ThreatExpert Report: W32/Mariofev!enc, Trojan.Win32.Patched.gq, Patched User32, Troj/User32Hk-A..

Submission Summary:

Submission details:

Submission received: 14 November 2009, 06:32:18
Processing time: 9 min 42 sec
Submitted sample:

File MD5: 0x764F15F5AEE309F104F68FB5E8677A4F
File SHA-1: 0x1D77E06C1115A79D952F7D747CC742AED376C5A6
Filesize: 214,016 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\2346g.4e	32,768 bytes	MD5: 0x3388D687B9CB2F133DB055415CB36F00 SHA-1: 0x36801563C0B5065F6333010B79A00722F55BF5B7	W32/Mariofev!enc [McAfee]
2	%System%\bbri.few	65,024 bytes	MD5: 0x3ECBA925B22DF8457927AD1E965FD5F6 SHA-1: 0x16B1A0A78DC79B7992B747A0EC085EE321D3C332	W32/Mariofev!enc [McAfee]
3	%System%\cooper.mine [file and pathname of the sample #1]	214,016 bytes	MD5: 0x764F15F5AEE309F104F68FB5E8677A4F SHA-1: 0x1D77E06C1115A79D952F7D747CC742AED376C5A6	(not available)
4	%System%\dllcache\termsrv.dll	215,552 bytes	MD5: 0xA77219A971029DC2FB683E8513713803 SHA-1: 0x1C456520A7B7FAF71900C71167038185F5A7D312	(not available)
5	%System%\dllcache\user32.dll	577,024 bytes	MD5: 0x0CE745E0DB8C2A87B2EBE53DF2442E6B SHA-1: 0x765235324AB1B4309220EEB5A2EDB33F05F6E48C	Trojan.Win32.Patched.gq [Kaspersky Lab] Patched User32 [McAfee] Troj/User32Hk-A [Sophos] Virus:Win32/Mariofev.A [Microsoft]
6	%System%\few46dx.4e	28,672 bytes	MD5: 0x081C7DDB1DCF227649BF7EFFDB948965 SHA-1: 0x69795E23ADE0CB093A9A129D70DEC54FC45CF1E9	W32/Mariofev!enc [McAfee]
7	%System%\nmklo.dll	88,064 bytes	MD5: 0x242472A24D025FF3F4496969BF76AE6B SHA-1: 0xA9B5DD256665D891DFF28AB9EF7A2B30DFFC6DF3	(not available)
8	%System%\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof	32,872 bytes	MD5: 0x5E221F2B645FB0AFDC3071EF7C6A5C25 SHA-1: 0x52B1511D97141D80A65B0A541CD171A1F8BA7119	(not available)
9	%System%\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof	2,570,652 bytes	MD5: 0x034A2302F68BF59F4CE451DCDBD69370 SHA-1: 0xBFA5D20C3F13AA6C3BA76DCF11486A44515127E7	(not available)
10	%System%\wef6.gy	19,968 bytes	MD5: 0xD9311E0DF1A748EDA46B0FA8133B0382 SHA-1: 0x807B6F0489E9746B9A846EFCB869EFDF5F277BF0	(not available)
11	%System%\yawbsf	577,024 bytes	MD5: 0xC72661F8552ACE7C5C85E16A3CF505C4 SHA-1: 0x19DC0854AAEAADF26BAE8B7DAACE8115B5209F73	(not available)
12	%System%\yysuwijk	295,424 bytes	MD5: 0xB60C877D16D9C880B952FDA04ADF16E6 SHA-1: 0xB93A2C8BDA208A76B033C67FA90128F5888890E5	(not available)

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was deleted:

%System%\user32.dll

The following file was modified:

%System%\termsrv.dll

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	N/A

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
nmklo.dll	%System%\nmklo.dll	Process name: [filename of the sample #1] Process filename: [file and pathname of the sample #1] Address space: 0xC60000 - 0xC60001

There were new kernel-mode drivers installed in the system:

Driver Name	Driver Filename
TDTCP.SYS	%System%\drivers\tdtcp.sys
RDPWD.SYS	%System%\drivers\rdpwd.sys

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\1
HKEY_LOCAL_MACHINE\SOFTWARE\250
HKEY_LOCAL_MACHINE\SOFTWARE\3
HKEY_LOCAL_MACHINE\SOFTWARE\9
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP\0000\Control
HKEY_CURRENT_USER\Software\Microsoft\Wbem
HKEY_CURRENT_USER\Software\Microsoft\Wbem\WMIC

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

MID = "1EE5B0843A714C5894D9E649B5B6F069A16322EEA6F54FA7A17480AED6FDD49D"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Appibwt_Dlls = "nmklo"

[HKEY_LOCAL_MACHINE\SOFTWARE\1]

31AC70412E939D72A9234CDEBB1AF5867B = "nqrckqqlqdrqrirprhqoqrqdopoinfnhmjmqrjrjlmmhmmnnmfqhmmmknl"
31897356954C2CD3D41B221E3F24F99BBA = 0x00609EED
31C2E1E4D78E6A11B88DFA803456A1FFA5 = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\250]

31AC70412E939D72A9234CDEBB1AF5867B = "ioeehkfrffeoekefejfqflfjdrdgdpdndhdogdgdekdfdfccgogrdqcfhegldn"
31897356954C2CD3D41B221E3F24F99BBA = 0x00609EED
31C2E1E4D78E6A11B88DFA803456A1FFA5 = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\3]

31AC70412E939D72A9234CDEBB1AF5867B = "kgomncpjpnogoconproiodorqjqoqhqfrprgmlmlocqmrnrllikrohpm"
31897356954C2CD3D41B221E3F24F99BBA = 0x00609EED
31C2E1E4D78E6A11B88DFA803456A1FFA5 = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\9]

31AC70412E939D72A9234CDEBB1AF5867B = "qdmrpjnenknlnrninomfmimmkgkdkmkqlqldoqoomffefefifhifenfeie"
31897356954C2CD3D41B221E3F24F99BBA = 0x00609EED
31C2E1E4D78E6A11B88DFA803456A1FFA5 = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]

EnableConcurrentSessions = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "RDPWD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD\0000]

Service = "RDPWD"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "RDPWD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDPWD]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "TDTCP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP\0000]

Service = "TDTCP"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "TDTCP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDTCP]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]

EnableConcurrentSessions = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "RDPWD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD\0000]

Service = "RDPWD"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "RDPWD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "TDTCP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP\0000]

Service = "TDTCP"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "TDTCP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP]

NextInstance = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Wbem\WMIC]

WMICLC = 0x00000409
mofcompMUIStatus = 0xFFFFFFFF

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server]

fDenyTSConnections =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

fDenyTSConnections =

Other details

The following port was open in the system:

Port	Protocol	Process
1043	TCP	[file and pathname of the sample #1]

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
twido.ws	0	(null)	(null)
yomm.ws	0	(null)	(null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.