ThreatExpert Report: Worm.AutoRun, Trojan Horse, BackDoor-DRV.gen.c, Trojan:Win32/Malagent..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 November 2009, 15:31:09
Processing time: 9 min 38 sec
Submitted sample:

File MD5: 0x689C17C8CACE04D42887E77A3E13BD3C
File SHA-1: 0x4ACBF5B6430F91C80F314886688926473E2ADEF0
Filesize: 907,679 bytes
Alias:

Worm.AutoRun [PCTools]
Trojan Horse [Symantec]
BackDoor-DRV.gen.c [McAfee]
Trojan:Win32/Malagent [Microsoft]
Worm.Win32.AutoRun [Ikarus]
Dropper/Malware.907679.B [AhnLab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Worm.AutoRun.GEN	Worm.AutoRun.GEN is a threat that spreads through available drives and is able to automatically execute itself. It also attempts to disable security-related applications based on their filenames

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\AutoRun.inf	182 bytes	MD5: 0xF01FA973832C51B9CA5A672F8D1E56B3 SHA-1: 0xC8E62EE77CE4D9037B19C17F48FA6AD567FF4B50	INF.Autorun.Gen [PCTools] Generic!atr [McAfee] W32/Autorun-RN [Sophos]
2	c:\%ComputerName%.exe %System%\%ComputerName%.exe [file and pathname of the sample #1]	907,679 bytes	MD5: 0x689C17C8CACE04D42887E77A3E13BD3C SHA-1: 0x4ACBF5B6430F91C80F314886688926473E2ADEF0	Worm.AutoRun [PCTools] Trojan Horse [Symantec] BackDoor-DRV.gen.c [McAfee] Trojan:Win32/Malagent [Microsoft] Worm.Win32.AutoRun [Ikarus] Dropper/Malware.907679.B [AhnLab]
3	%CommonDesktopDir%\Internet Explorer.lnk	292 bytes	MD5: 0x1AD167DBE70EFB20A821E4179938DD13 SHA-1: 0x0634CB02D512FAD0CE664976B785913D36EBC34B	(not available)
4	%Favorites%\ï¿½ï¿½ ï¿½Ù¶ï¿½ï¿½ï¿½Ò³ ï¿½ï¿½.lnk	200 bytes	MD5: 0x831A36E6AF3E33B952B144F4B10C67DE SHA-1: 0xC204FAE6CA10E480F4F9C72CABCDAF2A42C9B92B	(not available)
5	%Temp%\zhichiku\eAPI.fne	319,488 bytes	MD5: 0x936745BAC5C873AB1A91478D27894626 SHA-1: 0x9ED92393F95692339CE03A8F1498F80C727E0555	Generic.dx!di [McAfee] Trojan-PWS.YKX [Ikarus]
6	%Temp%\zhichiku\ERawSock.fne	61,440 bytes	MD5: 0x5E9DF9B0BE83C6543C45D15617D1DBC9 SHA-1: 0x371C7ABDE7418340DC29371F1109515B61A569B1	(not available)
7	%Temp%\zhichiku\HtmlView.fne	217,088 bytes	MD5: 0x4C9E8F81BF741A61915D0D4FC49D595E SHA-1: 0xD033008B3A0E5D3FC8876E0423EE5509ECB3897C	(not available)
8	%Temp%\zhichiku\krnln.fnr	1,101,824 bytes	MD5: 0xCF46BB62A1BA559CEB0FAD7A5D642F28 SHA-1: 0x80B63DD193E84BFACBE535587DD38471B8EA2C24	(not available)
9	%Temp%\zhichiku\shell.fne	40,960 bytes	MD5: 0xD54753E7FC3EA03AEC0181447969C0E8 SHA-1: 0x824E7007B6569AE36F174C146AE1B7242F98F734	Worm.AutoRun.GEN [PCTools] W32/Emerleox.worm [McAfee] W32/AutoRun-MO [Sophos] Trojan.Win32.AutoRun [Ikarus]
10	%Windir%\baidu.ico	2,462 bytes	MD5: 0xEF015E1F87C8D196C454475C100617E7 SHA-1: 0x3E3652A1E3201F6CC28C2F0B3BFA838803CDD9DF	(not available)
11	%System%\baidu.htm	853 bytes	MD5: 0xE76B0AA91C0A80EA2F1C641D67468000 SHA-1: 0xA005627D5A633E6B3902456631A1352B9AC648DF	(not available)

Notes:

%ComputerName% is a variable that refers to the current computer name.
%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%Favorites% is a variable that refers to the file system directory that serves as a common repository for the user's favorite items. A typical path is C:\Documents and Settings\[UserName]\Favorites.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%Temp%\zhichiku

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes
%ComputerName%.exe	%System%\%ComputerName%.exe	102,400 bytes
%ComputerName%.exe	c:\%ComputerName%.exe	102,400 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{F2C63239-A5DB-487B-B283-4132351E7AB6}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ï¿½ï¿½ï¿½Ù¶ï¿½Ò»ï¿½ï¿½,ï¿½ï¿½ï¿½Öªï¿½ï¿½ï¿½ï¿½

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Windowsï¿½ï¿½ï¿½ï¿½Ç½ = "%System%\%ComputerName%.exe"

so that %ComputerName%.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]

{F2C63239-A5DB-487B-B283-4132351E7AB6} = 0x00002001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{F2C63239-A5DB-487B-B283-4132351E7AB6}]

ButtonText = "ï¿½Ù¶ï¿½Ò»ï¿½ï¿½,ï¿½ï¿½ï¿½Öªï¿½ï¿½"
CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
Default Visible = "yes"
Exec = "http://www.baidu.com/index.php?tn=mm667_pg"
HotIcon = "%Windir%\baidu.ico"
Icon = "%Windir%\baidu.ico"
IeakPolicy = ""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ï¿½ï¿½ï¿½Ù¶ï¿½Ò»ï¿½ï¿½,ï¿½ï¿½ï¿½Öªï¿½ï¿½ï¿½ï¿½]

Contexts = 0x00000030
(Default) = "%System%\baidu.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoInternetIcon = 0x00000001

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

SearchAssistant =
CustomizeSearch =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

CheckedValue =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]

NextId =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

ï¿½ï¿½ï¿½ï¿½ï¿½Ç·ï¿½

The following ports were open in the system:

Port	Protocol	Process
1035	UDP	[file and pathname of the sample #1]
1039	UDP	%ComputerName%.exe (%System%\%ComputerName%.exe)
1042	UDP	%ComputerName%.exe (%System%\%ComputerName%.exe)

The following Host Name was requested from a host database:

www.qq.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
www.qq.com	1036
www.qq.com	1033
www.qq.com	1040

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
blog.sdchild.com	80	(null)	(null)

The following GET requests were made:

UploadFiles/2008-11/5224603898.jpg?1109r?c:\windows\system32\sample_1.exe
UploadFiles/2008-11/index.jpg
UploadFiles/2008-11/5224603898.jpg?1109r?C:\WINDOWS\system32\ComputerName.exe

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.