Submission Summary:

• Submission details:
• Submission received: 24 September 2012, 12:33:54
• Processing time: 9 min 32 sec
• Submitted sample:
• File MD5: 0x6EC9A45790674117D2495D79522F117D
• File SHA-1: 0xEF64C26EADB083D2FF35089AA8256452E910A92A
• Filesize: 463,872 bytes
• Alias:
• W32.Sality.AE [Symantec]
• Virus.Win32.Sality.bh [Kaspersky Lab]
• W32/Sality.gen.z [McAfee]
• Mal/Sality-D [Sophos]
• Virus:Win32/Sality.AT [Microsoft]
• Trojan.Win32.CDur [Ikarus]
• Win32/Kashu.E [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%MyDocuments%\MSDCSC\msdcsc.exe [file and pathname of the sample #1]	463,872 bytes	MD5: 0x6EC9A45790674117D2495D79522F117D SHA-1: 0xEF64C26EADB083D2FF35089AA8256452E910A92A	W32.Sality.AE [Symantec] Virus.Win32.Sality.bh [Kaspersky Lab] W32/Sality.gen.z [McAfee] Mal/Sality-D [Sophos] Virus:Win32/Sality.AT [Microsoft] Trojan.Win32.CDur [Ikarus] Win32/Kashu.E [AhnLab]

• Note:
• %MyDocuments% is a variable that refers to the file system directory used to physically store a user's common repository of documents. A typical path is C:\Documents and Settings\[UserName]\My Documents.

• The following file was modified:
• %System%\drivers\etc\hosts

• Notes:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directories were created:
• %AppData%\dclogs
• %MyDocuments%\MSDCSC

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

• There were new processes created in the system:

Registry Modifications

• The following Registry Key was created:
• HKEY_CURRENT_USER\Software\DC3_FEXEC

• The newly created Registry Value is:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• MicroUpdate = "%MyDocuments%\MSDCSC\msdcsc.exe"

so that msdcsc.exe runs every time Windows starts

• The following Registry Value was modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	France

• To mark the presence in the system, the following Mutex objects were created:
• uxJLpe1m
• LEAX
• DC_MUTEX-F54S21D

• The HOSTS file was updated with the following URL-to-IP mapping:

• The following Host Name was requested from a host database:
• killersmille.no-ip.org

• There was registered attempt to establish connection with the remote host. The connection details are:

• There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
• %MyDocuments%\MSDCSC\msdcsc.exe

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 1604: