ThreatExpert Report: Backdoor.Ciadoor, Backdoor.Win32.Poison.ckym, BackDoor-DSS.gen.a..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 5 October 2012, 10:48:10
Processing time: 7 min 35 sec
Submitted sample:

File MD5: 0x760231C7BFFCFD5473962A8332E1FC7E
File SHA-1: 0x0C1C051AF27E963A883D6E6FDD2AC5B61147CF73
Filesize: 6,144 bytes
Alias:

Backdoor.Ciadoor [Symantec]
Backdoor.Win32.Poison.ckym [Kaspersky Lab]
BackDoor-DSS.gen.a [McAfee]
Troj/Keylog-JV [Sophos]
Backdoor:Win32/Poison.E [Microsoft]
Virus.Win32.Poison [Ikarus]
Win-Trojan/Poison.8192.AF [AhnLab]

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	6,144 bytes	MD5: 0x760231C7BFFCFD5473962A8332E1FC7E SHA-1: 0x0C1C051AF27E963A883D6E6FDD2AC5B61147CF73	Backdoor.Ciadoor [Symantec] Backdoor.Win32.Poison.ckym [Kaspersky Lab] BackDoor-DSS.gen.a [McAfee] Troj/Keylog-JV [Sophos] Backdoor:Win32/Poison.E [Microsoft] Virus.Win32.Poison [Ikarus] Win-Trojan/Poison.8192.AF [AhnLab]

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	6,144 bytes

Other details

To mark the presence in the system, the following Mutex object was created:

)!VoqG.I8

The following port was open in the system:

Port	Protocol	Process
1033	TCP	[file and pathname of the sample #1]

The following Host Names were requested from a host database:

192.5.5.241
27.228.187.116

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
27.228.187.116	3460

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3460:

00000000 | 5B3C 8497 5F55 B921 8407 8FF0 4104 8ACD | [<.._U.!....A...
00000010 | 346B 4A5E 7676 1E13 8566 EDEC DF25 85B5 | 4kJ^vv...f...%..
00000020 | 304F E85E 6BC4 F7EF 0A13 8D7D 9F2F 27F8 | 0O.^k......}./'.
00000030 | B128 3258 7D6F 5ECF 0B38 BBC8 4AAA 0574 | .(2X}o^..8..J..t
00000040 | BC3A 2478 5BB1 8F23 266B 9B41 1FFC 9B8F | .:$x[..#&k.A....
00000050 | 92EE BF09 60DD 0CAA 7355 2CAD BEE1 516E | ....`...sU,...Qn
00000060 | 2386 8C45 3644 5E6E 25C9 9167 79D5 1F5F | #..E6D^n%..gy.._
00000070 | 33E1 C105 0268 1E97 D6E0 3561 CFC1 EA33 | 3....h....5a...3
00000080 | AAC3 86B4 2CEF 7B8E F474 136D 2CF4 97AB | ....,.{..t.m,...
00000090 | 7D01 FC31 34BF 4BB4 D2EF 3440 795D 3E9B | }..14.K...4@y]>.
000000A0 | 8E06 B9A7 FD55 EF3D E19F D1CD B54C AF26 | .....U.=.....L.&
000000B0 | B27D 1F6E 8B72 E0DD F4C8 9A4D B68A 1CAD | .}.n.r.....M....
000000C0 | 5495 BEEA 0C27 20C6 593F 070D F7A1 1937 | T....' .Y?.....7
000000D0 | 0CCF F88A 85D0 B80D 175B E8B0 F3C2 A3E1 | .........[......
000000E0 | 414E BEA7 DF6A 99DD 9A4F B14E 361C 4F71 | AN...j...O.N6.Oq
000000F0 | A854 E808 1C43 E4F0 F53F 683B F0CD 69D7 | .T...C...?h;..i.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.