ThreatExpert Report: Spyware.Keylogger, Trojan.Win32.VB.yoi, Generic VB.am, Mal/Generic-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 29 November 2009, 02:19:55
Processing time: 6 min 23 sec
Submitted sample:

File MD5: 0x6A9D209CE2B9AA39AC1C5BDA8E516840
File SHA-1: 0x93C08F3CCC1F6DBA9187CD4634FB53A495469320
Filesize: 167,936 bytes
Alias:

Spyware.Keylogger [PCTools]
Spyware.Keylogger [Symantec]
Trojan.Win32.VB.yoi [Kaspersky Lab]
Generic VB.am [McAfee]
Mal/Generic-A [Sophos]
VirTool:Win32/VBInject.BQ [Microsoft]

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Clicker.Small.KJ	Trojan.Clicker.Small.KJ contacts a remote server in order to download additional malware onto a users computer without their knowledge.

Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\bo4tlar.exe %System%\bssqnqen.exe	253,952 bytes	MD5: 0x582ED541D2D177C14A8CD0497F674C04 SHA-1: 0xE9AA724526ECF1A362FD6B68855CA853FB8592AD	Spyware.Keylogger [PCTools] Spyware.Keylogger [Symantec] Trojan.Win32.VB.yoi [Kaspersky Lab] Generic VB.am [McAfee] Mal/Generic-A [Sophos] VirTool:Win32/VBInject.BQ [Microsoft]
2	%Windir%\csrs.exe [file and pathname of the sample #1]	167,936 bytes	MD5: 0x6A9D209CE2B9AA39AC1C5BDA8E516840 SHA-1: 0x93C08F3CCC1F6DBA9187CD4634FB53A495469320	Spyware.Keylogger [PCTools] Spyware.Keylogger [Symantec] Trojan.Win32.VB.yoi [Kaspersky Lab] Generic VB.am [McAfee] Mal/Generic-A [Sophos] VirTool:Win32/VBInject.BQ [Microsoft]

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
csrs.exe	%Windir%\csrs.exe	331,776 bytes
bssqnqen.exe	%System%\bssqnqen.exe	778,240 bytes
bo4tlar.exe	c:\bo4tlar.exe	778,240 bytes

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Windows Services = "csrs.exe"
Windows Service Agent = "bssqnqen.exe"

so that csrs.exe runs every time Windows starts

so that bssqnqen.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

Windows Service Agent = "bssqnqen.exe"

so that bssqnqen.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]

Windows Services = "csrs.exe"

so that csrs.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Windows Service Agent = "bssqnqen.exe"

so that bssqnqen.exe runs every time Windows starts

Other details

The following ports were open in the system:

Port	Protocol	Process
69	UDP	bssqnqen.exe (%System%\bssqnqen.exe)
1053	TCP	csrs.exe (%Windir%\csrs.exe)
1055	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3596	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3597	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3598	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3599	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3600	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3601	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3602	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3603	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3604	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3605	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3606	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3607	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3608	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3609	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3610	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3611	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3612	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3613	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3614	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3615	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3616	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3617	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3618	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3619	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3620	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3621	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3622	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3623	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3624	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3625	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3626	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3627	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3628	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3629	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3630	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3631	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3632	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3633	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3634	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3635	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3636	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3637	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3638	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3639	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3640	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3641	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3642	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3643	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3644	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3645	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3646	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3647	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3648	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3649	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3650	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3651	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3652	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3653	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3654	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
3655	TCP	bssqnqen.exe (%System%\bssqnqen.exe)
57733	TCP	bssqnqen.exe (%System%\bssqnqen.exe)

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
174.132.181.27	6667
72.20.26.183	80

The data identified by the following URL was then requested from the remote web server:

http://www.delicesevdam.net/botistan.exe

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

There was an outbound traffic produced on port 6667:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.