ThreatExpert Report: TrojanDropper:Win32/Preald.A, Downloader.MisleadApp, Troj/FakeAV-VK..

Submission Summary:

Submission details:

Submission received: 8 July 2009, 15:38:40
Processing time: 8 min 36 sec
Submitted sample:

File MD5: 0x5EDD87D4D271E8E4B5244C6AEE787101
File SHA-1: 0x40C9DD5E71C90623FAD372CC9BC8E34C0FF1070E
Filesize: 353,280 bytes
Alias: TrojanDropper:Win32/Preald.A [Microsoft]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
RogueAntiSpyware.Sysguard	RogueAntiSpyware.Sysguard generates malfunctionality on the system by disabling some Windows features. It displays fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products.
Trojan-Downloader.Small.GEN	Trojan-Downloader.Small.GEN contacts remote servers in order to download additional malware onto a users computer without their knowledge.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\[filename of the sample #1] %Windir%\sysguard.exe	275,712 bytes	MD5: 0x5AA8A8053B563DAEB244824722F74A3C SHA-1: 0xF12E655358F44A4E08AB03EB79C14BA9D8662EBC	Downloader.MisleadApp [Symantec] Troj/FakeAV-VK [Sophos] Trojan.Win32.FakeSpypro [Ikarus]
2	%Temp%\WERf781.dir00\appcompat.txt	16,296 bytes	MD5: 0xF560A82E9385739415E085B4553CBA8F SHA-1: 0x958B55E9517896C07D689F6BDDED4EF10D0718A9	(not available)
3	%Temp%\WERf781.dir00\explorer.exe.hdmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
4	%Temp%\WERf781.dir00\explorer.exe.mdmp	60,061 bytes	MD5: 0x2D44AE97CC0547D03BE4529B9A354A83 SHA-1: 0x2C78C4108033DF6FF25FAF5E1DD5E0CD738B547D	(not available)
5	%Temp%\WERf781.dir00\manifest.txt	1,980 bytes	MD5: 0x8F108CB7B987824EC86677FD0CE870D0 SHA-1: 0x7EB9D27166365D8766BF82F603DAB3D0C85E17AC	(not available)
6	%Windir%\ld12.exe	26,624 bytes	MD5: 0x86B8812C347F87DE92F2FA5CF1121323 SHA-1: 0xFD9EE4E9CEA8CD59FBFD6966BC5B91D61F262F79	W32.Koobface.A [Symantec]
7	[file and pathname of the sample #1]	353,280 bytes	MD5: 0x5EDD87D4D271E8E4B5244C6AEE787101 SHA-1: 0x40C9DD5E71C90623FAD372CC9BC8E34C0FF1070E	TrojanDropper:Win32/Preald.A [Microsoft]
8	%System%\wbem\proquota.exe	35,840 bytes	MD5: 0x96004C85D5B763AD102AD8FD7078D13C SHA-1: 0xF5BF2A8543FF78BE461211865E7C8D8F93AF5FDE	Trojan.Bredolab [Symantec]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was deleted:

%System%\proquota.exe

The following file was modified:

%System%\drivers\etc\hosts

The following directory was created:

%Temp%\WERf781.dir00

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
sysguard.exe	%Windir%\sysguard.exe	499,712 bytes
ld12.exe	%Windir%\ld12.exe	57,344 bytes
2.tmp	%Temp%\2.tmp	61,440 bytes
1.tmp	%Temp%\1.tmp	57,344 bytes
[filename of the sample #1]	%Temp%\[filename of the sample #1]	499,712 bytes
proquota.exe	%System%\wbem\proquota.exe	61,440 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	348,160 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	65,536 bytes
svchost.exe	%System%\svchost.exe	65,536 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\AvScan

The following Registry Keys were deleted:

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

sysldtray = "%Windir%\ld12.exe"

so that ld12.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]

RunInvalidSignatures = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

LowRiskFileTypes = ".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]

SaveZoneInformation = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

EnableProfileQuota = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

LowRiskFileTypes = "%Windir%\sysguard.exe"

so that sysguard.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]

JITDebug = 0x00000001

The following Registry Values were deleted:

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default]

(Default) = "%SystemRoot%\media\Windows XP Start.wav"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]

(Default) = "%SystemRoot%\media\Windows XP Start.wav"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating]

(Default) = ""

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]

CheckExeSignatures = "no"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex object was created:

xx464dg433xx12

The HOSTS file was updated with the following URL-to-IP mappings:

The following Host Name was requested from a host database:

squatead.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
209.44.111.62	80
94.232.248.54	80

The following HTTP URLs were started reading:

http://209.44.111.62/check
http://94.232.248.54/check

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.