ThreatExpert Report: Trojan-Dropper.Win32.Mudrop.aui, Trojan.Dropper, StartPage-HR, Mal/Packer..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 7 July 2009, 11:57:36
Processing time: 5 min 24 sec
Submitted sample:

File MD5: 0x6CF94B87CBEABFA0CEC421F3E4827823
File SHA-1: 0x64B0CB8EB9F86B5E8ECB4E2BDA3E2C2DA19CD9CA
Filesize: 31,839 bytes
Alias & packer info:

Trojan.Dropper [Symantec]
Trojan-Dropper.Win32.Mudrop.aui [Kaspersky Lab]
StartPage-HR [McAfee]
Mal/Packer [Sophos]
Trojan-Dropper.Agent [Ikarus]
Dropper/Mudrop.31839 [AhnLab]
packed with: NSPack [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Hosts file modification that may block access to the security web sites.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Rootkit.Farfli.GEN	Rootkit.Farfli.GEN is a rootkit that hides presence in infected machine in order to perform malicious actions without the users knowledge.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A program that downloads files to the local computer that may represent security risk
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	21 bytes	MD5: 0xA149934BDA37C54345A10366AA47FD13 SHA-1: 0x4E45DB9BD2749148E68E55DC5A74E62BB76EDFA5	Generic!atr [McAfee] Win32.SuspectCrc [Ikarus]
2	%Windir%\phpi.dll	45,568 bytes	MD5: 0xDE44E853308496FC0598AC173E5EC275 SHA-1: 0xD4E8750FD3F915E56E9E6272D1EF8337A6D5456C	W32.SillyDC [Symantec] Trojan.Win32.Agent2.jep [Kaspersky Lab] Generic Dropper.gf [McAfee] Trojan:Win32/Dogrobot.F [Microsoft] Trojan.Win32.Agent2 [Ikarus] Win-Trojan/OnlineGameHack.45568.V [AhnLab]
3	%System%\drivers\pcidump.sys	11,904 bytes	MD5: 0x601B3F2466BFA6989B9C7586B5BA54AA SHA-1: 0x454949E35BB28B8C2BF6B05DC27E8B30795A3AD6	Rootkit.Farfli.GEN [PCTools] Hacktool.Rootkit [Symantec] Trojan-Downloader.Win32.Geral.ad [Kaspersky Lab] Generic.dx [McAfee] Troj/RKProc-Fam [Sophos] VirTool:WinNT/Rootkitdrv.DH [Microsoft] Rootkit.Win32.Agent [Ikarus] Win-Trojan/Agent.11904.C [AhnLab]
4	%System%\func.dll	37,888 bytes	MD5: 0xFAEF15E12BDC99FD2D50542B8FDD5C14 SHA-1: 0x67CF79B53E91F069BAA2A12433F5C5A519A74613	Trojan.KillAV [Symantec] Trojan-Downloader.Win32.Geral.ain [Kaspersky Lab] Generic.dx!so [McAfee] Mal/Generic-A [Sophos] TrojanDropper:Win32/Dogrobot.F!dll [Microsoft] Virus.Win32.Agent.BQC [Ikarus] Win-Trojan/Geral.37888.G [AhnLab]
5	[file and pathname of the sample #1]	31,839 bytes	MD5: 0x6CF94B87CBEABFA0CEC421F3E4827823 SHA-1: 0x64B0CB8EB9F86B5E8ECB4E2BDA3E2C2DA19CD9CA	Trojan.Dropper [Symantec] Trojan-Dropper.Win32.Mudrop.aui [Kaspersky Lab] StartPage-HR [McAfee] Mal/Packer [Sophos] Trojan-Dropper.Agent [Ikarus] Dropper/Mudrop.31839 [AhnLab] packed with NSPack [Kaspersky Lab]

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
%System%\drivers\acpiec.sys
%System%\drivers\etc\hosts

Memory Modifications

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
func.dll	%System%\func.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x10000000 - 0x1000C000

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPDATEDATA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPDATEDATA\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "pcidump"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000]

Service = "pcidump"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "pcidump"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "UPDATEDATA"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000]

Service = "UPDATEDATA"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "UPDATEDATA"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum]

0 = "Root\LEGACY_UPDATEDATA\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPDATEDATA\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPDATEDATA]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000000
ImagePath = "%System%\drivers\acpiec.sys"
DisplayName = "UPDATEDATA"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "pcidump"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000]

Service = "pcidump"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "pcidump"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "UPDATEDATA"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000]

Service = "UPDATEDATA"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "UPDATEDATA"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum]

0 = "Root\LEGACY_UPDATEDATA\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000000
ImagePath = "%System%\drivers\acpiec.sys"
DisplayName = "UPDATEDATA"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The HOSTS file was updated with the following URL-to-IP mappings:

127.0.0.1       v.onondown.com.cn
127.0.0.2       ymsdasdw1.cn
127.0.0.3       h96b.info
127.0.0.0       fuck.zttwp.cn
127.0.0.0       www.hackerbf.cn
127.0.0.0       geekbyfeng.cn
127.0.0.0       121.14.101.68
127.0.0.0       ppp.etimes888.com
127.0.0.0       www.bypk.com
127.0.0.0       CSC3-2004-crl.verisign.com
127.0.0.1       va9sdhun23.cn
127.0.0.0       udp.hjob123.com
127.0.0.2       bnasnd83nd.cn
127.0.0.0       www.gamehacker.com.cn
127.0.0.0       gamehacker.com.cn
127.0.0.3       adlaji.cn
127.0.0.1       858656.com
127.1.1.1       bnasnd83nd.cn
127.0.0.1       my123.com
127.0.0.0       user1.12-27.net
127.0.0.1       8749.com
127.0.0.0       fengent.cn
127.0.0.1       4199.com
127.0.0.1       user1.16-22.net
127.0.0.1       7379.com
127.0.0.1       2be37c5f.3f6e2cc5f0b.com
127.0.0.1       7255.com
127.0.0.1       user1.23-12.net
127.0.0.1       3448.com
127.0.0.1       www.guccia.net
127.0.0.1       7939.com
127.0.0.1       a.o1o1o1.nEt
127.0.0.1       8009.com
127.0.0.1       user1.12-73.cn
127.0.0.1       piaoxue.com
127.0.0.1       3n8nlasd.cn
127.0.0.1       kzdh.com
127.0.0.0       www.sony888.cn
127.0.0.1       about.blank.la
127.0.0.0       user1.asp-33.cn
127.0.0.1       6781.com
127.0.0.0       www.netkwek.cn
127.0.0.1       7322.com
127.0.0.0       ymsdkad6.cn
127.0.0.1       localhost
127.0.0.0       www.lkwueir.cn
127.0.0.1       06.jacai.com
127.0.1.1       user1.23-17.net
127.0.0.1       1.jopenkk.com
127.0.0.0       upa.luzhiai.net
127.0.0.1       1.jopenqc.com
127.0.0.0       www.guccia.net
127.0.0.1       1.joppnqq.com
127.0.0.0       4m9mnlmi.cn
127.0.0.1       1.xqhgm.com
127.0.0.0       mm119mkssd.cn
127.0.0.1       100.332233.com
127.0.0.0       61.128.171.115:8080
127.0.0.1       121.11.90.79
127.0.0.0       www.1119111.com
127.0.0.1       121565.net
127.0.0.0       win.nihao69.cn
127.0.0.1       125.90.88.38
127.0.0.1       16888.6to23.com
127.0.0.1       2.joppnqq.com
127.0.0.0       puc.lianxiac.net
127.0.0.1       204.177.92.68
127.0.0.0       pud.lianxiac.net
127.0.0.1       210.74.145.236
127.0.0.0       210.76.0.133
127.0.0.1       219.129.239.220
127.0.0.0       61.166.32.2
127.0.0.1       219.153.40.221
127.0.0.0       218.92.186.27
127.0.0.1       219.153.46.27
127.0.0.0       www.fsfsfag.cn
127.0.0.1       219.153.52.123
127.0.0.0       ovo.ovovov.cn
127.0.0.1       221.195.42.71
127.0.0.0       dw.com.com
127.0.0.1       222.73.218.115
127.0.0.1       203.110.168.233:80
127.0.0.1       3.joppnqq.com
127.0.0.1       203.110.168.221:80
127.0.0.1       363xx.com
127.0.0.1       www1.ip10086.com.cm
127.0.0.1       4199.com
127.0.0.1       blog.ip10086.com.cn
127.0.0.1       43242.com
127.0.0.1       www.ccji68.cn
127.0.0.1       5.xqhgm.com
127.0.0.0       t.myblank.cn
127.0.0.1       520.mm5208.com
127.0.0.0       x.myblank.cn
127.0.0.1       59.34.131.54
127.0.0.1       210.51.45.5
127.0.0.1       59.34.198.228
127.0.0.1       www.ew1q.cn
127.0.0.1       59.34.198.88
127.0.0.1       59.34.198.97
127.0.0.1       60.190.114.101
127.0.0.1       60.190.218.34
127.0.0.0       qq-xing.com.cn
127.0.0.1       60.191.124.252
127.0.0.1       61.145.117.212
127.0.0.1       61.157.109.222
127.0.0.1       75.126.3.216
127.0.0.1       75.126.3.217
127.0.0.1       75.126.3.218
127.0.0.0       59.125.231.177:17777
127.0.0.1       75.126.3.220
127.0.0.1       75.126.3.221
127.0.0.1       75.126.3.222
127.0.0.1       772630.com
127.0.0.1       832823.cn
127.0.0.1       8749.com
127.0.0.1       888.jopenqc.com
127.0.0.1       89382.cn
127.0.0.1       8v8.biz
127.0.0.1       97725.com
127.0.0.1       9gg.biz
127.0.0.1       www.9000music.com
127.0.0.1       test.591jx.com
127.0.0.1       a.topxxxx.cn
127.0.0.1       picon.chinaren.com
127.0.0.1       www.5566.net
127.0.0.1       p.qqkx.com
127.0.0.1       news.netandtv.com
127.0.0.1       z.neter888.cn
127.0.0.1       b.myblank.cn
127.0.0.1       wvw.wokutu.com
127.0.0.1       unionch.qyule.com
127.0.0.1       www.qyule.com
127.0.0.1       it.itjc.cn
127.0.0.1       www.linkwww.com
127.0.0.1       vod.kaicn.com
127.0.0.1       www.tx8688.com
127.0.0.1       b.neter888.cn
127.0.0.1       promote.huanqiu.com
127.0.0.1       www.huanqiu.com
127.0.0.1       www.haokanla.com
127.0.0.1       play.unionsky.cn
127.0.0.1       www.52v.com
127.0.0.1       www.gghka.cn
127.0.0.1       icon.ajiang.net
127.0.0.1       new.ete.cn
127.0.0.1       www.stiae.cn
127.0.0.1       o.neter888.cn
127.0.0.1       comm.jinti.com
127.0.0.1       www.google-analytics.com
127.0.0.1       hz.mmstat.com
127.0.0.1       www.game175.cn
127.0.0.1       x.neter888.cn
127.0.0.1       z.neter888.cn
127.0.0.1       p.etimes888.com
127.0.0.1       hx.etimes888.com
127.0.0.1       abc.qqkx.com
127.0.0.1       dm.popdm.cn
127.0.0.1       www.yl9999.com
127.0.0.1       www.dajiadoushe.cn
127.0.0.1       v.onondown.com.cn
127.0.0.1       www.interoo.net
127.0.0.1       bally1.bally-bally.net
127.0.0.1       www.bao5605509.cn
127.0.0.1       www.rty456.cn
127.0.0.1       www.werqwer.cn
127.0.0.1       1.360-1.cn
127.0.0.1       user1.23-16.net
127.0.0.1       www.guccia.net
127.0.0.1       www.interoo.net
127.0.0.1       upa.netsool.net
127.0.0.1       js.users.51.la
127.0.0.1       vip2.51.la
127.0.0.1       web.51.la
127.0.0.1       qq.gong2008.com
127.0.0.1       2008tl.copyip.com
127.0.0.1       tla.laozihuolaile.cn
127.0.0.1       www.tx6868.cn
127.0.0.1       p001.tiloaiai.com
127.0.0.1       s1.tl8tl.com
127.0.0.1       s1.gong2008.com
127.0.0.1       4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1       2be37c5f.3f6e2cc5f0b.com

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.