Submission Summary:

• Submission details:
• Submission received: 30 August 2012, 06:37:54
• Processing time: 8 min 30 sec
• Submitted sample:
• File MD5: 0x6B70AC3E6DCEADCE55F63924C834E2EA
• File SHA-1: 0xDF6A742ABF9427F80E2CE287A4DC8B20F657280A
• Filesize: 868,536 bytes

Technical Details:

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\GuardSupport\GuardConvert.exe	179,232 bytes	MD5: 0x666AFC1F08313201F213130425EBF867 SHA-1: 0x059CF2322F61007F7BC24ECF13EE48694B92F811	PWS-Zbot.gen.aju [McAfee] AdWare.Win32.Hebogo [Ikarus]
2	%AppData%\MicroLab\MyEngin\Common\MicroProCon.exe	105,504 bytes	MD5: 0xA341729E7FB6D5A3B115331B99E70292 SHA-1: 0x75883478FC60DBCE34034C5F9E37AB56968DAD49	AdWare.Win32.Hebogo [Ikarus]
3	%AppData%\MicroLab\MyEngin\Common\Uninstall\IRIMG1.JPG	2,362 bytes	MD5: 0xAF18F3F894BE69733E04750B236E219A SHA-1: 0x8E552822666E75F5B6054787E827FF51D3425A2E	(not available)
4	%AppData%\MicroLab\MyEngin\Common\Uninstall\IRIMG2.JPG	29,054 bytes	MD5: 0xAC40DED6736E08664F2D86A65C47EF60 SHA-1: 0xC352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA	(not available)
5	%AppData%\MicroLab\MyEngin\Common\Uninstall\uninstall.dat	127,656 bytes	MD5: 0xC05CD9714FB343D7BA213E92F36667B9 SHA-1: 0x00AD0CA5A544593E6C697C5222FB41FAC9CBD168	(not available)
6	%AppData%\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe %Temp%\_ir_sf_temp_0\irsetup.exe	580,096 bytes	MD5: 0x3FE7C92DBA5C9240B4AB0D6A87E6166A SHA-1: 0x7980D7DFFC073515B621834246DDA33AB00C308D	packed with UPX [Kaspersky Lab]
7	%AppData%\MicroLab\MyEngin\Common\Uninstall\uninstall.xml	7,371 bytes	MD5: 0xB85F0EC6DACB9F63821A8C4A998803F2 SHA-1: 0x6FE2DA7BBE5829542A3CFE454F773C1AB489C20B	(not available)
8	[file and pathname of the sample #1]	868,536 bytes	MD5: 0x6B70AC3E6DCEADCE55F63924C834E2EA SHA-1: 0xDF6A742ABF9427F80E2CE287A4DC8B20F657280A	(not available)
9	%System%\VB6KO.DLL	102,160 bytes	MD5: 0x84742B5754690ED667372BE561CF518D SHA-1: 0xEF97AA43F804F447498568FC33704800B91A7381	(not available)

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directories were created:
• %AppData%\GuardSupport
• %AppData%\MicroLab
• %AppData%\MicroLab\MyEngin
• %AppData%\MicroLab\MyEngin\Common
• %AppData%\MicroLab\MyEngin\Common\Uninstall
• %Temp%\_ir_sf_temp_0

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	86,016 bytes
irsetup.exe	%Temp%\_ir_sf_temp_0\irsetup.exe	1,576,960 bytes
MicroProCon.exe	%AppData%\MicroLab\MyEngin\Common\MicroProCon.exe	98,304 bytes
guardconvert.exe	%AppData%\guardsupport\guardconvert.exe	172,032 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0
• HKEY_CURRENT_USER\Software\MicroLab

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• MicroLabProc = "%AppData%\MicroLab\MyEngin\Common\MicroProProc.exe -WrsCMHk"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
• DisplayName = "MicroNames Multi Language Convert Service"
• NoModify = 0x00000001
• NoRepair = 0x00000001
• UninstallString = ""%AppData%\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe" "/U:%AppData%\MicroLab\MyEngin\Common\Uninstall\uninstall.xml""
• Publisher = "MicroNames"
• URLInfoAbout = "http://www.hebogo.com"
• HelpLink = "http://www.hebogo.com"
• Contact = "MicroNames Support Department"
• DisplayVersion = "3.0"
• InstallLocation = "%AppData%\MicroLab\SearchEngin\LanguageConvert"
• DisplayIcon = ""%AppData%\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe""
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• MicroLabCon = "%AppData%\MicroLab\MyEngin\Common\MicroProCon.exe -WrsCMHk"

so that MicroProCon.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\MicroLab]
• Owner = "admin"
• USER_NO = "2949"
• S_NO = "2949"
• Version = "0000"
• Ver = "sup"
• Upmom = "Y"
• SUBNAME = "MAIN"
• CURDIR = ""
• Commit = "Y"
• PDR = "asdfaeiqwerh"
• FirstTime = "0"

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Republic of Korea

• The following HTTP URLs were started reading:
• http://220.73.162.2,
• http://220.73.162.7,
• http://220.73.162.8,
• http://220.73.162.11,
• http://220.73.162.12,
• http://220.73.162.13,
• http://220.73.162.15,
• http://220.73.162.16,
• http://220.73.162.17,
• http://220.73.162.19,
• http://220.73.162.22,
• http://220.73.162.23,
• http://220.73.162.24,
• http://220.73.162.25,
• http://220.73.162.26,
• http://220.73.162.27,
• http://220.73.162.28,
• http://220.73.162.29,
• http://220.73.162.30,
• http://220.73.162.31,

• The data identified by the following URLs was then requested from the remote web server:
• http://domainserver.co.kr/Config/ServerList.asp?uno=2949&gubun=2
• http://makevalue.com/Config/ServerList.asp?uno=2949&gubun=2
• http://korserver.com/Config/ServerList.asp?uno=2949&gubun=2
• http://duzip.com/Config/ServerList.asp?uno=2949&gubun=2
• http://koreaserver.kr/Config/ServerList.asp?uno=2949&gubun=2
• http://hostserver.kr/Config/ServerList.asp?uno=2949&gubun=2
• http://itemprice.kr/Config/ServerList.asp?uno=2949&gubun=2
• http://mainserver.kr/Config/ServerList.asp?uno=2949&gubun=2