ThreatExpert Report: not-a-virus:NetTool.Win32.UltraSurf.tk

Submission Summary:

Submission details:

Submission received: 4 October 2012, 15:18:32
Processing time: 9 min 34 sec
Submitted sample:

File MD5: 0x5B6B267D63E6E6DB1D353BA00272D2DF
File SHA-1: 0x5C7DD5753C37AC6DF902AF0A5815E51E4CC13EAC
Filesize: 1,644,136 bytes
Alias: not-a-virus:NetTool.Win32.UltraSurf.tk [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\PUTTY.RND	600 bytes	MD5: 0x2A92D5BFE5311CE97803F1D5C5C0B457 SHA-1: 0x8290DA9D963CA1AC74D6A8F32910F9CD34414994	(not available)
2	[file and pathname of the sample #1]	1,644,136 bytes	MD5: 0x5B6B267D63E6E6DB1D353BA00272D2DF SHA-1: 0x5C7DD5753C37AC6DF902AF0A5815E51E4CC13EAC	not-a-virus:NetTool.Win32.UltraSurf.tk [Kaspersky Lab]
3	%System%\utmp\Dpkhbktttwtg7i3a	28 bytes	MD5: 0x70358CA30EADCE0D64CEE9920D76707D SHA-1: 0xAF213CF449D8938AFC36313C0C9BE49C5D6C57B9	(not available)
4	%System%\utmp\Hmiakebjspjl7f3w	40 bytes	MD5: 0x1BED3D9FD820FAD35526C386657E19EA SHA-1: 0x3A0BF16C4DBA6A6E76CFC44C7F0F78A5EB57AA1D	(not available)
5	%System%\utmp\Phbgibexopxi7m5d	16 bytes	MD5: 0xDD08F698779019651DF7D13E5C820437 SHA-1: 0x1E8F2A65ECCD39853AED601C4A158C7408409314	(not available)
6	%System%\utmp\Rocleyvimjil6c9b	30 bytes	MD5: 0xF556D76EB5F60F9F7D6CCBDC80C194BC SHA-1: 0x7CC9F8584E3E9F66CC9E3DE667802ED565296EB3	(not available)
7	%System%\utmp\Zjgrcclwijwi6b1j	72 bytes	MD5: 0xA3BE986744B66B0C258741999B879C1A SHA-1: 0xFE2C6433E96E8C0DDC6AF74B85FE4C04A370F968	(not available)

Notes:

%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\utmp

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	7,684,096 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences]

UseHTTP = 0x00000001
UseTCP = 0x00000000
UseUDP = 0x00000000
UseMulticast = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]

ProxyBypass = 0x00000000
ProxyStyle = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

CurrentLevel = 00 00 00 00
1C00 = 00 00 00 00

The following Registry Value was deleted:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

CurrentLevel = 0x00000000
1C00 = 0x00010000

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Taiwan
	China

The following ports were open in the system:

Port	Protocol	Process
1033	UDP	[file and pathname of the sample #1]
1040	UDP	[file and pathname of the sample #1]
1060	UDP	[file and pathname of the sample #1]
9666	TCP	[file and pathname of the sample #1]
9999	TCP	[file and pathname of the sample #1]

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.