ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 24 February 2009, 03:10:02
Processing time: 7 min 16 sec
Submitted sample:

File MD5: 0x7644526A5A7644872958733B1CDA703F
File SHA-1: 0x7D08FDA3A1505736EF473FAF1FEC5DDE5FEF1F95
Filesize: 76,838 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	76,838 bytes	MD5: 0x7644526A5A7644872958733B1CDA703F SHA-1: 0x7D08FDA3A1505736EF473FAF1FEC5DDE5FEF1F95

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	188,416 bytes

Other details

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
stabilitytraceweb.com	80	stabilitytraceweb.com	stabilitytraceweb.com

The following GET request was made:

install/ws.zip

Downloaded File Summary:

Download details:

Download retrieved: 24 February 2009 03:17:22
Processing time: 6 min 14 sec
Downloaded sample:

File MD5: 0x173BFFC3101C712A49FAFF7261B5B23F
File SHA-1: 0x8E398530E0690D271900FC6C6B7E30CA3353608E
Filesize: 1,198,534 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
RogueAntiSpyware.System Security	RogueAntiSpyware.System Security is a rogue anti-spyware program which pretends to scan your computer and show severe system threats installed on it. After that it prompts you to buy this software.
RogueAntiSpyware.WinwebSecurity	RogueAntiSpyware.WinwebSecurity displays fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonAppData%\pc1042274547ins	20 bytes	MD5: 0xCABEFD1071B118471F73269F18EB9D39 SHA-1: 0x6504356837AEC4C063F2ECFA8C89B55E4E39DF3A
2	%DesktopDir%\System Security.lnk	801 bytes	MD5: 0xA478D5C9C7F41BBFEC468443EAA23AEA SHA-1: 0xD981138E75A39F519DB492FC016E86A2641863D7
3	%Temp%\config.udb	96 bytes	MD5: 0x1622E2BC37791726ED6AF2E948508D99 SHA-1: 0xDE6C67D131C62E4660897DAB02E46E6AB6F91838
4	%Temp%\init.udb	241 bytes	MD5: 0x4E9D5FD2E13EDC40F238865FDD4CDE49 SHA-1: 0xBDA718AD8BF41025BB0A2DE62717F77554E69E29
5	%Temp%\Langs.udb	12,930 bytes	MD5: 0x8C2F38CFFDBD7264B8528B7D1B7EDD87 SHA-1: 0x907F90DD6D1A51FF2D9EA0DB97236E95CC9FD777
6	%Temp%\SystemSecurity.exe	1,196,544 bytes	MD5: 0x51FE3A6B9C2B35A5FF5040B66290390E SHA-1: 0x7D53F7EB9CE0136F8618386EF453AF784CDA0247
7	%Programs%\System Security\System Security.lnk	813 bytes	MD5: 0xDC491C7FC8FCC7D129C51534458E52FB SHA-1: 0xE60336CDCEEF46AA9910EF94292B17B968D7DC3A
8	[file and pathname of the sample #1]	1,198,534 bytes	MD5: 0x173BFFC3101C712A49FAFF7261B5B23F SHA-1: 0x8E398530E0690D271900FC6C6B7E30CA3353608E

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

The following directory was created:

%Programs%\System Security

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
SystemSecurity.exe	%Temp%\systemsecurity.exe	2,908,160 bytes

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\618CAC1

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SystemSecurity = ""%Temp%\SystemSecurity.exe""

so that SystemSecurity.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\618CAC1]

pc1042274547ins = 0x00000001

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex object was created:

{DCC48B8D-50BC-460B-B6D6-35E4E9BF258D}

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.