Submission Summary:

• Submission details:
• Submission received: 7 August 2012, 05:19:18
• Processing time: 8 min 35 sec
• Submitted sample:
• File MD5: 0x5908D3FF3167ACBAB707A6C9F7EEAFD1
• File SHA-1: 0x154805B795A42AF77E637E0B074EE1D8B9DEC406
• Filesize: 226,304 bytes
• Alias:
• Mal/Behav-043 [Sophos]
• Backdoor:Win32/Bifrose.IQ [Microsoft]
• Win32.SuspectCrc [Ikarus]

Technical Details:

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\CacheMgr.exe [file and pathname of the sample #1]	226,304 bytes	MD5: 0x5908D3FF3167ACBAB707A6C9F7EEAFD1 SHA-1: 0x154805B795A42AF77E637E0B074EE1D8B9DEC406	Mal/Behav-043 [Sophos] Backdoor:Win32/Bifrose.IQ [Microsoft] Win32.SuspectCrc [Ikarus]
2	%CommonAppData%\csetup.tmp	11 bytes	MD5: 0x933747F8D70686863C11E0C91D199684 SHA-1: 0x2BA64103E9FA58658C3CC5E4E3E9AE536F975E70	(not available)
3	%Temp%\cac10.tmp %Temp%\cac11.tmp %Temp%\cac12.tmp %Temp%\cac13.tmp %Temp%\cac14.tmp %Temp%\cac15.tmp %Temp%\cac16.tmp %Temp%\cac17.tmp %Temp%\cac18.tmp %Temp%\cac19.tmp %Temp%\cac1A.tmp %Temp%\cac1B.tmp %Temp%\cac1C.tmp %Temp%\cac1D.tmp %Temp%\cac1E.tmp %Temp%\cac1F.tmp %Temp%\cac20.tmp %Temp%\cac21.tmp %Temp%\cac22.tmp %Temp%\cac23.tmp %Temp%\cac24.tmp %Temp%\cac25.tmp %Temp%\cac26.tmp %Temp%\cac27.tmp %Temp%\cac28.tmp %Temp%\cac29.tmp %Temp%\cac2A.tmp %Temp%\cac2B.tmp %Temp%\cac2C.tmp %Temp%\cac2D.tmp %Temp%\cac2E.tmp %Temp%\cac2F.tmp %Temp%\cac3.tmp %Temp%\cac30.tmp %Temp%\cac31.tmp %Temp%\cac32.tmp %Temp%\cac33.tmp %Temp%\cac34.tmp %Temp%\cac35.tmp %Temp%\cac36.tmp %Temp%\cac37.tmp %Temp%\cac38.tmp %Temp%\cac39.tmp %Temp%\cac3A.tmp %Temp%\cac3B.tmp %Temp%\cac3C.tmp %Temp%\cac3D.tmp %Temp%\cac3E.tmp %Temp%\cac3F.tmp %Temp%\cac4.tmp %Temp%\cac40.tmp %Temp%\cac41.tmp %Temp%\cac42.tmp %Temp%\cac43.tmp %Temp%\cac44.tmp %Temp%\cac45.tmp %Temp%\cac46.tmp %Temp%\cac47.tmp %Temp%\cac48.tmp %Temp%\cac49.tmp %Temp%\cac4A.tmp %Temp%\cac4B.tmp %Temp%\cac4C.tmp %Temp%\cac4D.tmp %Temp%\cac4E.tmp %Temp%\cac4F.tmp %Temp%\cac5.tmp %Temp%\cac50.tmp %Temp%\cac51.tmp %Temp%\cac52.tmp %Temp%\cac53.tmp %Temp%\cac54.tmp %Temp%\cac55.tmp %Temp%\cac56.tmp %Temp%\cac57.tmp %Temp%\cac58.tmp %Temp%\cac59.tmp %Temp%\cac5A.tmp %Temp%\cac5B.tmp %Temp%\cac5C.tmp %Temp%\cac5D.tmp %Temp%\cac5E.tmp %Temp%\cac5F.tmp %Temp%\cac60.tmp %Temp%\cac61.tmp %Temp%\cac62.tmp %Temp%\cac63.tmp %Temp%\cac64.tmp %Temp%\cac66.tmp %Temp%\cac67.tmp %Temp%\cac68.tmp %Temp%\cac69.tmp %Temp%\cac6A.tmp %Temp%\cac6B.tmp %Temp%\cac6C.tmp %Temp%\cac6F.tmp %Temp%\cac7.tmp %Temp%\cac70.tmp %Temp%\cac71.tmp %Temp%\cac72.tmp	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)

• Notes:
• %CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

• There were new processes created in the system:

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\2CBE016A-8F28-4E0C-83A6-6079161294D7

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\2CBE016A-8F28-4E0C-83A6-6079161294D7]
• StubPath = ""%CommonAppData%\CacheMgr.exe" -ax"

so that CacheMgr.exe runs every time Windows starts

Other details

• To mark the presence in the system, the following Mutex objects were created:
• 2CBE016A-8F28-4E0C-83A6-6079161294D7
• Bif123

• The following Host Name was requested from a host database:
• 74.125.224.112

• The following Internet Connection was established:

• The following GET request was made:
• ABIUS/setup.exe