.b [Kaspersky Lab] W32/Pate.b [McAfee] PE_PARITE.A [Trend Micro] W32/Parite-B [Sophos] Virus:Win32/Parite.B [Microsoft] Trojan-GameThief.Win32.Magania [Ikarus] Win32/Parite [AhnLab]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following files were modified:
• [pathname with a string SHARE]\DW20.EXE
• [pathname with a string SHARE]\DWTRIG20.EXE
• [pathname with a string SHARE]\msinfo32.exe
• [pathname with a string SHARE]\sapisvr.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
• %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
• %ProgramFiles%\Internet Explorer\iedw.exe
• %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
• %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
• %ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe
• %ProgramFiles%\MSN\MSNIA\msniasvc.exe
• %ProgramFiles%\MSN\MSNIA\prestp.exe
• %ProgramFiles%\MSN\MsnInstaller\msninst.exe
• %ProgramFiles%\NetMeeting\conf.exe
• %ProgramFiles%\NetMeeting\wb32.exe
• %ProgramFiles%\Outlook Express\msimn.exe
• %ProgramFiles%\Outlook Express\oemig50.exe
• %ProgramFiles%\Outlook Express\setup50.exe
• %ProgramFiles%\Outlook Express\wab.exe
• %ProgramFiles%\Outlook Express\wabmig.exe

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

• There was a new process created in the system:

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
ntuser.dll	%System%\ntuser.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x5A0000 - 0x5BC000

• There was a new service created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SVC
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SVC\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SVC\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360SVC
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360SVC\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360SVC\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc\Parameters
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SVC\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "360svc"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SVC\0000]
• Service = "360svc"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Microsoft Device Manager"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SVC]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc\Enum]
• 0 = "Root\LEGACY_360SVC\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters]
• ServiceDll = "%System%\ntuser.dll"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360svc]
• Type = 0x00000120
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\svchost.exe -k netsvcs"
• DisplayName = "Microsoft Device Manager"
• ObjectName = "LocalSystem"
• Description = "???????????????????????????????"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360SVC\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "360svc"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360SVC\0000]
• Service = "360svc"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Microsoft Device Manager"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360SVC]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc\Enum]
• 0 = "Root\LEGACY_360SVC\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc\Parameters]
• ServiceDll = "%System%\ntuser.dll"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360svc]
• Type = 0x00000120
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\svchost.exe -k netsvcs"
• DisplayName = "Microsoft Device Manager"
• ObjectName = "LocalSystem"
• Description = "???????????????????????????????"

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
• netsvcs =
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• To mark the presence in the system, the following Mutex object was created:
• longzurq6mva61tb20sr2mr6m1sKevnw==

• The following Host Names were requested from a host database:
• 119.166.75.90
• 0.0.0.0

• There was registered attempt to establish connection with the remote host. The connection details are:

• The following Internet Connection was established:

• There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
• %Temp%\ema1.tmp
• the hook is handled by its export "AttachHook()"

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 6380: