ThreatExpert Report: Backdoor.Darkmoon.E, BKDR_POISON.IU, Trojan.Win32.Inject

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 10 August 2012, 11:56:40
Processing time: 13 min 2 sec
Submitted sample:

File MD5: 0x7AA047CD6DAC1D0A4FBC6D968C1B6407
File SHA-1: 0xE2147AD681A84BF7ECADB7A218513F27D02075E9
Filesize: 40,960 bytes
Alias:

Backdoor.Darkmoon.E [Symantec]
BKDR_POISON.IU [Trend Micro]
Trojan.Win32.Inject [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	40,960 bytes	MD5: 0x7AA047CD6DAC1D0A4FBC6D968C1B6407 SHA-1: 0xE2147AD681A84BF7ECADB7A218513F27D02075E9	Backdoor.Darkmoon.E [Symantec] BKDR_POISON.IU [Trend Micro] Trojan.Win32.Inject [Ikarus]

The following Alternate Data Stream was created in the system:

#	ADS name(s)	ADS Size	ADS Hash	Alias
1	%Windir%\system32:msvideor.exe	40,960 bytes	MD5: 0x7AA047CD6DAC1D0A4FBC6D968C1B6407 SHA-1: 0xE2147AD681A84BF7ECADB7A218513F27D02075E9	Backdoor.Darkmoon.E [Symantec] BKDR_POISON.IU [Trend Micro] Trojan.Win32.Inject [Ikarus]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	40,960 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCA83B17-5681-7E29-5E75-AC054D65A322}
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\PIVC
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\PIVC\Settings

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCA83B17-5681-7E29-5E75-AC054D65A322}]

StubPath = "%Windir%\system32:msvideor.exe"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

)!VuSR.I4

The following Host Name was requested from a host database:

ngcc.8800.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
ngcc.8800.org	443

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

00000000 | E570 6780 DE78 F14E 89C7 3DA4 3AA9 4333 | .pg..x.N..=.:.C3
00000010 | AECF 0415 A67F AE05 C4C0 2270 64E5 6A3E | .........."pd.j>
00000020 | 559E 8160 8D5E 9BB3 6712 726E 721F 1677 | U..`.^..g.rnr..w
00000030 | 57F1 C6F0 E209 EFBD 9BD4 972C 9CB3 4753 | W..........,..GS
00000040 | E1D0 2E6A 92EF 5A4D 61D3 C03C 7E66 BAE5 | ...j..ZMa..<~f..
00000050 | 65E6 D851 4581 6B89 519A 4EC6 61F3 EFB6 | e..QE.k.Q.N.a...
00000060 | D8E6 71DB EDE6 C172 3A9D C1CB CE6B 6DA4 | ..q....r:....km.
00000070 | BA61 39E1 689A 95A4 6077 0FFF 7A3E 6821 | .a9.h...`w..z>h!
00000080 | 072C BD41 6085 93A8 623F BF45 D6D7 C3B3 | .,.A`...b?.E....
00000090 | DB0C F51E CFF2 7BA6 7BDA E715 877B 31BA | ......{.{....{1.
000000A0 | 70D8 5EAB 7B67 FC57 55CE 8C24 5D9E F9B8 | p.^.{g.WU..$]...
000000B0 | E897 7A06 685A AD6E 1DE4 5CBA 7123 8156 | ..z.hZ.n..\.q#.V
000000C0 | 04D8 2F87 78C6 1286 F615 D3B3 D6C8 1A86 | ../.x...........
000000D0 | 9358 C19F 0D12 C7DC E033 0FE0 29CE E978 | .X.......3..)..x
000000E0 | 6A72 33B4 4F3F 83F1 BE8A C725 0AB6 AE4C | jr3.O?.....%...L
000000F0 | D9D2 1FCD 7C36 3595 304B 1EFE 20D8 6332 | ....|65.0K.. .c2

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.