ThreatExpert Report: W32/Generic.m, Worm.Win32.VB, Virus.Win32.Virut.ce, Mal/HckPk-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 October 2011, 07:36:47
Processing time: 10 min 52 sec
Submitted sample:

File MD5: 0x5B80F39957E35043E539AFDFD2AE1287
File SHA-1: 0xE946229307FFF0AF234978B71F09812770CA6B26
Filesize: 610,304 bytes
Alias:

W32/Generic.m [McAfee]
Worm.Win32.VB [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to block security-related software by modifying firewall settings and by disabling security services, such as Windows Update, Norton Autoprotect, Kaspersky Anti-Virus, etc.
Hosts file modification that may block access to the security web sites.
Downloads/requests other files from Internet.
Creates a startup registry entry.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Worm.IM.Sohanad	Worm.IM.Sohanad spreads via Yahoo Messenger and infects Windows. It sends a message to all Yahoo Messenger contacts of an infected user. The message contains a link enticing users to download the worm. The worm also disable certain Windows functionalities abd hijacks Internet Explorer homepage. It also downloads other maware and it will also attempt to propagate via the means of creating copies of itself onto removable devices such as USB flash and hard drives.
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.
Trojan-Downloader.Injecter.LR	Trojan-Downloader.Injecter.LR contacts a remote server in order to log an infection and attempts to download code and may install other malware.
Backdoor.Rbot.ADF	Backdoor.Rbot.ADF is a trojan which opens network ports and allows attackers to gain unauthorized access to the system. It also spreads to network shares by exploiting weak passwords.
Trojan-PWS.QQPass.AM	Trojan.PSW.QQPass.AM steals login information such as usernames and passwords and sends them via e-mail to a remote location.

Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Startup\explorer.exe	659,456 bytes	MD5: 0x5DF790AE38206FFF4F885A6D265E9182 SHA-1: 0x13FAB8AEB1A68CEBAFACB03C9E3434B2EA947BB2	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
2	%AppData%\1787a.log	3,906 bytes	MD5: 0x032A8A9693DEF7081D37FBE0E9BEE1D2 SHA-1: 0x775D8902AA4AD1F390CB4597FD7D6A7E8FEF56BD	(not available)
3	%AppData%\3kvq.exe	84,480 bytes	MD5: 0x6EAC6C737563EC1E0DF5E0A39740A49A SHA-1: 0x3DB75F13BE0C18429247612BB202672DC16F012F	Virus.Win32.Virut.ce [Kaspersky Lab] Mal/HckPk-A [Sophos] Trojan-Spy.Win32.VB [Ikarus]
4	%AppData%\LocalAccountAuthority.bat	108 bytes	MD5: 0x2C9B188DB3E8711956C33D9A699B0D7A SHA-1: 0x306B8FB221FB3FC452C4C74388A51B6EC268FFFA	(not available)
5	%AppData%\lssas.exe	101,376 bytes	MD5: 0x72296C7C0965A8341447BE32641F1859 SHA-1: 0x263BD34AB462334C51FFF7B651E6A4733A76BD55	Virus.Win32.Virut.ce [Kaspersky Lab]
6	%AppData%\MouseDriver.bat	107 bytes	MD5: 0xACE80C78E3C3C47D6AA7BE4F89EFE692 SHA-1: 0x6F4ED2A55D025DEFEBE43A8AA63EF4D2ACCC36CF	(not available)
7	%AppData%\xyw0glqb.exe	69,632 bytes	MD5: 0xB1E27247CBEFFB639266CB30DDD866CF SHA-1: 0xACBF67539D1F64C79B3AB1E0342DF519674E34BE	(not available)
8	%Programs%\Startup\explorer.exe	659,456 bytes	MD5: 0x74F290CCDB6F7AD332338EA2A074BFD6 SHA-1: 0x68CA4E8E9B5BD578DD0860FD0E296DB8F3ADA963	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
9	c:\New Folder.exe %Windir%\svchost.exe %System%\ShellExt.exe %System%\wbem.exe %System%\wins.exe %System%\xircom.exe	659,456 bytes	MD5: 0x6E2DD7A378DA04EEBBFC45A5BC3A17A7 SHA-1: 0x37A112FCFEFB5B4EDFAE789509AEE3DCAFA4BE56	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
10	%System%\1025.exe	659,456 bytes	MD5: 0xC26D9FA6E299EEF175758C5173E6EB1A SHA-1: 0x8072AF35A2514666B507F1BFFCD28E239527A448	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
11	%System%\1028.exe	659,456 bytes	MD5: 0x22D31B4736FDF498A7B1BCE20DEF615D SHA-1: 0x8ADD97493545035E9070F074F565C41DFBF6B35E	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
12	%System%\1031.exe	659,456 bytes	MD5: 0xA14F844951D448BE017EF9A92A9A053C SHA-1: 0xF47DF2B0A8396E9914455EC58B396556B19E26F8	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
13	%System%\1033.exe	659,456 bytes	MD5: 0x9283D58C267A35043CBDE4DCD5853403 SHA-1: 0x5FD3C232BEB50D0A24209A06E92EC060060C288E	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
14	%System%\1037.exe	659,456 bytes	MD5: 0x5177C9C647E4AED28697FC4D726F221C SHA-1: 0x08A53DB8457BC0D16967DBA8232F21E123035F10	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
15	%System%\1041.exe	659,456 bytes	MD5: 0xB1F1E46DCE9E63158A1312C8D618DDDE SHA-1: 0xA0CFE3A40337EF05F3F30B90CCDE737096E5B287	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
16	%System%\1042.exe	659,456 bytes	MD5: 0x8DEF89CE392EB4EF0C36D0251AEF8B0D SHA-1: 0x209D53AAD5954676D12E086EF88952107CAA2B81	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
17	%System%\1054.exe	659,456 bytes	MD5: 0x5441F6921EDA886E77FD96256A6EC522 SHA-1: 0x652847F7914A84F8E3E50509FC1D9AEFCBF4818A	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
18	%System%\2052.exe	659,456 bytes	MD5: 0x754C2C159F33A91152BF2BA2BD0379F1 SHA-1: 0x0E7800FE95C159E22982233152B8FD6AF045FD3E	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
19	%System%\3076.exe	659,456 bytes	MD5: 0x52DE0DDBF2BB978A8F4539374B0B269E SHA-1: 0x473EFE19B81C8EC3732D480C362795DDF97BD306	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
20	%System%\3com_dmi.exe	659,456 bytes	MD5: 0x57FCD457BBF7F1B362FEB81EE9BDF55F SHA-1: 0x7CC58454F7647BC073A9B45384FD1D0D3C6D86D4	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
21	%System%\CatRoot.exe	659,456 bytes	MD5: 0x4BFB4B49DCE58017E7920A8FDAEA3815 SHA-1: 0xE16BBF2B2404E5F34A892BFEBD240CE3B62B166E	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
22	%System%\CatRoot2.exe	659,456 bytes	MD5: 0xEE303DA73241F0DB9406DE580C7C6F1A SHA-1: 0xE4B3F27B8227BB4560DB8EEC369E84F1BFE57791	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
23	%System%\Com.exe	659,456 bytes	MD5: 0x14A6904D122548B94B51B3FCEE878AA3 SHA-1: 0xC8D60AB217B0BE4855C147A873764552B4404A19	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
24	%System%\config.exe	659,456 bytes	MD5: 0x22713D8D1E57C764117FC8F6121AEC50 SHA-1: 0xF2F58FACB3E5E3B23859D36317582F60501961C3	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
25	%System%\dhcp.exe	659,456 bytes	MD5: 0xC64588264BEF8C247B7ABB0E3A44AE35 SHA-1: 0x7A9642C1601FA592C1EA0A4DFB949DAEFE0B89FA	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
26	%System%\DirectX.exe	659,456 bytes	MD5: 0xF060DC28C6156A3780F227245EB0A530 SHA-1: 0xB9B72E5CA427E6BA428DD11F058440FC25E24B2E	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
27	%System%\drivers.exe	659,456 bytes	MD5: 0x4ADD7CB791FA8D759E5B967F442BE20B SHA-1: 0xF60B28304F9479DDEE8132657A90739D496A8076	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
28	%System%\export.exe	659,456 bytes	MD5: 0x437B4C069C6FAFC27DF6A5F44330984D SHA-1: 0x1810FDE6290958CADD6832851C6E54C52895CE1E	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
29	%System%\ias.exe	659,456 bytes	MD5: 0xCBF79F57E84CD3B44414AA4D85BF307A SHA-1: 0xE4D1B117E4952BB99E22426E47E4AD519D85400A	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
30	%System%\icsxml.exe	659,456 bytes	MD5: 0x4436A147F476CBC1057F8CE35D02D68D SHA-1: 0x9585BC5B46AF53B242F804469E2003087692FFB1	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
31	%System%\IME.exe	659,456 bytes	MD5: 0x2A301454CF6888E2C706EB743CC67EFF SHA-1: 0x8BB02F899B441269B91D3C6CD7DD1258D95D750C	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
32	%System%\inetsrv.exe	659,456 bytes	MD5: 0xB74A58F3E9FE60CB1B9F3F6448DDFB47 SHA-1: 0x7E2002FE0D9B92E9094713CFA343E73AFB71E9C9	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
33	%System%\Macromed.exe	659,456 bytes	MD5: 0xBAC749F29BCACA69BC805294B69911D1 SHA-1: 0x2894C7DEC9B3B66DB50EDBD512540EB6AEB60CE3	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
34	%System%\mbkfvo8.exe	34,816 bytes	MD5: 0x74378C6F87718717986194E21FA62368 SHA-1: 0xA797BE901250610528B0B427D8FA3F1B6882C613	Trojan-Spy.Win32.VB.coq [Kaspersky Lab] Trojan-Spy.Win32.VB [Ikarus] packed with UPX [Kaspersky Lab]
35	%System%\Microsoft.exe	659,456 bytes	MD5: 0x68E2934FD1FC5BF3069EC6B58E860ED7 SHA-1: 0x9B331995908E18EB165AEE2496AC21339AF80934	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
36	%System%\mlog	17,538 bytes	MD5: 0x5E16C488E66D6759470DD411E4E4823A SHA-1: 0x660A0005E2A807F59A1698ABA760A60781C1EA6B	(not available)
37	%System%\MsDtc.exe	659,456 bytes	MD5: 0xE2A03B33F58595E76C4F2DE4E4D5B7E7 SHA-1: 0x41FD87C6F34DF16435E1CFABCAD1F3BC506677F0	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
38	%System%\mui.exe	659,456 bytes	MD5: 0x1C6BA7F5BE14980A5BB38C04F1952E74 SHA-1: 0x36D0B603EF8FED1C909C75ACBD26507D1A7CACCE	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
39	%System%\npp.exe	659,456 bytes	MD5: 0xF7C7E855D951239502EEAA7BC528AF28 SHA-1: 0xDAF6AB28F95FC25F4B16577A5E8FF07439D73CBF	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
40	%System%\NtmsData.exe	659,456 bytes	MD5: 0x6F26CC95A1CEAA7F25C156E74F9CAB2B SHA-1: 0xF5DA756146EDEDDC4082315CA54216E59FA73823	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
41	%System%\nwcwks.dll	8,192 bytes	MD5: 0x560F8147E9BB5A728D8715120D2F7E7F SHA-1: 0xBBE08F172EAE8F6E49A6E1B8BB121816C326F8E3	Troj/Inject-OJ [Sophos]
42	%System%\oobe.exe	659,456 bytes	MD5: 0xF8BA785F5F636DA1CEC73591E6822A48 SHA-1: 0xC6DA30A573B89894AF7DB121C144EB4E45B361C7	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
43	%System%\ras.exe	659,456 bytes	MD5: 0xA80BCCE6963CC38430CA96167AB85493 SHA-1: 0xE1C3A29B9A57DEB0611887FDD5EA13F3C12EAF09	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
44	%System%\ReinstallBackups.exe	659,456 bytes	MD5: 0x146241EBD6F7AD39BC11A5CA64BA1CAE SHA-1: 0x70C6580C370E754A6FD4A903D7A6B76F27BB9E53	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
45	%System%\Restore.exe	659,456 bytes	MD5: 0xD6D5031F7CD22020C497EB615B08B9FE SHA-1: 0xF079A259357F7B12EBB49F668081D25D8FC53657	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
46	[file and pathname of the sample #1]	659,456 bytes	MD5: 0x8B85F81065A46024A784C72350BD8B88 SHA-1: 0xA343C024E0904DAFD7AC5C338E62D36808561B92	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
47	%System%\Setup.exe	659,456 bytes	MD5: 0x703540D7029BE821D69C47B645EA32EF SHA-1: 0x834EDC07349D23B60546BCA9C521DA66F6044B61	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
48	%System%\spool.exe	659,456 bytes	MD5: 0x48D79F18FFF109CC8685325F95F699CE SHA-1: 0x1C5148FB1B1EE6795203A7F4011F89D9F921E8BB	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]
49	%System%\usmt.exe	659,456 bytes	MD5: 0x86013C9843F793698CD748F4EC12330E SHA-1: 0x116AF3864E18C08D3DCBE3EF604C50E34F622582	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Generic.m [McAfee] Worm.Win32.VB [Ikarus]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

[pathname with a string SHARE]\msinfo32.exe
[pathname with a string SHARE]\sapisvr.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\NetMeeting\cb32.exe
%ProgramFiles%\NetMeeting\conf.exe
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Outlook Express\oemig50.exe
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Web Publish\WPWIZ.EXE
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Windows Media Player\mplayer2.exe
%ProgramFiles%\Windows Media Player\setup_wm.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
%Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
%Windir%\hh.exe
%Windir%\inf\unregmp2.exe
%Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
%Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
%Windir%\msagent\agentsvr.exe
%Windir%\mui\muisetup.exe
%Windir%\NOTEPAD.EXE
%Windir%\pchealth\helpctr\binaries\HelpCtr.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.exe
%Windir%\pchealth\helpctr\binaries\HelpSvc.exe
%Windir%\pchealth\helpctr\binaries\HscUpd.exe
%Windir%\pchealth\helpctr\binaries\msconfig.exe
%Windir%\pchealth\helpctr\binaries\notiflag.exe
%Windir%\pchealth\UploadLB\Binaries\UploadM.exe
%Windir%\regedit.exe
%System%\accwiz.exe
%System%\actmovie.exe
%System%\ahui.exe
%System%\alg.exe
%System%\arp.exe
%System%\asr_fmt.exe
%System%\asr_ldm.exe
%System%\asr_pfu.exe
%System%\at.exe
%System%\atmadm.exe
%System%\attrib.exe
%System%\auditusr.exe
%System%\blastcln.exe
%System%\bootcfg.exe
%System%\bootok.exe
%System%\bootvrfy.exe
%System%\cacls.exe
%System%\calc.exe
%System%\charmap.exe
%System%\chkdsk.exe
%System%\chkntfs.exe
%System%\cidaemon.exe
%System%\cipher.exe
%System%\cisvc.exe
%System%\ckcnv.exe
%System%\cleanmgr.exe
%System%\clean_all.exe
%System%\cliconfg.exe
%System%\clipbrd.exe
%System%\clipsrv.exe
%System%\cmd.exe
%System%\cmdl32.exe
%System%\cmmon32.exe
%System%\cmstp.exe
%System%\comp.exe
%System%\compact.exe
%System%\conime.exe
%System%\control.exe
%System%\convert.exe
%System%\cscript.exe
%System%\ctfmon.exe
%System%\dcomcnfg.exe
%System%\ddeshare.exe
%System%\defrag.exe

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

c:\System Volume Information\.
c:\System Volume Information\..
c:\New Folder

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
svchost.exe	%Windir%\svchost.exe	659,456 bytes
3kvq.exe	%AppData%\3kvq.exe	225,280 bytes
explorer.exe	%CommonPrograms%\startup\explorer.exe	659,456 bytes
explorer.exe	%Programs%\startup\explorer.exe	659,456 bytes
mbkfvo8.exe	%System%\mbkfvo8.exe	147,456 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	630,784 bytes

There were new services created in the system:

Service Name	Display Name	Status	Service Filename
MouseDriver	MouseDriver	"Stopped"	%AppData%\MouseDriver.bat
NWCWorkstation	Client Service for NetWare	"Running"	%System%\svchost.exe -k netsvcs

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\3kvq
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\3kvq\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT2\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
HKEY_LOCAL_MACHINE\SOFTWARE\tgs90gv74r
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\3kvq\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT2\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS]

CheckedValue = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

apps = "%System%\mbkfvo8.exe"

so that mbkfvo8.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

v0lut47 = "%AppData%\3kvq.exe"

so that 3kvq.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute]

values = 2A 3D F7 67 64 67 67 67 63 67 67 67 98 98 67 67 DF 67 67 67 67 67 67 67 27 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 66 67 67 69 78 DD 69 67 D3 6E AA 46 DF 66 2B AA 46 33 0F 0E 14 47 1

[HKEY_LOCAL_MACHINE\SOFTWARE\tgs90gv74r]

tgs90gv74rexepath = "%AppData%\3kvq.exe"
tgs90gv74rpath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "NWCWorkstation"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\MouseDriver.bat"
DisplayName = "MouseDriver"
ObjectName = "LocalSystem"
Description = "Enables a computer to use mouse from USB port. Stopping or disabling this service will result in system instability."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum]

0 = "Root\LEGACY_NWCWORKSTATION\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "NWCWorkstation"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\MouseDriver.bat"
DisplayName = "MouseDriver"
ObjectName = "LocalSystem"
Description = "Enables a computer to use mouse from USB port. Stopping or disabling this service will result in system instability."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum]

0 = "Root\LEGACY_NWCWORKSTATION\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"
DisableScriptDebuggerIE = "yes"
Error Dlg Displayed On Every Error = "no"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]

UpdateHost = 00 50 53 85 77 C5

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]

win = "%System%\mbkfvo8.exe"
init = "%System%\mbkfvo8.exe"

so that mbkfvo8.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"
DisableScriptDebuggerIE = "yes"
Error Dlg Displayed On Every Error = "no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

win = "%System%\mbkfvo8.exe"
init = "%System%\mbkfvo8.exe"

so that mbkfvo8.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Account Authority Service]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\LocalAccountAuthority.bat"
DisplayName = "Local Account Authority Service"
ObjectName = "LocalSystem"
Description = "Stores security information for local user accounts. Stopping or disabling this service will result in windows login failure."

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>`NTP6lYuf(laaqF-Q9q."

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

CheckedValue =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]

Auto =

[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]

(Default) =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

AppData =
Cookies =
Local AppData =
Cache =
History =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1601 =

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]

(Default) =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1601 =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following ports were open in the system:

Port	Protocol	Process
1080	UDP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1089	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1093	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1094	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1095	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1098	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1100	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1102	TCP	mbkfvo8.exe (%System%\mbkfvo8.exe)
1119	TCP	3kvq.exe (%AppData%\3kvq.exe)

The HOSTS file was updated with the following URL-to-IP mappings:

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
122.224.6.164	82
60.190.223.60	2012
60.190.223.60	888

The data identified by the following URLs was then requested from the remote web server:

http://zeus.sunke.info:82/hn.gif?t=0.5552332
http://zeus.sunke.info:82/hn.gif?t=0.19302
http://sb.letmedo.net:2012/p/out/kp.exe
http://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3B69C1DCEDCA835FF3F6D1DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.8511316
http://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3B69C1DCEDCA835FF3F6D1DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.4871332
http://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3B69C1DCEDCA835FF3F6D1DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.4937555

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.