ThreatExpert Report: Trojan.Win32.ServStart

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 17 August 2012, 00:13:29
Processing time: 7 min 41 sec
Submitted sample:

File MD5: 0x70B3D80534DCE41AADC0FA113FB6B7F6
File SHA-1: 0xB689DE742FCF24A00C008F23C2CBB6AE8743C23B
Filesize: 15,893 bytes
Alias & packer info:

Trojan.Win32.ServStart [Ikarus]
packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\SOFTWARE.LOG %System%\vipxie.exe	15,893 bytes	MD5: 0x70B3D80534DCE41AADC0FA113FB6B7F6 SHA-1: 0xB689DE742FCF24A00C008F23C2CBB6AE8743C23B	Trojan.Win32.ServStart [Ikarus] packed with UPX [Kaspersky Lab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
vipxie.exe	%System%\vipxie.exe	81,920 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
mtpjhaefqz	aauldrchjccdyrfvvriv	"Running"	%System%\vipxie.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTPJHAEFQZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTPJHAEFQZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTPJHAEFQZ\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtpjhaefqz
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtpjhaefqz\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtpjhaefqz\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTPJHAEFQZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTPJHAEFQZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTPJHAEFQZ\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtpjhaefqz
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtpjhaefqz\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtpjhaefqz\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTPJHAEFQZ\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "mtpjhaefqz"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTPJHAEFQZ\0000]

Service = "mtpjhaefqz"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "aauldrchjccdyrfvvriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTPJHAEFQZ]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtpjhaefqz\Enum]

0 = "Root\LEGACY_MTPJHAEFQZ\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtpjhaefqz\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtpjhaefqz]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\vipxie.exe"
DisplayName = "aauldrchjccdyrfvvriv"
ObjectName = "LocalSystem"
Description = "uyeegfivdrcygurqdredakubnfgupr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTPJHAEFQZ\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "mtpjhaefqz"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTPJHAEFQZ\0000]

Service = "mtpjhaefqz"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "aauldrchjccdyrfvvriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTPJHAEFQZ]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtpjhaefqz\Enum]

0 = "Root\LEGACY_MTPJHAEFQZ\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtpjhaefqz\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtpjhaefqz]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\vipxie.exe"
DisplayName = "aauldrchjccdyrfvvriv"
ObjectName = "LocalSystem"
Description = "uyeegfivdrcygurqdredakubnfgupr"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

mtpjhaefqz

The following ports were open in the system:

Port	Protocol	Process
1033	TCP	vipxie.exe (%System%\vipxie.exe)
1034	TCP	vipxie.exe (%System%\vipxie.exe)

The following Host Names were requested from a host database:

192.5.5.241
www.sfbazhu.com
rat2.100geili.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
www.sfbazhu.com	718
rat2.100geili.com	8000

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 718:

00000000 | 6401 0000 7700 0000 4500 6E00 6700 6C00 | d...w...E.n.g.l.
00000010 | 6900 7300 6800 2000 2800 5500 6E00 6900 | i.s.h. .(.U.n.i.
00000020 | 7400 6500 6400 2000 5300 7400 6100 7400 | t.e.d. .S.t.a.t.
00000030 | 6500 7300 2900 0000 0000 0000 0000 0000 | e.s.)...........
00000040 | 0000 0000 0000 0000 434F 4D50 5554 4552 | ........COMPUTER
00000050 | 4E41 4D45 0000 0000 0000 0000 0000 0000 | NAME............
00000060 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000070 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000080 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000090 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000A0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000B0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000C0 | 0000 0000 0000 0000 5769 6E58 5000 0000 | ........WinXP...
000000D0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000E0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000F0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000100 | 0000 0000 0000 0000 3235 3620 4D42 0000 | ........256 MB..
00000110 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000120 | 0000 0000 0000 0000 3239 3939 204D 487A | ........2999 MHz
00000130 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000140 | 0000 0000 0000 0000 38D4 C231 30C8 D500 | ........8..10...
00000150 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000160 | 0000 0000 0000 0000 847B 0100           | .........{..

There was an outbound traffic produced on port 8000:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.