Visit ThreatExpert web site |Close Report

Submission Summary:

What's been foundSeverity Level
Attempts to use BITS (Background Intelligent Transfer Service). Some threats are known to use BITS to evade firewall filtering and download files without firewall inspection.
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

 

Technical Details:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

 

Possible Security Risk

Security RiskDescription
RogueAntiSpyware.PCDefender RogueAntispyware.PCDefender is fake antispyware that tries to get attention from users by prompting them to register and buy their products.
Adware.Component.Generic Common Components that may be used by AdMedia, Adware.Allsum, Adware.Agent.BN, Trojan.Downloader.VideoCach and other adwares.

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A program that downloads files to the local computer that may represent security risk

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %CommonAppData%\Microsoft\Network\Downloader\qmgr0.dat 5,242 bytes MD5: 0x1259F7DC6D9412E812BCF81847DD18EE
SHA-1: 0x38BA42B9794184C65A6E59A0F9131B04F093BE79		 (not available)
2 %CommonAppData%\Microsoft\Network\Downloader\qmgr1.dat 4,232 bytes MD5: 0xA1E4448BAC117DB80A515A41B9584FEA
SHA-1: 0x910B4A725C79472733F6B38874B42D40E3732459		 (not available)
3 %AppData%\bh1.bat 173 bytes MD5: 0x322E7ACB7A804290A5DA665EFE30C12A
SHA-1: 0xCE0DFCD3CAE9DCD70846266C841B1B0A803A9B0A		 (not available)
4 %Windir%\kernel32lib.dll 29,184 bytes MD5: 0x8080C00839C9EE53BCEB1FAEB2349F24
SHA-1: 0xE76AE8242FF9BB6E840445433F95DD0F53E4B09A		 Trojan.Fakeavalert [Symantec]
Mal/Generic-A [Sophos]
Trojan:Win32/Tibs.gen!lds [Microsoft]
5 [file and pathname of the sample #1] 74,755 bytes MD5: 0x687B3419EC8092620EDF5F55096A897D
SHA-1: 0xD04D58B07F04BC047AED739E07253CDD5D0393E9		 Trojan.Fakeavalert [Symantec]
Trojan-Downloader.Win32.Agent.cgxu [Kaspersky Lab]
FakeAlert-CM [McAfee]
Mal/EncPk-IV [Sophos]
TrojanDownloader:Win32/FakeRean [Microsoft]
Trojan-Dropper.Agent [Ikarus]
Win-Trojan/Agent.74755 [AhnLab]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
[generic host process][generic host process filename]20,480 bytes
[filename of the sample #1][file and pathname of the sample #1]151,552 bytes

Service NameDisplay NameNew StatusService Filename
BITSBackground Intelligent Transfer Service"Running"%System%\svchost.exe -k netsvcs
wscsvcSecurity Center"Stopped"%System%\svchost.exe -k netsvcs

 

Registry Modifications

 

Other details

Ukraine

Server NameServer PortConnect as UserConnection Password
911pornox.com80(null)(null)

 

Heuristics Analysis

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2010 ThreatExpert. All rights reserved.