ThreatExpert Report: Trojan-Downloader.Win32.BHO.ckg, Trojan.Dropper, Virus.Trojan.Win32.BHO.egw..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 23 January 2009, 05:49:41
Processing time: 7 min 37 sec
Submitted sample:

File MD5: 0x7344C2B0965AC4141867F0A4B935BF96
File SHA-1: 0x03BBDE18F46A5FB2CE7D781288B2914DBABCD027
Filesize: 259,946 bytes
Alias:

Trojan.Dropper [Symantec]
Trojan-Downloader.Win32.BHO.ckg [Kaspersky Lab]
Virus.Trojan.Win32.BHO.egw [Ikarus]

Summary of the findings:

What's been found	Severity Level
Attempts to use BITS (Background Intelligent Transfer Service). Some threats are known to use BITS to evade firewall filtering and download files without firewall inspection.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\Microsoft\bits.dll	48,640 bytes	MD5: 0x5E5E6D08D90365C287A33E39609F77EA SHA-1: 0x626C166A6307DA11E2AE7E0A3F6F6638B738481A	(not available)
2	%CommonAppData%\Microsoft\ipdll.dll	155,648 bytes	MD5: 0xFCAA14A0D2ACAF7A6C5EC151CA6A0287 SHA-1: 0x66922555A22F7F838049A4F5921679EFF76AB4D1	(not available)
3	%CommonAppData%\Microsoft\Network\Downloader\qmgr0.dat	4,232 bytes	MD5: 0xEBF86B61161ECE55EDA81370FBB6FA0F SHA-1: 0x2920EAFF4EDB1B70194AF5F264E8B2111D934F09	(not available)
4	%CommonAppData%\Microsoft\Network\Downloader\qmgr1.dat	5,532 bytes	MD5: 0x23CC92E3B4C550330E8736A5A151F81F SHA-1: 0xB772BFD8F898FCBB6C68815D566EF2443134F7CD	(not available)
5	%AppData%\Microsoft\profile.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
6	%DesktopDir%\Cheap Pharmacy Online.lnk	1,088 bytes	MD5: 0x39C078CF0BC3E2C71F2BAD67657C7AD8 SHA-1: 0xA76EBF42AC6A52A67494B4395699B06155B200D1	(not available)
7	%DesktopDir%\Cheap Software.lnk	1,134 bytes	MD5: 0x6A56B0D26AF3B2292DDF0D96C0BBA3AA SHA-1: 0x15E195F6B77A405A6CAFC632EE8C31EDAB7AF659	(not available)
8	%DesktopDir%\MP3 Download.lnk	1,112 bytes	MD5: 0x23FD5BC9C39F156E4F2953C486F3B9DB SHA-1: 0x9C1169F0C6965ACC13D0EBBFA731ABB4F9566F87	(not available)
9	%DesktopDir%\SMS TRAP.lnk	1,092 bytes	MD5: 0x329CA823DD31C55D2B782B655498628F SHA-1: 0xF46BD63F8390A00BF14350A1226A6BCC1CA3FEF7	(not available)
10	%DesktopDir%\VIP Casino.lnk	1,152 bytes	MD5: 0x53C119C7AF1B2602C8B8BA5477F09C81 SHA-1: 0xC37923B0B180C87996042A71D91F6CBAFC46EB26	(not available)
11	%Temp%\nsb2.tmp\System.dll	10,240 bytes	MD5: 0xBF01B2D04E8FAD306BA2F364CFC4EDFA SHA-1: 0x58F42B45CA9FC1818C4498ECD8BAC088D20F2B18	(not available)
12	%ProgramFiles%\CMVideoPlugin\setup.exe	112,128 bytes	MD5: 0x7D2E46CD52F31785B85BD94C053A226C SHA-1: 0xAF266DB3C5EAC330F66CE1331AF5E454E77155E8	packed with PE_Patch.UPX [Kaspersky Lab]
13	%System%\c.ico	13,942 bytes	MD5: 0x18DF9FDAFC6812C34AFED02BBDEB7D25 SHA-1: 0x0A5707A1352C37B697765C2CF5BEDE6FABD3CF1E	(not available)
14	%System%\CMVideo.dll	151,552 bytes	MD5: 0x2B894B09059A7530F8218764E8A0EBB3 SHA-1: 0x696EE3781DE84BBEF5B2BC203A3D5EB618D3AFE8	Downloader [Symantec] Trojan-Downloader.Win32.BHO.ckg [Kaspersky Lab] Trojan.Win32.Zlob.AR [Ikarus]
15	%System%\m.ico	7,662 bytes	MD5: 0xDC71B2FF68AC3A9153E4586A34BD0C8E SHA-1: 0xB62AA3D77F42F420E7593723078319B1AC584103	(not available)
16	%System%\m3.ico	13,942 bytes	MD5: 0x746A3C7197DFD595DDBBF55E07586EE6 SHA-1: 0x6B5A2E852EF723FD316709E12FEE2B0E60A400F4	(not available)
17	%System%\p.ico	11,062 bytes	MD5: 0x446B154E1239F4FC7FC4DBF56B5AE4B8 SHA-1: 0xCC6C18515CE431F340F3350B7683BFA992D1AA5E	(not available)
18	[file and pathname of the sample #1]	259,946 bytes	MD5: 0x7344C2B0965AC4141867F0A4B935BF96 SHA-1: 0x03BBDE18F46A5FB2CE7D781288B2914DBABCD027	Trojan.Dropper [Symantec] Trojan-Downloader.Win32.BHO.ckg [Kaspersky Lab] Virus.Trojan.Win32.BHO.egw [Ikarus]
19	%System%\sf.ico	21,446 bytes	MD5: 0xE41398599267A1544989BEDA52E8046E SHA-1: 0xEAAA16D9A2A67BE11F7608365265B9A4F1935E1B	(not available)
20	%System%\svcnost.exe	57,344 bytes	MD5: 0x86C6BA456E76D3D4ECDE0345B6E2993F SHA-1: 0xA5170A85BC39A68BB36061F586E7DE03F2A1B517	Trojan:Win32/Zlob.GL [Microsoft]

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonAppData%\Microsoft\Network\Downloader
%Temp%\nsb2.tmp
%ProgramFiles%\CMVideoPlugin

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
svcnost.exe	%System%\svcnost.exe	65,536 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	237,568 bytes
setup.exe	%ProgramFiles%\CMVideoPlugin\setup.exe	331,776 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
CMVideo.dll	%System%\CMVideo.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFA6000
ipdll.dll	%CommonAppData%\Microsoft\ipdll.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x2740000 - 0x276B000

The following system service was modified:

Service Name	Display Name	New Status	Service Filename
BITS	Background Intelligent Transfer Service	"Running"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\CMVideo.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D14760D1-4702-45FD-BF33-171BCA9B546B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}
HKEY_CURRENT_USER\Software\CMVideoPlugin

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\CMVideo.DLL]

AppID = "{D14760D1-4702-45FD-BF33-171BCA9B546B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D14760D1-4702-45FD-BF33-171BCA9B546B}]

(Default) = "CMVideo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\VersionIndependentProgID]

(Default) = "CMVideo.XMLDOMDocumentEventsSink"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\TypeLib]

(Default) = "{18919121-1B80-4CD7-860E-3E5E9B21A750}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\ProgID]

(Default) = "CMVideo.XMLDOMDocumentEventsSink.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}\InprocServer32]

(Default) = "%System%\CMVideo.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}]

(Default) = "XMLDOMDocumentEventsSink Class"
AppID = "{D14760D1-4702-45FD-BF33-171BCA9B546B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\VersionIndependentProgID]

(Default) = "CMVideo.CMVideoPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\TypeLib]

(Default) = "{18919121-1B80-4CD7-860E-3E5E9B21A750}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\ProgID]

(Default) = "CMVideo.CMVideoPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}\InprocServer32]

(Default) = "%System%\CMVideo.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}]

(Default) = "CMVideoPlugin Class"
AppID = "{D14760D1-4702-45FD-BF33-171BCA9B546B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}\TypeLib]

(Default) = "{18919121-1B80-4CD7-860E-3E5E9B21A750}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{318C2B40-180C-4CC1-9D40-C7DF1C39CBD6}]

(Default) = "ICMVideoPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}\TypeLib]

(Default) = "{18919121-1B80-4CD7-860E-3E5E9B21A750}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{643FB6A3-F6C0-4CC2-9466-CEEA6D8F6E7B}]

(Default) = "IXMLDOMDocumentEventsSink"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\0\win32]

(Default) = "%System%\CMVideo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{18919121-1B80-4CD7-860E-3E5E9B21A750}\1.0]

(Default) = "CMVideo 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin\CurVer]

(Default) = "CMVideo.CMVideoPlugin.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin\CLSID]

(Default) = "{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin]

(Default) = "CMVideoPlugin Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1\CLSID]

(Default) = "{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.CMVideoPlugin.1]

(Default) = "CMVideoPlugin Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink\CurVer]

(Default) = "CMVideo.XMLDOMDocumentEventsSink.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink\CLSID]

(Default) = "{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink]

(Default) = "XMLDOMDocumentEventsSink Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1\CLSID]

(Default) = "{9B81714C-0D6D-4A8C-AF4A-FEC8631E61C2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CMVideo.XMLDOMDocumentEventsSink.1]

(Default) = "XMLDOMDocumentEventsSink Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC1E2BF4-4B60-4E9E-8A3D-F9ED08453A1E}]

(Default) = "CMVideoPlugin"
NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

svchost.exe = "%System%\svcnost.exe"

so that svcnost.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\CMVideoPlugin]

v0 = "?~Uï¿½ï¿½ï¿½ï¿½j>?ï¿½yï¿½Ä¶ï¿½ï¿½Dï¿½ï¿½Sï¿½ï¿½nNasï¿½K?"
v6 = "Mp>ï¿½ï¿½ï¿½ï¿½)>Dï¿½Zï¿½ï¿½ï¿½ï¿½4ï¿½ï¿½?ï¿½2n?ï¿½F

[ï¿½a"]

HKEY_CURRENT_USER\Software\CMVideoPlugin = v5

["D"=ï¿½ï¿½ï¿½ï¿½*rCï¿½?ï¿½ï¿½ï¿½×1Ì?ï¿½ï¿½,-;eï¿½?[ï¿½0ï¿½#?ï¿½"]

HKEY_CURRENT_USER\Software\CMVideoPlugin = v4

["?0}ï¿½Íºï¿½k0?ï¿½Jï¿½Ì²ï¿½ï¿½7ï¿½ï¿½Yï¿½ï¿½"]

HKEY_CURRENT_USER\Software\CMVideoPlugin = v3

["L"]

HKEY_CURRENT_USER\Software\CMVideoPlugin = v2
HKEY_CURRENT_USER\Software\CMVideoPlugin = v1

["?0}ï¿½Íºï¿½j,?ï¿½Zï¿½ï¿½ï¿½ï¿½ï¿½jÎ_ï¿½ï¿½h}h)ï¿½L]

ï¿½}ï¿½aJï¿½?ï¿½ti@ ï¿½?ï¿½?xV?ï¿½}^ï¿½ï¿½ï¿½vï¿½ï¿½oï¿½ï¿½Zcï¿½??F:StT" = HKEY_CURRENT_USER\Software\CMVideoPlugin

[v9]

"L" = HKEY_CURRENT_USER\Software\CMVideoPlugin

[v14]

"M" = HKEY_CURRENT_USER\Software\CMVideoPlugin

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

System = "%System%\svcnost.exe,"

so that svcnost.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex object was created:

WinUpdaterMuXXX

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
softupdate09.com	80	(null)	(null)
rscserv.com	80	(null)	(null)

The following GET requests were made:

service/index.php
inst/index.php?affid=0&subid=0&guid=8f451e62-468e-47c6-a80a-36cd42853280&ver=1.0&key=14755bd1a32e6a1d23a06713ac98ddbd

The following HTTP URLs were started reading:

http://rscserv.com/service/index.php
http://rscserv.cn/service/index.php
http://mysearchdir.net/feed/get.php
http://nsearchdir.com/feed/get.php

Heuristics Analysis

Heuristically identified capability to use BITS (Background Intelligent Transfer Service) to schedule the following download task:

http://pingpinghost.com/xl.php?t=3&guid=unknown&channel=8428095463&ua=mozilla%2f4.0+(compatible%3b+msie+6.0%3b+windows+nt+5.1%3b+sv1%3b+.net+clr+2.0.50727)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.