Submission Summary:

What's been found | Severity Level
Sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected any time they try to access this share. |
Downloads/requests other files from the Internet. |
Creates a startup registry entry. |
Contains characteristics of an identified security risk. |

Technical Details:

Possible Security Risk

Security Risk | Description
Worm.AutoRun.GEN | Worm.AutoRun.GEN is a threat that spreads through available drives and is able to automatically execute itself. It also attempts to disable security-related applications based on their filenames.

Threat Category | Description
 | A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment.

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 | c:\AutoRun.inf | 182 bytes | MD5: 0xF01FA973832C51B9CA5A672F8D1E56B3; SHA-1: 0xC8E62EE77CE4D9037B19C17F48FA6AD567FF4B50 | INF.Autorun.Gen [PCTools]; Generic!atr [McAfee]; W32/Autorun-RN [Sophos]
2 | c:\%ComputerName%.exe; %System%\%ComputerName%.exe; [file and pathname of the sample #1] | 907,679 bytes | MD5: 0x689C17C8CACE04D42887E77A3E13BD3C; SHA-1: 0x4ACBF5B6430F91C80F314886688926473E2ADEF0 | Worm.AutoRun [PCTools]; Trojan Horse [Symantec]; BackDoor-DRV.gen.c [McAfee]; Trojan:Win32/Malagent [Microsoft]; Worm.Win32.AutoRun [Ikarus]; Dropper/Malware.907679.B [AhnLab]
3 | %CommonDesktopDir%\Internet Explorer.lnk | 292 bytes | MD5: 0x1AD167DBE70EFB20A821E4179938DD13; SHA-1: 0x0634CB02D512FAD0CE664976B785913D36EBC34B | (not available)
4 | %Favorites%\�� �ٶ���ҳ ��.lnk | 200 bytes | MD5: 0x831A36E6AF3E33B952B144F4B10C67DE; SHA-1: 0xC204FAE6CA10E480F4F9C72CABCDAF2A42C9B92B | (not available)
5 | %Temp%\zhichiku\eAPI.fne | 319,488 bytes | MD5: 0x936745BAC5C873AB1A91478D27894626; SHA-1: 0x9ED92393F95692339CE03A8F1498F80C727E0555 | Generic.dx!di [McAfee]; Trojan-PWS.YKX [Ikarus]
6 | %Temp%\zhichiku\ERawSock.fne | 61,440 bytes | MD5: 0x5E9DF9B0BE83C6543C45D15617D1DBC9; SHA-1: 0x371C7ABDE7418340DC29371F1109515B61A569B1 | (not available)
7 | %Temp%\zhichiku\HtmlView.fne | 217,088 bytes | MD5: 0x4C9E8F81BF741A61915D0D4FC49D595E; SHA-1: 0xD033008B3A0E5D3FC8876E0423EE5509ECB3897C | (not available)
8 | %Temp%\zhichiku\krnln.fnr | 1,101,824 bytes | MD5: 0xCF46BB62A1BA559CEB0FAD7A5D642F28; SHA-1: 0x80B63DD193E84BFACBE535587DD38471B8EA2C24 | (not available)
9 | %Temp%\zhichiku\shell.fne | 40,960 bytes | MD5: 0xD54753E7FC3EA03AEC0181447969C0E8; SHA-1: 0x824E7007B6569AE36F174C146AE1B7242F98F734 | Worm.AutoRun.GEN [PCTools]; W32/Emerleox.worm [McAfee]; W32/AutoRun-MO [Sophos]; Trojan.Win32.AutoRun [Ikarus]
10 | %Windir%\baidu.ico | 2,462 bytes | MD5: 0xEF015E1F87C8D196C454475C100617E7; SHA-1: 0x3E3652A1E3201F6CC28C2F0B3BFA838803CDD9DF | (not available)
11 | %System%\baidu.htm | 853 bytes | MD5: 0xE76B0AA91C0A80EA2F1C641D67468000; SHA-1: 0xA005627D5A633E6B3902456631A1352B9AC648DF | (not available)

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 102,400 bytes
%ComputerName%.exe | %System%\%ComputerName%.exe | 102,400 bytes
%ComputerName%.exe | c:\%ComputerName%.exe | 102,400 bytes

Registry Modifications

Other details

China

Port | Protocol | Process
1035 | UDP | [file and pathname of the sample #1]
1039 | UDP | %ComputerName%.exe (%System%\%ComputerName%.exe)
1042 | UDP | %ComputerName%.exe (%System%\%ComputerName%.exe)

Remote Host | Port Number
www.qq.com | 1036
www.qq.com | 1033
www.qq.com | 1040

Server Name | Server Port | Connect as User | Connection Password
blog.sdchild.com | 80 | (null) | (null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

Copyright © 2014 ThreatExpert. All rights reserved.