Submission Summary:

What's been found | Severity Level
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security Risk | Description
Trojan.Gpcoder!sd6 | Trojan.Gpcoder!sd6 is a malicious program that does not infect other files but may represent a security risk for your computer and/or network environment.

Threat Category | Description
A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment

 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 c:\!_READ_ME_!.txt
%CommonDocuments%\My Pictures\Sample Pictures\!_READ_ME_!.txt
c:\Inetpub\wwwroot\!_READ_ME_!.txt
502 bytes MD5: 0x71D20D61391A76477BE76485A6F9A6B1
SHA-1: 0x40F1DEABBAA9716E1F375C80280E23EF7B8ADD4B
(not available)
2 c:\contacts.html._CRYPT 295 bytes MD5: 0x918B3F6F8AD66DBF4099F63B1582288F
SHA-1: 0x1BA3035F954C3C170F68868C19C665CCC70917C7
(not available)
3 %CommonDocuments%\My Pictures\Sample Pictures\Blue hills.jpg._CRYPT 28,537 bytes MD5: 0x88476A7394AF153D64E4F94056441038
SHA-1: 0x2A257E835CE27E27F06567604E5C95865CB952D7
(not available)
4 %CommonDocuments%\My Pictures\Sample Pictures\Sunset.jpg._CRYPT 71,205 bytes MD5: 0x1803A790D36244AF5F0716819835AA78
SHA-1: 0x42469E681E177748D05CCBA4D696B0A7E368F006
(not available)
5 %CommonDocuments%\My Pictures\Sample Pictures\Water lilies.jpg._CRYPT 83,810 bytes MD5: 0xE2F8A5491DD5238A72F073EB9EFA0888
SHA-1: 0x39ED2FF44CF2625A6FB204FCEB3C9F41D095B54C
(not available)
6 %CommonDocuments%\My Pictures\Sample Pictures\Winter.jpg._CRYPT 105,558 bytes MD5: 0x0313C28D5C0010B7B9A34DF54FBC5D48
SHA-1: 0x48DEC2241624E7D043773B52DC383CF8D42402AB
(not available)
7 c:\Inetpub\wwwroot\index.html._CRYPT 141 bytes MD5: 0x63D08B2798DA76E9393DAC1F69FDA2D3
SHA-1: 0x590082F0FC11CB129056AB44C8D9F7A70097981B
(not available)
8 c:\Inetpub\wwwroot\index.jpg._CRYPT 176,110 bytes MD5: 0xD35A1CA544DC9773A05AF0F7171D5100
SHA-1: 0x694A75B2205A1DD059F806BBBFDCA47DF9AE552F
(not available)
9 c:\main.wab._CRYPT 178,894 bytes MD5: 0x12474B045006F68C3726075708BEEAED
SHA-1: 0xE0FEF955FCADFE53C553DF7C454E0F3871AC85B0
(not available)
10 [file and pathname of the sample #1] 8,030 bytes MD5: 0x7CD8E2FC5FE2DC351F24417CC1D23AFA
SHA-1: 0x1490EE2D05B8862D17BB87BC00F0F0CC21C5505F
Trojan.Gpcoder!sd6 [PCTools]
Trojan.Gpcoder.F [Symantec]
Virus.Win32.Gpcode.ak [Kaspersky Lab]
GPcoder.i [McAfee]
Troj/Gpcode-D [Sophos]
Trojan:Win32/Gpcode.G [Microsoft]
Virus.Win32.Gpcode [Ikarus]
11 %System%\[filename of the sample #1 without extension].vbs 360 bytes MD5: 0xB09A2541091195F82808082497CBDE8C
SHA-1: 0x0BDC2722386BC28707CC44ED00664933FAE83234
(not available)

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 1,073,664 bytes

 

Registry Modifications

 

Other details

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

Copyright © 2009 ThreatExpert. All rights reserved.