ThreatExpert Report: Packed.Generic.200, Packed.Win32.Tdss.f, Mal/EncPk-GR, Mal/EncPk-GR..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 26 February 2009, 07:25:16
Processing time: 7 min 18 sec
Submitted sample:

File MD5: 0x6585660A3914079ECC7F964B87912747
File SHA-1: 0xEC6B9FAFBA1F934E2600C752511C67E381167534
Filesize: 180,736 bytes
Alias:

Packed.Generic.200 [Symantec]
Packed.Win32.Tdss.f [Kaspersky Lab]
Mal/EncPk-GR, Mal/EncPk-GR [Sophos]
Trojan.Win32.InternetAntivirus [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Rootkit.TDSS	Rootkit.TDSS can hide the presence of any process on the infected machine in order to perform malicious actions without users knowledge

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\nvrxohnsev.tmp	180,736 bytes	MD5: 0x6585660A3914079ECC7F964B87912747 SHA-1: 0xEC6B9FAFBA1F934E2600C752511C67E381167534	Packed.Generic.200 [Symantec] Packed.Win32.Tdss.f [Kaspersky Lab] Mal/EncPk-GR, Mal/EncPk-GR [Sophos] Trojan.Win32.InternetAntivirus [Ikarus]
2	%System%\drivers\senekatnymdbsc.sys	113,152 bytes	MD5: 0x3FD0C868E8FBCB6EDD849E6FE342624B SHA-1: 0x948E020A0FDB6931F3466C430944DA6375205A85	Trojan:WinNT/Alureon.C [Microsoft]
3	%System%\senekakorduymb.dll	29,798 bytes	MD5: 0x5AA85B76CA58B75B6594F8C5F8F66F19 SHA-1: 0x48B0A0FB3C71201BD21DB11B3D6555E460625A69	Packed.Generic.200 [Symantec] Packed.Win32.Tdss.f [Kaspersky Lab] Trojan-Downloader.Win32.Renos.AQ [Ikarus]
4	%System%\senekapxywyksp.dll	27,238 bytes	MD5: 0x0053FCCFF6B2EBC6885C4BBA551976A1 SHA-1: 0x1DACEB4081A3152076642AD0F6B78061C56CAC62	Packed.Generic.200 [Symantec] Packed.Win32.Tdss.f [Kaspersky Lab] Trojan:Win32/Vundo.JC.dll [Microsoft] Trojan.Win32.InternetAntivirus [Ikarus]
5	%System%\senekauetqxtiq.dll	87,142 bytes	MD5: 0xBE1515AF0F1D1CCA2B46CA3F0BEB28F6 SHA-1: 0x0224FCDAD33227B7BAF635A23DC826919018CC3B	Packed.Generic.200 [Symantec] Packed.Win32.Tdss.f [Kaspersky Lab] Trojan:Win32/Sudiet.B [Microsoft] Trojan-Downloader.Win32.Renos.AQ [Ikarus]
6	%System%\senekaynmkddec.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	356,352 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	32,768 bytes
svchost.exe	%System%\svchost.exe	28,672 bytes

There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
senekatnymdbsc.sys	%System%\drivers\senekatnymdbsc.sys

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPAutoConnect
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPPrnUI
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPVMMon
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPVMW32
HKEY_LOCAL_MACHINE\SOFTWARE\seneka
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\delete
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\injector
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\tasks
HKEY_LOCAL_MACHINE\SOFTWARE\seneka\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka\modules

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPVMMon]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\TPAutoConnect]

NameTranslationEx = ",,,,,,,,,, *,*,*,*,*,true,false,false,false,VMwareVirtualPrinter, *,*,*,*,*,false,true,true,true,PCL, ,,,,,,,,,!P, ,,,,,,,,,!C,"
ForceListenToWTS = 0x00000001
AllowedProcesses = "Explorer.exe"
(Default) = ""
ListenToWTSCreatCmd = "TPAutoConnect.exe -q -i vmware -a COM1 -F 30"
TimeOutVirtualChannelRead = 0x00000064
ListenToWTS = 0x00000001
ListenToWTSOnDisconnect = 0x00000001
ListenToWTSTrys = 0x00000014
ListenToWTSTryDelay = 0x000007D0
PrinterProperties = 0x00000001
ConnectToClient = "AUTO"
Protocol = "AUTO"
RightsWin2000 = 0x00000003
RightsWinNT = 0x00000000
ListenToWTSDeleteCmd = "TPAutoConnect -q -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint]

(Default) = ""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\seneka\injector]

iexplore.exe = "senekawi.dll"
explorer.exe = "senekaff.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\seneka\delete]

%Temp%\nvrxohnsev.tmp = (zero-length binary value)

[HKEY_LOCAL_MACHINE\SOFTWARE\seneka]

EPROCESS_LEOffset = 0x00000088
EPROCESS_NameOffset = 0x00000174
ver = "icv240209"
cid = "01"
bid = "13441600-606747145-764733703-839522115"
aid = "303420"
sid = "62"
feed = 22 64 78 36 3C 2E 3B 29 39 3B 3B 3A 04 4F 01 0C 09 65
inst = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka\modules]

seneka.dll = "%System%\senekauetqxtiq.dll"
seneka.sys = "%System%\drivers\senekatnymdbsc.sys"
senekalog.dat = "%System%\senekaynmkddec.dat"
senekawi.dll = "%System%\senekakorduymb.dll"
senekaff.dll = "%System%\senekapxywyksp.dll"
seneka.dat = "%System%\senekaypgervpg.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka]

start = 0x00000001
type = 0x00000001
imagepath = "%System%\drivers\senekatnymdbsc.sys"
group = "file system"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Cookies = "%System%\config\systemprofile\Cookies"
Cache = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
History = "%System%\config\systemprofile\Local Settings\History"

Other details

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
78.26.144.210	80	(null)	(null)
directitfast.com	80	(null)	(null)
onseneka.net	80	(null)	(null)
onseneka.com	80	(null)	(null)

The following GET request was made:

seneka/engine/engine.php?bot_id=13441600-606747145-764733703-839522115&affid=303420&subid=62&build=icv24020901&os=5.1+2600+SP2.0&lang=en-us&browser=iexplore.exe&name=ComputerName

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.