Submission Summary:

• Submission details:
• Submission received: 8 December 2011, 23:37:45
• Processing time: 9 min 22 sec
• Submitted sample:
• File MD5: 0x78F3CD7C37891188074204FD5B798DB7
• File SHA-1: 0xC62B2D9215F53129B48CA985B88BECEC8EF3445C
• Filesize: 2,943,056 bytes
• Alias:
• Trojan.Gen [PCTools]
• Trojan.Gen [Symantec]
• Trojan-Dropper.MSIL.Late.aqg [Kaspersky Lab]
• Generic Dropper.yj [McAfee]
• Mal/Mdrop-BF [Sophos]
• VirTool:Win32/Obfuscator.NL [Microsoft]
• Virus.MSIL [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A spyware program that represents security risk for a local system
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\winlog.exe %Temp%\server.exe	144,384 bytes	MD5: 0x66001572B5154C767E7E59052656071F SHA-1: 0x776191D0075FCB821186D6AF93614FC48F65FED6	Net-Worm.SillyFDC!rem [PCTools] W32.SillyFDC [Symantec] Worm.Win32.Bybz.kg [Kaspersky Lab] W32/Autorun.worm.aae [McAfee] Mal/Generic-E [Sophos] Backdoor:Win32/IRCbot.DL [Microsoft] Worm.Win32.Bybz [Ikarus] Win32/Autorun.worm.144384 [AhnLab]
2	%AppData%\TweetWorm.exe.exe %Temp%\TweetWorm.exe	41,014 bytes	MD5: 0x93404EF0811742F96FD43387E65C664F SHA-1: 0x76EEA66B2B3BE181129FC8AB4ED9649EC6069A5B	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Trojan.Win32.Scar.dlhf [Kaspersky Lab] Generic.dx!zep [McAfee] Mal/VBDldr-B [Sophos] Trojan:Win32/Dynamer!dtc [Microsoft] Trojan.Win32.Scar [Ikarus]
3	%Temp%\1 hour keylogger with out screen.exe	501,665 bytes	MD5: 0xCCD06348B01185788EEB435E82DA2891 SHA-1: 0xA645099B5673B3AC7598F2978E04C8746E9E462C	Spyware.ADH [PCTools] Spyware.ADH [Symantec] Trojan-Dropper.Win32.Agent.bcw [Kaspersky Lab] Spy-Agent.cv [McAfee] TROJ_DROPPER.CKT [Trend Micro] Troj/Dropper-QR [Sophos] TrojanDropper:Win32/Agent [Microsoft] Trojan-Spy.Win32.Ardamax [Ikarus] Dropper/Agent.14336.B [AhnLab]
4	%Temp%\@2.tmp %Temp%\@4.tmp	904,760 bytes	MD5: 0x3361A4E6B88DDB433FE88EB1A8B34C06 SHA-1: 0x6DAFB0EB353267180E1F66F5059DF9EC84B59ECD	Application.Ardamax_Keylogger [PCTools] Spyware.Ardakey [Symantec]
5	%Temp%\task bar clear.exe	12,288 bytes	MD5: 0x6491DF4B89670BEFA1B357920B63B0C9 SHA-1: 0xA96CE890643A6C49A367E980BF725D4EB4E63451	(not available)
6	%Temp%\Zombie and Keylogger and TweetWorm.exe	1,953,745 bytes	MD5: 0x7CECF0CD662C35E04ABCD0C712C1D58C SHA-1: 0xD05FCE127217AB1CC3129CC42D6F16742BA11492	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan-Dropper.MSIL.Late.aqj [Kaspersky Lab] Generic Dropper.yj [McAfee] Mal/Mdrop-BF [Sophos] VirTool:Win32/Obfuscator.NL [Microsoft] Virus.MSIL [Ikarus]
7	%Temp%\Zombie and Keylogger.exe	1,183,066 bytes	MD5: 0x3C5D4AE1B1901C4EDC42F61CB2FDF154 SHA-1: 0x311423963C7E97F7F0E7D7320BB50733DADD02E9	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Generic Dropper.yj [McAfee] Mal/Mdrop-BF [Sophos] VirTool:Win32/Obfuscator.NL [Microsoft] Virus.MSIL [Ikarus]
8	[file and pathname of the sample #1]	2,943,056 bytes	MD5: 0x78F3CD7C37891188074204FD5B798DB7 SHA-1: 0xC62B2D9215F53129B48CA985B88BECEC8EF3445C	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan-Dropper.MSIL.Late.aqg [Kaspersky Lab] Generic Dropper.yj [McAfee] Mal/Mdrop-BF [Sophos] VirTool:Win32/Obfuscator.NL [Microsoft] Virus.MSIL [Ikarus]
9	%System%\Sys32\AKV.exe	400,384 bytes	MD5: 0x869461E168A87283A8782E70F5D5A3A8 SHA-1: 0xAB189B5F2682AE66162226B4F646B1E80486C653	Spyware.Ardakey!rem [PCTools] Spyware.Ardakey [Symantec] Trojan-Spy.Win32.Ardamax.g [Kaspersky Lab] Keylog-Ardamax.dll!a [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] not-a-virus:Monitor.Win32.Ardamax.ah [Ikarus]
10	%System%\Sys32\HSMD.001	484 bytes	MD5: 0xEAD7A84E6E08640FCAFE7458316C09A3 SHA-1: 0x2DCC0509114AF287A08F22EEF5CD695FED2B2418	(not available)
11	%System%\Sys32\HSMD.002	9,830 bytes	MD5: 0xE12768514A1B35CEBFBFFD78F0185E01 SHA-1: 0xF882E34BEA87686A03E2F4E6DBF114CF8D5BB8C6	(not available)
12	%System%\Sys32\HSMD.006	7,680 bytes	MD5: 0x928CC65DC793834C709A054CA57C19C8 SHA-1: 0xA1E5D8407199C1BD6A4B274044DE640FE0D9E99B	Spyware.Ardakey!rem [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.o [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] not-a-virus:Monitor.Win32.Ardamax [Ikarus] Win-Trojan/Ardamax.7680 [AhnLab]
13	%System%\Sys32\HSMD.007	5,632 bytes	MD5: 0x3E1F5D5A06CF97B0495B8D129FBE02E4 SHA-1: 0xB0DE258A813F5EDDE85004F6865B6ED91F6D6F8F	Spyware.Ardakey!rem [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.o [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] not-a-virus:Monitor.Win32.Ardamax [Ikarus] Win-Trojan/Ardamax.5632.B [AhnLab]
14	%System%\Sys32\HSMD.exe	487,936 bytes	MD5: 0xEF52B540CB404D908338E9CBF7CFF283 SHA-1: 0x778765E1736C0A197685978C3FEE7A44E7BDE419	Spyware.Ardakey!sd6 [PCTools] Spyware.Ardakey [Symantec] Trojan-Spy.Win32.Ardamax.h [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] Virus.Win32.Ardamax.CI [Ikarus] Win-Trojan/Ardamax.491520 [AhnLab]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %System%\Sys32

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
TweetWorm.exe	%Temp%\tweetworm.exe	40,960 bytes
winlog.exe	%AppData%\microsoft\winlog.exe	172,032 bytes
TweetWorm.exe.exe	%AppData%\tweetworm.exe.exe	40,960 bytes

• Attention! The following process was intentionally hidden from the user:

Registry Modifications

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• TweetWorm.exe = "%AppData%\TweetWorm.exe.exe"
• HSMD Agent = "%System%\Sys32\HSMD.exe"

so that TweetWorm.exe.exe runs every time Windows starts
so that HSMD.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• winlog.exe = "%AppData%\Microsoft\winlog.exe"

so that winlog.exe runs every time Windows starts

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Russian Federation

• The following ports were open in the system:

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URL was then requested from the remote web server:
• http://twitter.com/kody15562