ThreatExpert Report: Downloader, Trojan.Retapu, Rootkit.Win32.TDSS.phm, Mal/TDSS-B..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 21 February 2009, 22:04:47
Processing time: 8 min 29 sec
Submitted sample:

File MD5: 0x55C80A5760969CFD69674FACDBE27634
File SHA-1: 0x1E492222C44C8C71B304E937CCBF03F6CC558782
Filesize: 318,472 bytes
Alias:

Downloader [Symantec]
Trojan.Retapu [Ikarus]

Summary of the findings:

What's been found	Severity Level
Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.
Downloads/requests other files from Internet.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.Virtumonde	Virtumonde modifies the Windows Internet connection mechanism and display various pop-up advertisements.
Rootkit.TDSS	Rootkit.TDSS can hide the presence of any process on the infected machine in order to perform malicious actions without users knowledge

Attention! The following threat categories were identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\wvUoNDwu.bat	111 bytes	MD5: 0x2047D91825EBD823DB5CB25DD6E61898 SHA-1: 0x9A5E5DAF8848E4D0D511C8C346866B4E0731D160	(not available)
2	%System%\drivers\senekanselwkpp.sys	67,584 bytes	MD5: 0x44ED732E8B2A6D4E06D6C256AD6FD20D SHA-1: 0xB6BCD14F563432C9F43B6CB3E8E28963A0BCFAF7	Rootkit.Win32.TDSS.phm [Kaspersky Lab] Mal/TDSS-B [Sophos] Trojan.Win32.Monderc [Ikarus]
3	%System%\ljJBttRJ.dll	46,592 bytes	MD5: 0x377C66D2F85D5715F797B418FB6791CB SHA-1: 0x92DFA620E2B3BA3FF507FDF7720BBD88F90E0C86	Vundo.gen.y [McAfee] Virus.Trojan.Win32.Monderb [Ikarus] packed with UPX [Kaspersky Lab]
4	%System%\readme.bat	44 bytes	MD5: 0x6CFD43BD78E8069C684DA5FB312D0080 SHA-1: 0xFC92A9565A62982B1F5E4A0B001E2ADEC2F1714B	(not available)
5	[file and pathname of the sample #1]	318,472 bytes	MD5: 0x55C80A5760969CFD69674FACDBE27634 SHA-1: 0x1E492222C44C8C71B304E937CCBF03F6CC558782	Downloader [Symantec] Trojan.Retapu [Ikarus]
6	%System%\senekaplnkerrf.dat	3,067 bytes	MD5: 0x04FFEF7B52AB96E0D46E7DC4CBDE7FCD SHA-1: 0xDF438DB5BD7B229772D2FD815DCA63A03BFF0FAD	(not available)
7	%System%\senekattatnktu.dll	14,336 bytes	MD5: 0xC42AC7239C4E5E5E81D2F829ED7D89D7 SHA-1: 0x54FEA787A8717FD0394BA0AF45EDED6D809CB9B8	Mal/EncPk-GU [Sophos] Trojan.TDss [Ikarus]
8	%System%\senekauxxyymfl.dll	49,152 bytes	MD5: 0xF4C627A4F0DB738A4B7E2502C7A6D1E6 SHA-1: 0xF32689278BC2C34814AE2041649DD7B0D4550381	Mal/EncPk-GU [Sophos] Trojan.TDss [Ikarus]
9	%System%\senekaybaqhxvm.dll	15,872 bytes	MD5: 0x59C07C9E38795DD60DF1A48B879ADE4E SHA-1: 0x2AE4539691BB01E846CB218ECB85897AE2611D2B	Mal/EncPk-GU [Sophos]
10	%System%\serial.exe	10,240 bytes	MD5: 0x32B077C1635BCDBAA3AE5B4F6BCA3A5C SHA-1: 0xE88E01976125B8CC45C73D76A41914D5BAF8CC7C	Trojan.Spammer [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
11	%System%\setup.exe	38,480 bytes	MD5: 0x01178E113C52E6C27B313C9C6310D6D7 SHA-1: 0x384A54CB963B6775D6CB214F5B29DDC14A5F88E7	Downloader [Symantec] Trojan.Retapu [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
serial.exe	%System%\serial.exe	184,320 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	135,168 bytes
keygen.exe	%System%\keygen.exe	118,784 bytes
readme.exe	%System%\readme.exe	98,304 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	16,384 bytes
svchost.exe	%System%\svchost.exe	16,384 bytes
svchost.exe	%System%\svchost.exe	32,768 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
ljJBttRJ.dll	%System%\ljJBttRJ.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1A00000 - 0x1A1A000

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
senekanselwkpp.sys	%System%\drivers\senekanselwkpp.sys

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJBttRJ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPAutoConnect
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPPrnUI
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPVMMon
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPVMW32
HKEY_CURRENT_USER\Software\Microsoft\cs41275
HKEY_LOCAL_MACHINE\SOFTWARE\seneka
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\delete
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\injector
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\tasks
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka\modules

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]

(Default) = "%System%\ljJBttRJ.dll"
ThreadingModel = "Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]

Time = C0 01 21 8C B3 94 C9 01 00 00 00 00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJBttRJ]

Asynchronous = 0x00000001
DllName = "ljJBttRJ.dll"
Impersonate = 0x00000000
Logon = "o"
Logoff = "f"

so that ljJBttRJ.dll is installed as a Winlogon notification package

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]

(Default) = "5D3D0DD0B6794134A50A464B295A0730&"

[HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPVMMon]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPAutoConnect]

NameTranslationEx = ",,,,,,,,,, *,*,*,*,*,true,false,false,false,VMwareVirtualPrinter, *,*,*,*,*,false,true,true,true,PCL, ,,,,,,,,,!P, ,,,,,,,,,!C,"
ForceListenToWTS = 0x00000001
AllowedProcesses = "Explorer.exe"
(Default) = ""
ListenToWTSCreatCmd = "TPAutoConnect.exe -q -i vmware -a COM1 -F 30"
TimeOutVirtualChannelRead = 0x00000064
ListenToWTS = 0x00000001
ListenToWTSOnDisconnect = 0x00000001
ListenToWTSTrys = 0x00000014
ListenToWTSTryDelay = 0x000007D0
PrinterProperties = 0x00000001
ConnectToClient = "AUTO"
Protocol = "AUTO"
RightsWin2000 = 0x00000003
RightsWinNT = 0x00000000
ListenToWTSDeleteCmd = "TPAutoConnect -q -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint]

(Default) = ""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Installer]

(Default) = 54 A8 9A 8C B3 94 C9 01

[HKEY_LOCAL_MACHINE\SOFTWARE\seneka\injector]

iexplore.exe = "senekawi.dll"
explorer.exe = "senekaff.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\seneka]

inst = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka\modules]

seneka.dll = "%System%\senekauxxyymfl.dll"
seneka.sys = "%System%\drivers\senekanselwkpp.sys"
senekalog.dat = "%System%\senekaplnkerrf.dat"
senekawi.dll = "%System%\senekaybaqhxvm.dll"
senekaff.dll = "%System%\senekattatnktu.dll"
seneka.dat = "%System%\senekaqnidwfhq.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka]

start = 0x00000001
type = 0x00000001
imagepath = "%System%\drivers\senekanselwkpp.sys"
group = "file system"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Cookies = "%System%\config\systemprofile\Cookies"
Cache = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
History = "%System%\config\systemprofile\Local Settings\History"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1A10 = 0x00000000
{AEBA21FA-782A-4A90-978D-B72164C80120} = 1A 37 61 59 23 52 35 0C 7A 5F 20 17 2F 1E 1A 19 0E 2B 01 73 13 37 13 12 14 1A 15 2A
{A8A88C49-5EB2-4990-A1A2-0876022C854F} = 1A 37 61 59 23 52 35 0C 7A 5F 20 17 2F 1E 1A 19 0E 2B 01 73 13 37 13 12 14 1A 15 2A

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
78.26.144.210	80	(null)	(null)
directitfast.com	80	(null)	(null)
onseneka.net	80	(null)	(null)
onseneka.com	80	(null)	(null)

The following GET request was made:

seneka/engine/engine.php?bot_id=13441600-606747145-764733703-839522115&affid=303418&subid=&build=icv004&os=5.1+2600+SP2.0&lang=en-us&browser=iexplore.exe&name=ComputerName

The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://childhe.com/pas/apstpldr.dll.html?affid=154350&uid=&guid=5D3D0DD0B6794134A50A464B295A0730	%System%\ssqRHBRl.dll

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\ljJBttRJ.dll

Downloaded File Summary:

Download details:

Download retrieved: 21 February 2009 22:13:41
Processing time: 7 min 37 sec
Downloaded sample:

File MD5: 0x4A56334F3F65D45D90AA15C1BD2F3484
File SHA-1: 0x9DC0C1484500C73C5B39EA589532BD4E4833F7C0
Filesize: 48,128 bytes
Alias:

Trojan.Virtumonde [PCTools]
Trojan.Vundo [Symantec]
Trojan.Win32.Monder.atxg [Kaspersky Lab]
Vundo [McAfee]
Troj/Virtum-Gen [Sophos]
Trojan.Win32.Monder [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.Virtumonde	Virtumonde modifies the Windows Internet connection mechanism and display various pop-up advertisements.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\tmp3.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%Temp%\tmp3.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	[file and pathname of the sample #1]	48,128 bytes	MD5: 0x4A56334F3F65D45D90AA15C1BD2F3484 SHA-1: 0x9DC0C1484500C73C5B39EA589532BD4E4833F7C0	Trojan.Virtumonde [PCTools] Trojan.Vundo [Symantec] Trojan.Win32.Monder.atxg [Kaspersky Lab] Vundo [McAfee] Troj/Virtum-Gen [Sophos] Trojan.Win32.Monder [Ikarus]
4	%Windir%\Tasks\vykikgdj.job	322 bytes	MD5: 0xED6861E780F8B14070E33209363C1AC7 SHA-1: 0x933DC842F5638CA7E5392D24C56E17A540892EFE	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xB31000

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Preinstall

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Check_Associations = "no"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Preinstall]

ncache_ntp = 5E 83 12 C5 B4 94 C9 01

Other details

To mark the presence in the system, the following Mutex objects were created:

Global\zB50080
Global\zB50098
Global\f3c76214
arefitopentaloju
_!SHMSFTHISTORY!_
_SHuassist.mtx
Global\zB500A0
Global\zB100B4

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
childhe.com	80	(null)	(null)

The following GET requests were made:

pldr8?uid=&guid=&affid=169170&tid=txd30019&wci=b8cdd2b5g8b556139761968af718g8g8&vi=0&ci=0&li=0&hi=0&bi=0&ai=0
index.jpg

The data identified by the following URLs was then requested from the remote web server:

http://childhe.com/pldr8?uid=&guid=&affid=169170&tid=txd30019&wci=b8cdd2b5g8b556139761968af718g8g8&vi=0&ci=0&li=0&hi=0&bi=0&ai=0
localhost

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.