ThreatExpert Report: Trojan-Downloader.Win32.Agent.afxd, Downloader-AZN.ini..

Submission Summary:

Submission details:

Submission received: 14 September 2008, 23:07:21
Processing time: 8 min 21 sec
Submitted sample:

File MD5: 0x71EB4DB6DA3338655C1EC3CB48489D03
File SHA-1: 0x4453C1F9A1282F9E10805EB2317B27B035E85FA4
Filesize: 1,018,505 bytes
Alias: Trojan-Downloader.Win32.Agent.afxd [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.Sogou	Adware.Sogou comes bundled with various trojans and is secretly installed onto the unsuspecting users computer. It produces pop-up and pop-under advertisements.

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A program that downloads files to the local computer that may represent security risk
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AllUsersProfile%\lljydf16.ini	179 bytes	MD5: 0x56D7EF01B4F6F3D5446CA231806E1027 SHA-1: 0xD4208C05DDE478B8CF03294718787B0F638558ED	Downloader-AZN.ini [McAfee]
2	%Temp%\ad7291.exe	137,415 bytes	MD5: 0xFFA6C61EC81B49900913FC1F901CC586 SHA-1: 0x3ECD7E3D34B18FE7730492E801B65E3BB5951F72	not-a-virus:AdWare.Win32.BHO.cst [Kaspersky Lab] Generic PUP.x [McAfee]
3	%Temp%\be2.exe	42,543 bytes	MD5: 0xBB8EB16DD638A3635FA2FCB729EE6C4C SHA-1: 0x6B7F3852BC4871176E1FE96BA98612084B809C06	(not available)
4	%Temp%\msn036.exe	274,161 bytes	MD5: 0x42A551E9E9C3C3F1D1824438702B8145 SHA-1: 0xA8562968D3E76C952AE72B0696ED062B410186B5	not-a-virus:AdWare.Win32.Cinmus.snf [Kaspersky Lab]
5	%Temp%\msn061.exe	142,997 bytes	MD5: 0x53906A710E88FFF678D9C0078CD3543D SHA-1: 0x84CA8F290FD979CCBAE82A7844B5B15C12CCA5FF	Trojan.Cinmeng [Symantec] not-a-virus:AdWare.Win32.Cinmus.snf [Kaspersky Lab] Adware-Cinmus [McAfee]
6	%Temp%\Oct2008.exe	49,152 bytes	MD5: 0x4E00A61D8A672245B97631370483D95C SHA-1: 0x8CAC9183BC5A318F676BC634D926F304C7C84DC0	Downloader [Symantec] TROJ_DLOADR.DJ [Trend Micro]
7	%Temp%\Oct2008.txt	31 bytes	MD5: 0x1A00CB49C8EC0FC7DDAB77227610222F SHA-1: 0x00F820D4BE194EA943361FA30E7544AFE3C8282F	(not available)
8	%ProgramFiles%\Common Files\PushWare\cpush.dll	192,512 bytes	MD5: 0x4CD57C3156308360F7BA7CFDB9AACE01 SHA-1: 0x2D0B97097E12E7AD5F12294184F6F2E98CDECC4E	Adware.Sogou [PCTools] Adware.CPush [Symantec] not-a-virus:AdWare.Win32.BHO.cst [Kaspersky Lab] AdClicker-BJ [McAfee] TROJ_ADCLICK.CI [Trend Micro] Troj/AdClick-ER [Sophos]
9	%ProgramFiles%\Common Files\PushWare\Uninst.exe	33,058 bytes	MD5: 0xD10F0D03BD7E1C981874FE932E23E55B SHA-1: 0x9B08F8A87ED06F1749BF8C343DEC8EC0389DFC4C	(not available)
10	%Windir%\system\llzjy080913.exe %System%\0914\1.exe	33,284 bytes	MD5: 0xF39412D71BCC46E35D315C1B5479DA88 SHA-1: 0xFD513D5F8528AB9AD7A854C6E7098BD31583CE0D	W32.SillyDC [Symantec] New Malware.aj [McAfee]
11	%Windir%\system\mzjj32dla.dll	51,200 bytes	MD5: 0x130DF8B80ABB4176130BAF65DC5B203A SHA-1: 0xEAF3E9B291EC51BB6523B685DEE48F955F019F22	Downloader-AZN [McAfee] Mal/Delf-M [Sophos]
12	%System%\0914\007.exe	32,192 bytes	MD5: 0xAABAEB5464C35201FDD27AE1E6A7DC69 SHA-1: 0xA5D10B9D946E62EA472FE39DCBFBC81367E42A6D	W32.SillyDC [Symantec] Trojan-Spy.Win32.Pophot.cjd [Kaspersky Lab] New Malware.aj [McAfee]
13	%System%\0914\1346.exe	306,498 bytes	MD5: 0x0E80BA736838890AC0D92872281CF172 SHA-1: 0x39144869048A3A7E4C895170042CA9C1CB6EFD79	not-a-virus:AdWare.Win32.BHO.cst, not-a-virus:AdWare.Win32.Cinmus.snf [Kaspersky Lab] Generic PUP.x [McAfee]
14	%System%\0914\456456.exe	31,852 bytes	MD5: 0x0148FDF4519C8C7EF5A5F611DCED96B4 SHA-1: 0xC446F5CBB6987034D232D1D100EAF90C62A994E6	W32.SillyDC [Symantec] New Malware.aj [McAfee]
15	%System%\0914\css.bat	520 bytes	MD5: 0x710C0A4508FA8598644B70243FE5D1B8 SHA-1: 0xDA8CF42BB67789271BD4CB1179BAA6FD2D2ED56F	(not available)
16	%System%\0914\file.exe	8,192 bytes	MD5: 0x600F43263193878EFC6665323C95DBBB SHA-1: 0x7005CD126618F0501EE07F31B358CA86BBBAA246	Trojan-Downloader.Win32.Agent.afxd [Kaspersky Lab]
17	%System%\0914\GFRE876.exe	176,354 bytes	MD5: 0x4F292A454A454CA738499714309DA442 SHA-1: 0x5D4F783D9B4C2CB32A4F987E8F4F244AF3DD779A	(not available)
18	%System%\0914\mm.exe	14,662 bytes	MD5: 0x0234FABF404A9D740D8DE5E431C62674 SHA-1: 0x943D41DD48FB0BCA38733204728A103822A216DF	Packed.Generic.181 [Symantec] New Malware.dw [McAfee] Mal/Behav-160, Mal/Emogen-E, Mal/Behav-009, Mal/Basine-C [Sophos]
19	%System%\0914\msn080.exe	143,114 bytes	MD5: 0x350A1FC746F7EE5C83F807533131ED8A SHA-1: 0x86A0CA0EA16FFFFCA8A9C8F102A91B4D9C9B42D5	not-a-virus:AdWare.Win32.Cinmus.snf [Kaspersky Lab]
20	%System%\0914\sachwqqp.exe	31,860 bytes	MD5: 0xFF82F052AE7378E74A39E3C4A9DE2578 SHA-1: 0x9574B8C3A9AE0FCBAD10B97518EF2C32824A35CE	W32.SillyDC [Symantec] New Malware.aj [McAfee]
21	%System%\0914\Setup707.exe	77,312 bytes	MD5: 0x98201F8B069FBC025B11808692F4704B SHA-1: 0xCF32C255258684377EF9B8AC6D7A41207727F2C9	Downloader [Symantec] Mal/Basine-C [Sophos]
22	%System%\0914\svchwst.exe	48,317 bytes	MD5: 0xB081C1F55E10AB7F349C16DB2718619C SHA-1: 0xF329673783FAA308844E53763DB69A2A4D1255C9	Mal/Emogen-N, Mal/Heuri-E, Mal/Emogen-F [Sophos]
23	%System%\0914\wd.exe	364,544 bytes	MD5: 0xB5166E8606066B0481C86244AB3E2424 SHA-1: 0xE3D6E314AE1A09C48FB06887449EADD5C7FD17C4	Trojan Horse [Symantec]
24	[file and pathname of the sample #1]	1,018,505 bytes	MD5: 0x71EB4DB6DA3338655C1EC3CB48489D03 SHA-1: 0x4453C1F9A1282F9E10805EB2317B27B035E85FA4	not-a-virus:AdWare.Win32.Cinmus.snf, Trojan-Spy.Win32.Pophot.cjd, Trojan-Downloader.Win32.Agent.afxd [Kaspersky Lab]

Notes:

%AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%ProgramFiles%\Common Files\PushWare
%System%\0914

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
008.exe	%System%\0914\008.exe	180,224 bytes
1.exe	%System%\0914\1.exe	188,416 bytes
be2.exe	%Temp%\be2.exe	188,416 bytes
msn036.exe	%Temp%\msn036.exe	188,416 bytes
Oct2008.exe	%Temp%\Oct2008.exe	49,152 bytes
msn061.exe	%Temp%\msn061.exe	200,704 bytes
007.exe	%System%\0914\007.exe	180,224 bytes
002.exe	%System%\0914\002.exe	180,224 bytes
1346.exe	%System%\0914\1346.exe	188,416 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	135,168 bytes
ad7291.exe	%Temp%\ad7291.exe	3,854,336 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
cpush.dll	%ProgramFiles%\Common Files\PushWare\cpush.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFB0000
mzjj32dla.dll	%Windir%\system\mzjj32dla.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1FA0000 - 0x1FB1000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentMatch
HKEY_LOCAL_MACHINE\SOFTWARE\cpush
HKEY_LOCAL_MACHINE\SOFTWARE\cpush\update
HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins
HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins\Common

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID]

(Default) = "NewzPushsPuopAd.BCLogc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib]

(Default) = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID]

(Default) = "NewzPushsPuopAd.BCLogc.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32]

(Default) = "%ProgramFiles%\Common Files\PushWare\cpush.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]

(Default) = "CAdLogic Object"
AppID = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID]

(Default) = "NewAdPopup.ToolbarDetector"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib]

(Default) = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID]

(Default) = "NewAdPopup.ToolbarDetector.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32]

(Default) = "%ProgramFiles%\Common Files\PushWare\cpush.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}]

(Default) = "CToolbarDetector Object"
AppID = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID]

(Default) = "NewvCocoMediazPop.PopCoco"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib]

(Default) = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID]

(Default) = "NewvCocoMediazPop.PopCoco.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32]

(Default) = "%ProgramFiles%\Common Files\PushWare\cpush.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}]

(Default) = "CPopupBlock Object"
AppID = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib]

(Default) = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}]

(Default) = "IAdLogic"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib]

(Default) = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}]

(Default) = "IToolbarDetector"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib]

(Default) = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}]

(Default) = "IPopupBlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32]

(Default) = "%ProgramFiles%\Common Files\PushWare\cpush.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\Common Files\PushWare\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0]

(Default) = "NewAdPopup 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer]

(Default) = "NewAdPopup.ToolbarDetector.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID]

(Default) = "{34A12A06-48C0-420D-8F11-73552EE9631A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector]

(Default) = "CToolbarDetector Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID]

(Default) = "{34A12A06-48C0-420D-8F11-73552EE9631A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1]

(Default) = "CToolbarDetector Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco\CurVer]

(Default) = "NewvCocoMediazPop.PopCoco.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco\CLSID]

(Default) = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco]

(Default) = "CPopupBlock Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco.1\CLSID]

(Default) = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewvCocoMediazPop.PopCoco.1]

(Default) = "CPopupBlock Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc\CurVer]

(Default) = "NewzPushsPuopAd.BCLogc.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc\CLSID]

(Default) = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc]

(Default) = "CAdLogic Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc.1\CLSID]

(Default) = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewzPushsPuopAd.BCLogc.1]

(Default) = "CAdLogic Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]

(Default) = "AdPopup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

dlnjjdfa = "%Windir%\system\llzjy080913.exe"

so that llzjy080913.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentMatch]

DisplayName = "PopUp Ads"
UninstallString = "%ProgramFiles%\Common Files\PushWare\Uninst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\cpush\update]

Ad_Version = "1,1,0,3"

[HKEY_LOCAL_MACHINE\SOFTWARE\cpush]

UserID = "{E88AF99D-4C58-45F1-8731-9736938CFB55}"

[HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins\Common]

param = "sid=ad"
size = 0x010F5EBB

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Check_Associations = "no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

EnableAutodial = 0x00000000

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

CheckedValue = 0x00000000

so that hidden files and folders are not displayed in explorer when browsing the file system

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

52D77ECE7B32424dB93B9A6EFBDDB0DF

The following Host Names were requested from a host database:

192.168.1.164
push.cpushpop.com

The data identified by the following URLs was then requested from the remote web server:

http://china.ic-soft.cn/be2.exe
http://update.cpushpop.com/cpush/version.txt
http://www.xxifw.cn/8888/mydown.asp?ver=080913&tgid=1&address=00-00-00-00-00-00

Downloaded File Summary:

Download details:

Download retrieved: 14 September 2008 23:16:58
Processing time: 6 min 40 sec
Downloaded sample:

File MD5: 0x6FE8BE0E022FFE9A4830E0CD32B14DDB
File SHA-1: 0x870043015194AF1BD903AE72E905D325736AA599
Filesize: 59,051 bytes
Alias:

Trojan-Downloader.Win32.Tibs.kmq [Kaspersky Lab]
TrojanDownloader:Win32/Pakernat.A [Microsoft]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Rbot	Backdoor.Rbot will open ports on an infected computer and connect to a remote server which will subsequently steal user information including but not limited to application and CD registration keys.

Attention! The following threat category was identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\adv439.exe	7,011 bytes	MD5: 0xE00A44163A27F76907E45BE400CDBBED SHA-1: 0xE89BEBA39E9C0A889D0005B66FCFEA8AC264836E	Trojan:Win32/Anomaly.gen!G [Microsoft]
2	%Temp%\load.exe	10,240 bytes	MD5: 0x785D00517E94BB814F3DC9EDEB8E593C SHA-1: 0x3DC0D361E7AAB190CCFD24AF0C2FF1CBE8C76040	Mal/TibsPak [Sophos] TrojanDownloader:Win32/Pakernat.A [Microsoft]
3	%Temp%\newwin32.exe %System%\update32.exe	15,872 bytes	MD5: 0xDE395C6704FDC5C93731087F6735E0D5 SHA-1: 0x46C696F16B3AF7C3C9D4021C55886DADDC2B2AB0	Trojan-Downloader.Win32.Tibs.kmq [Kaspersky Lab] Mal/TibsPak, Mal/Dorf-E [Sophos] Trojan:Win32/Tibs.LD [Microsoft]
4	%System%\dlds8.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
5	[file and pathname of the sample #1]	59,051 bytes	MD5: 0x6FE8BE0E022FFE9A4830E0CD32B14DDB SHA-1: 0x870043015194AF1BD903AE72E905D325736AA599	Trojan-Downloader.Win32.Tibs.kmq [Kaspersky Lab] TrojanDownloader:Win32/Pakernat.A [Microsoft]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
adv439.exe	%Temp%\adv439.exe	20,480 bytes
newwin32.exe	%Temp%\newwin32.exe	24,576 bytes
load.exe	%Temp%\load.exe	45,056 bytes
update32.exe	%System%\update32.exe	24,576 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	188,416 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

System32 = "%System%\update32.exe"

so that update32.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001

to prevent users from starting Task Manager (Taskmgr.exe)

Other details

To mark the presence in the system, the following Mutex objects were created:

DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__

The data identified by the following URLs was then requested from the remote web server:

http://zief.pl/rc/ld.php?i=4
http://aaqarkznvb.com/progs/xzsgthu/rnxxyyz.php?adv=adv439
http://aaqarkznvb.com/progs/xzsgthu/xgdrnrfsp.php
http://bajfotqwuh.net/progs/xzsgthu/xgdrnrfsp.php
http://aaqarkznvb.com/progs/xzsgthu/jgqqdreiw
http://bajfotqwuh.net/progs/xzsgthu/jgqqdreiw
http://v2count.net/cc/ccdo.php?affid=9
http://v2count.net/cc/srtytrewqertytrew.php?affid=9&code1=HNLJ&code2=1173
http://v2count.net/out/search.jpg
http://v2count.net/out/winlogon.jpg
http://v2count.net/out/tibs.jpg
http://v2count.net/out/tool.jpg
http://v2count.net/out/proxy.jpg

Downloaded File Summary (Generation #2):

Download details:

Download retrieved: 14 September 2008 23:45:13
Processing time: 6 min 21 sec
Downloaded sample #1:

File MD5: 0x102FF59F4530E084005A2E04B768E9C1
File SHA-1: 0xCE177C806F37945EA7786116479D5B4D3FF2F07C
Filesize: 705 bytes
Alias:

Downloaded sample #2:

File MD5: 0x9F6F4547E0B73AFA6B8F9E5AD597F4DE
File SHA-1: 0x3FA4913AEA851057F44D1450B8AB65657B603A6A
Filesize: 7,325 bytes
Alias:

Mal/TibsPak [Sophos]
Trojan:Win32/Anomaly.gen!G [Microsoft]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.NUS	Trojan-Downloader.NUS tries to contact a remote server in order to download additional malware onto a users computer without their knowledge.

Attention! The following threat category was identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	705 bytes	MD5: 0x102FF59F4530E084005A2E04B768E9C1 SHA-1: 0xCE177C806F37945EA7786116479D5B4D3FF2F07C	Trojan-Downloader.NUS [PCTools] Generic Packed [McAfee] Troj/Agent-HAP [Sophos]
2	[file and pathname of the sample #2]	7,325 bytes	MD5: 0x9F6F4547E0B73AFA6B8F9E5AD597F4DE SHA-1: 0x3FA4913AEA851057F44D1450B8AB65657B603A6A	Mal/TibsPak [Sophos] Trojan:Win32/Anomaly.gen!G [Microsoft]

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #2]	[file and pathname of the sample #2]	16,384 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	20,480 bytes

Other details

To mark the presence in the system, the following Mutex objects were created:

DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.