ThreatExpert Report: Email-Worm.Agent, Generic Packed

Submission Summary:

Submission details:

Submission received: 19 July 2008, 21:15:08
Processing time: 3 min 33 sec
Submitted sample:

File MD5: 0x7422AD35F5F0735243AD8D0CF4DDDE06
File SHA-1: 0x5D5FF4284321FB54040E12F18E113E808D0E59D4
Filesize: 201,680 bytes
Alias: Email-Worm.Agent [PCTools]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Email-Worm.Agent	Email-Worm.Agent is a malicious worm capable of propagating via email. It normally arrives as a downloaded file when a user unwittingly visits a compromised web server. It may use other components to carry out its payloads which include downloading and installing other malware, propagating across the network via known exploits, and execute denial-of-service attacks.

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\fxsst.dll	143,360 bytes	MD5: 0xEFA6058D2A84B4DA5F0DFACB251A7A2E SHA-1: 0xD6FD1551BAF284ED873C8001696AE509FB5C6D17	Email-Worm.Agent [PCTools] Generic Packed [McAfee]
2	%Windir%\Help\VBDEFL98.CHI [file and pathname of the sample #1]	201,680 bytes	MD5: 0x7422AD35F5F0735243AD8D0CF4DDDE06 SHA-1: 0x5D5FF4284321FB54040E12F18E113E808D0E59D4	Email-Worm.Agent [PCTools]
3	%Windir%\Uninst.bat	131 bytes	MD5: 0x875DD0C1684A83BA32EFACE8CFDE667A SHA-1: 0x0057960D514D3E9C61568EAE91BEA97C40FF0799	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	208,896 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
fxsst.dll	%Windir%\fxsst.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1A70000 - 0x1A97000

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following Host Names were requested from a host database:

www.cobras.cn
update.microsoft.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
update.microsoft.com	8008

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.