ThreatExpert Report: Worm.Win32.Nuj, W32.Pinfi, Virus.Win32.Parite.b, W32/Pate.b, PE

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 14 September 2012, 18:41:51
Processing time: 7 min 54 sec
Submitted sample:

File MD5: 0x614EF09D70286B9A1100BDA019FFE242
File SHA-1: 0xBE2CEC9E7668F5C5476A0F5BB33EE18C52A83B09
Filesize: 33,792 bytes
Alias & packer info:

Worm.Win32.Nuj [Ikarus]
packed with: UPX [Kaspersky Lab]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	33,792 bytes	MD5: 0x614EF09D70286B9A1100BDA019FFE242 SHA-1: 0xBE2CEC9E7668F5C5476A0F5BB33EE18C52A83B09	Worm.Win32.Nuj [Ikarus] packed with UPX [Kaspersky Lab]
2	%System%\Sv-Ghost.Exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	98,304 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
ntvdm.exe	%System%\ntvdm.exe	987,136 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following Host Name was requested from a host database:

192.5.5.241

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.wenmeii.net	80	(null)	(null)

The following GET request was made:

ne19.exe

Downloaded File Summary:

Download details:

Download retrieved: 14 September 2012 18:49:46
Processing time: 8 min 5 sec
Downloaded sample:

File MD5: 0x52100432360659362578E07DC60FBE60
File SHA-1: 0x1C6961CB7D421960E2D602630EFBF9435248C1BC
Filesize: 226,260 bytes
Alias:

W32.Pinfi [Symantec]
Virus.Win32.Parite.b [Kaspersky Lab]
W32/Pate.b [McAfee]
PE_PARITE.A [Trend Micro]
W32/Parite-B [Sophos]
Virus:Win32/Parite.B [Microsoft]
Virus.Win32.Parite [Ikarus]
Win32/Parite [AhnLab]

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\lma1.tmp	176,128 bytes	MD5: 0x685F1CBD4AF30A1D0C25F252D399A666 SHA-1: 0x6A1B978F5E6150B88C8634146F1406ED97D2F134	W32.Pinfi [Symantec] Virus.Win32.Parite.o [Kaspersky Lab] W32/Pate.b.dll [McAfee] PE_PARITE.A-O [Trend Micro] W32/Parite-B [Sophos] Virus:Win32/Parite.B.dll [Microsoft] Virus.Win32.Parite [Ikarus] Win32/Parite [AhnLab]
2	[file and pathname of the sample #1]	226,260 bytes	MD5: 0x52100432360659362578E07DC60FBE60 SHA-1: 0x1C6961CB7D421960E2D602630EFBF9435248C1BC	W32.Pinfi [Symantec] Virus.Win32.Parite.b [Kaspersky Lab] W32/Pate.b [McAfee] PE_PARITE.A [Trend Micro] W32/Parite-B [Sophos] Virus:Win32/Parite.B [Microsoft] Virus.Win32.Parite [Ikarus] Win32/Parite [AhnLab]
3	%System%\share.txt	28 bytes	MD5: 0xFAE7D1AF9F442B7E1465D376D814F073 SHA-1: 0x7716183EFD715AD5BD0B8CDC7E9CAE49DFCF23C5	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

[pathname with a string SHARE]\DW20.EXE
[pathname with a string SHARE]\DWTRIG20.EXE
[pathname with a string SHARE]\msinfo32.exe
[pathname with a string SHARE]\sapisvr.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
%ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
%ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\NetMeeting\conf.exe
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Outlook Express\oemig50.exe
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Web Publish\WPWIZ.EXE
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Windows Media Player\setup_wm.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
%ProgramFiles%\WinPcap\rpcapd.exe

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	294,912 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

NotifyDownloadComplete = "yes"

Other details

To mark the presence in the system, the following Mutex object was created:

CritOpMutex

The following port was open in the system:

Port	Protocol	Process
1039	UDP	[file and pathname of the sample #1]

The following Host Names were requested from a host database:

192.5.5.241
0.0.0.0

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
192.5.5.241	1033

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.wenmeii.net	80	(null)	(null)
www.baidu.com	80	(null)	(null)
.host	80	.host	.host

The following GET requests were made:

query.asp
index.html
index.jpg

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%Temp%\lma1.tmp

the hook is handled by its export "AttachHook()"

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.