ThreatExpert Report: PWS-Zbot.gen.aju, AdWare.Win32.Hebogo

Submission Summary:

Submission details:

Submission received: 17 September 2012, 20:46:14
Processing time: 8 min 40 sec
Submitted sample:

File MD5: 0x57FF7A501351797C8C3EE5EF705A1F60
File SHA-1: 0xB95FF44C2CDDA8793273C0797BDC1895F25F7A83
Filesize: 867,000 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\GuardSupport\GuardConvert.exe	171,040 bytes	MD5: 0x57B8A5F586D4FF594F9CF3B61A29119C SHA-1: 0xACDC1D6892DF40CBBE293DA37BF12DE2CF17A41E	PWS-Zbot.gen.aju [McAfee] AdWare.Win32.Hebogo [Ikarus]
2	%AppData%\MicroLab\MyEngin\Common\MicroProCon.exe	105,504 bytes	MD5: 0xF1976AB1BFC229C2CB3D45FCCAAE111A SHA-1: 0xEC1220601C8F9D799406C2005AA95C5D23FF716C	AdWare.Win32.Hebogo [Ikarus]
3	%AppData%\MicroLab\MyEngin\Common\Uninstall\IRIMG1.JPG	2,362 bytes	MD5: 0xAF18F3F894BE69733E04750B236E219A SHA-1: 0x8E552822666E75F5B6054787E827FF51D3425A2E	(not available)
4	%AppData%\MicroLab\MyEngin\Common\Uninstall\IRIMG2.JPG	29,054 bytes	MD5: 0xAC40DED6736E08664F2D86A65C47EF60 SHA-1: 0xC352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA	(not available)
5	%AppData%\MicroLab\MyEngin\Common\Uninstall\uninstall.dat	127,656 bytes	MD5: 0x5CE201052EDF355485F054D1C3C04239 SHA-1: 0xBF089C72A6CF70212C04A6D3611C804BEBE9D431	(not available)
6	%AppData%\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe %Temp%\_ir_sf_temp_0\irsetup.exe	580,096 bytes	MD5: 0x3FE7C92DBA5C9240B4AB0D6A87E6166A SHA-1: 0x7980D7DFFC073515B621834246DDA33AB00C308D	packed with UPX [Kaspersky Lab]
7	%AppData%\MicroLab\MyEngin\Common\Uninstall\uninstall.xml	7,636 bytes	MD5: 0x7EB734CF2D68E8483BEFFD3B73C7AA6E SHA-1: 0x7FE95FBB68BA5D3F877960F4ABBD760BD191A932	(not available)
8	[file and pathname of the sample #1]	867,000 bytes	MD5: 0x57FF7A501351797C8C3EE5EF705A1F60 SHA-1: 0xB95FF44C2CDDA8793273C0797BDC1895F25F7A83	(not available)
9	%System%\VB6KO.DLL	102,160 bytes	MD5: 0x84742B5754690ED667372BE561CF518D SHA-1: 0xEF97AA43F804F447498568FC33704800B91A7381	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%AppData%\GuardSupport
%AppData%\MicroLab
%AppData%\MicroLab\MyEngin
%AppData%\MicroLab\MyEngin\Common
%AppData%\MicroLab\MyEngin\Common\Uninstall
%Temp%\_ir_sf_temp_0

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	86,016 bytes
irsetup.exe	%Temp%\_ir_sf_temp_0\irsetup.exe	1,576,960 bytes
microprocon.exe	%AppData%\microlab\myengin\common\microprocon.exe	98,304 bytes
guardconvert.exe	%AppData%\guardsupport\guardconvert.exe	163,840 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0
HKEY_CURRENT_USER\Software\MicroLab

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

MicroLabProc = "%AppData%\MicroLab\MyEngin\Common\MicroProProc.exe -checkvalue"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]

DisplayName = "MicroNames Multi Language Convert Service"
NoModify = 0x00000001
NoRepair = 0x00000001
UninstallString = ""%AppData%\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe" "/U:%AppData%\MicroLab\MyEngin\Common\Uninstall\uninstall.xml""
Publisher = "MicroNames"
URLInfoAbout = "http://www.hebogo.com"
HelpLink = "http://www.hebogo.com"
Contact = "MicroNames Support Department"
DisplayVersion = "3.0"
InstallLocation = "%AppData%\MicroLab\SearchEngin\LanguageConvert"
DisplayIcon = ""%AppData%\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

MicroLabCon = "%AppData%\MicroLab\MyEngin\Common\MicroProCon.exe -checkvalue"

so that MicroProCon.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\MicroLab]

Owner = "admin"
USER_NO = "2980"
S_NO = "2980"
Version = "0000"
Ver = "sup"
Upmom = "Y"
SUBNAME = "MAIN"
CURDIR = ""
Commit = "Y"
PDR = "asdfaeiqwerh"
FirstTime = "0"

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

The following Host Name was requested from a host database:

192.5.5.241

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
192.5.5.241	1034

The following HTTP URLs were started reading:

http://220.73.162.2,
http://220.73.162.7,
http://220.73.162.8,
http://220.73.162.11,
http://220.73.162.12,
http://220.73.162.13,
http://220.73.162.15,
http://220.73.162.16,
http://220.73.162.17,
http://220.73.162.19,
http://220.73.162.22,
http://220.73.162.23,
http://220.73.162.24,
http://220.73.162.25,
http://220.73.162.26,
http://220.73.162.27,
http://220.73.162.28,
http://220.73.162.29,
http://220.73.162.30,
http://220.73.162.31,

The data identified by the following URLs was then requested from the remote web server:

http://korserver.com/Config/ServerList.asp?uno=2980&gubun=2
http://itemprice.kr/Config/ServerList.asp?uno=2980&gubun=2
http://duzip.com/Config/ServerList.asp?uno=2980&gubun=2
http://hostserver.kr/Config/ServerList.asp?uno=2980&gubun=2
http://koreaserver.kr/Config/ServerList.asp?uno=2980&gubun=2
http://maketop.kr/Config/ServerList.asp?uno=2980&gubun=2
http://makevalue.com/Config/ServerList.asp?uno=2980&gubun=2
http://mainserver.kr/Config/ServerList.asp?uno=2980&gubun=2

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.