ThreatExpert Report: Trojan.Win32.Swisyn, Trojan.Gen, Trojan-Downloader.Win32.Qvod.fu, Generic..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 29 September 2012, 22:08:09
Processing time: 10 min 4 sec
Submitted sample:

File MD5: 0x6DF8EACF71CB8ADEC719BC494A25E715
File SHA-1: 0x46649830097C99A57F5B738825EA1BE21903840E
Filesize: 300,544 bytes
Alias & packer info:

Trojan.Win32.Swisyn [Ikarus]
packed with: PE_Patch.PECompact [Kaspersky Lab]

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Profiles%\LocalService\Favorites\Desktop.ini	122 bytes	MD5: 0xFC2BF37169C033A08C1FD7680193CCE2 SHA-1: 0xB1A6760EEF6E3D7173DDE13AD1C857A5D6BB8DEA	(not available)
2	%Temp%\new_84aaa.exe_C53458B13F644A16A92364FF28674E810693B94F.exe	258,048 bytes	MD5: 0x98A47A067A396D52C8F33CD82D1DF5E4 SHA-1: 0x2C8E3743283615F6F54AFD60806F5476D3E52F06	Trojan.Gen [Symantec] Trojan-Downloader.Win32.Qvod.fu [Kaspersky Lab] Generic Downloader.x!gfx [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Rimod [Microsoft] Trojan-Downloader.Small [Ikarus]
3	%ProgramFiles%\Common Files\rpqrpyrydesk.ini %ProgramFiles%\Common Files\Services\csboytj.au	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
4	%ProgramFiles%\Common Files\Services\csboybind.au	82,432 bytes	MD5: 0x8605916D2758E0F9AE996EB57486A8BA SHA-1: 0x2A0737ADA239D0BC8A9FE7A8645A61A2C78F05BD	(not available)
5	%ProgramFiles%\Common Files\Services\csboyDVD.dll	420,832 bytes	MD5: 0x92DCCBBDF5C5B18E61E89DC320A63144 SHA-1: 0x97EAB16F4FC87D977CF24FEF413E1CD4AE3858F1	Backdoor.Graybird [Symantec] Trojan-Downloader.Win32.Qvod.fu [Kaspersky Lab] Trojan-PWS.Banker6 [Ikarus] packed with PE_Patch.PECompact [Kaspersky Lab]
6	%ProgramFiles%\Common Files\Services\csboyTT.dll	5,061,440 bytes	MD5: 0x66C8797C83FF02AA3A2BC0C9005D27EB SHA-1: 0x2C993380320C6DB197D39E9FB144510B5C001E06	Trojan-Dropper.Agent [Ikarus]
7	%ProgramFiles%\Common Files\Tencent\AMGR8888.dll	5,021,504 bytes	MD5: 0x8237F1F4515FB4668933DF3E8975F8BA SHA-1: 0x763240CC6DDA9C03635CE2D7FB579C487A7F6C16	Win32.SuspectCrc [Ikarus] packed with UPX [Kaspersky Lab]
8	%ProgramFiles%\Common Files\Tencent\svchest.exe	5,082,432 bytes	MD5: 0x370D2BC7598971D7F2B6999BAB4F08AF SHA-1: 0x1B8FEC36D1B206A5AB29461B6C7378B94847BA91	(not available)
9	[file and pathname of the sample #1]	300,544 bytes	MD5: 0x6DF8EACF71CB8ADEC719BC494A25E715 SHA-1: 0x46649830097C99A57F5B738825EA1BE21903840E	Trojan.Win32.Swisyn [Ikarus] packed with PE_Patch.PECompact [Kaspersky Lab]

Notes:

%Profiles% is a variable that refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%Profiles%\LocalService\Favorites
%Profiles%\LocalService\Favorites\Links
%ProgramFiles%\Common Files\Tencent

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
csboyDVD.dll	%ProgramFiles%\common files\services\csboydvd.dll	319,488 bytes
new_84aaa.exe_C53458B13F644A16A92364FF28674E810693B94F.exe	%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe	266,240 bytes
IEXPLORE.EXE	%ProgramFiles%\Internet Explorer\IEXPLORE.EXE	102,400 bytes
AMGR8888.dll	%ProgramFiles%\Common Files\Tencent\AMGR8888.dll	73,728 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	397,312 bytes
csboyTT.dll	%ProgramFiles%\Common Files\Services\csboyTT.dll	98,304 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
diskmanage	windows Disk Manager	"Stopped"	%ProgramFiles%\Common Files\Tencent\AMGR8888.dll

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DISKMANAGE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DISKMANAGE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DISKMANAGE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diskmanage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diskmanage\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diskmanage\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DISKMANAGE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DISKMANAGE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DISKMANAGE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diskmanage
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diskmanage\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diskmanage\Enum
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_USERS\.DEFAULT\Software\Microsoft\IEAK
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ttplay = "%ProgramFiles%\Common Files\Tencent\svchest.exe"
UserFaultCheck = "%System%\dumprep 0 -u"

so that svchest.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DISKMANAGE\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DISKMANAGE\0000]

Service = "diskmanage"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "windows Disk Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DISKMANAGE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diskmanage\Enum]

0 = "Root\LEGACY_DISKMANAGE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diskmanage\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\diskmanage]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%ProgramFiles%\Common Files\Tencent\AMGR8888.dll"
DisplayName = "windows Disk Manager"
ObjectName = "LocalSystem"
Description = "????????????????????????????????Ã¡?????????????????????????????????????????????????Ã£???????????????????????"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DISKMANAGE\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DISKMANAGE\0000]

Service = "diskmanage"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "windows Disk Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DISKMANAGE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diskmanage\Enum]

0 = "Root\LEGACY_DISKMANAGE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diskmanage\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diskmanage]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%ProgramFiles%\Common Files\Tencent\AMGR8888.dll"
DisplayName = "windows Disk Manager"
ObjectName = "LocalSystem"
Description = "????????????????????????????????Ã¡?????????????????????????????????????????????????Ã£???????????????????????"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar]

Locked = 0x00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]

Settings = 0C 00 02 00 0A 01 F8 75 60 00 00 00
FullPath = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]

ShellNext = "http://zong.qqtongji.us:8888/list.htm?list"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Cookies =
Favorites =
History =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

_SHuassist.mtx
????x??x??t^TSBJx?????BUt^TSBJ
???????????????????????????
Iexplore.XPExceptionFilter
A_u_Tj_No123321Exe
qvodplay000000000

The following ports were open in the system:

Port	Protocol	Process
1059	TCP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)
8090	TCP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)
8090	UDP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)
24779	UDP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)
24780	UDP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)
29096	UDP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)
29097	UDP	new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe (%Temp%\new_84aaa.exe_c53458b13f644a16a92364ff28674e810693b94f.exe)

The following Host Names were requested from a host database:

192.5.5.241
track.qvod.com
stun.qvod.com
stun01.sipphone.com
agent.qvod.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
192.5.5.241	1054
agent.qvod.com	1035

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
zong.qqtongji.us	8888	(null)	(null)
vjb.qqtongji.us	8888	(null)	(null)

The data identified by the following URLs was then requested from the remote web server:

http://www.baidu.com/
http://www.sina.com.cn/
http://txi.dx673tg.info:583/bakgdgame/
http://jjbb.jbshahu.com:8800/jb/jbr8.txt

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8888:

00000000 | 4745 5420 2F6A 622E 6874 6D3F 382E 3235 | GET /jb.htm?8.25
00000010 | 3F63 653D 434F 4D50 5554 4552 4E41 4D45 | ?ce=COMPUTERNAME
00000020 | 2663 643D 3133 3434 3136 3030 2663 323D | &cd=13441600&c2=
00000030 | 3126 6334 3D35 3836 2663 373D 3126 6264 | 1&c4=586&c7=1&bd
00000040 | 3D33 3031 3034 2048 5454 502F 312E 310D | =30104 HTTP/1.1.
00000050 | 0A41 6363 6570 743A 202A 2F2A 0D0A 4163 | .Accept: */*..Ac
00000060 | 6365 7074 2D4C 616E 6775 6167 653A 2065 | cept-Language: e
00000070 | 6E2D 7573 0D0A 4163 6365 7074 2D45 6E63 | n-us..Accept-Enc
00000080 | 6F64 696E 673A 2067 7A69 702C 2064 6566 | oding: gzip, def
00000090 | 6C61 7465 0D0A 5573 6572 2D41 6765 6E74 | late..User-Agent
000000A0 | 3A20 4D6F 7A69 6C6C 612F 342E 3020 2863 | : Mozilla/4.0 (c
000000B0 | 6F6D 7061 7469 626C 653B 204D 5349 4520 | ompatible; MSIE
000000C0 | 362E 303B 2057 696E 646F 7773 204E 5420 | 6.0; Windows NT
000000D0 | 352E 313B 2053 5631 3B20 2E4E 4554 2043 | 5.1; SV1; .NET C
000000E0 | 4C52 2032 2E30 2E35 3037 3237 290D 0A48 | LR 2.0.50727)..H
000000F0 | 6F73 743A 206C 6F63 616C 686F 7374 3A38 | ost: localhost:8
00000100 | 3838 380D 0A43 6F6E 6E65 6374 696F 6E3A | 888..Connection:
00000110 | 204B 6565 702D 416C 6976 650D 0A0D 0A   |  Keep-Alive....

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.