ThreatExpert Report: Backdoor.Win32.Turkojan.r, Generic BackDoor!bbt, Mal/Generic-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 13 November 2009, 19:59:37
Processing time: 8 min 40 sec
Submitted sample:

File MD5: 0x7ABAB5B82B9832DCB96506D24CFE3436
File SHA-1: 0xDE00EA0E5092A45F861508AA4EE795CF7937588F
Filesize: 451,057 bytes
Alias & packer info:

Backdoor.Win32.Turkojan.r [Kaspersky Lab]
Generic BackDoor!bbt [McAfee]
Mal/Generic-A [Sophos]
Backdoor.Win32.Turkojan [Ikarus]
Dropper/Malware.451057 [AhnLab]
packed with: PE_Patch.UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Turkojan	Backdoor.Turkojan provides a remote attacker unauthorized access to an infected machine. It can steal passwords, log keystrokes, create screenshots, and control the infected system.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\LightningCrypter.exe	118,784 bytes	MD5: 0xAFC85B8E541714AA453ED0A42B502DF3 SHA-1: 0x5F8BE521EA25B8761F4B09A532E882291D10A3C1	Trojan.Dropper [Symantec] Mal/Generic-A [Sophos] Virus.Win32.VB [Ikarus]
2	%Windir%\cmsetac.dll	33,280 bytes	MD5: 0x28F0F1BE53743A0D4F06A90B8BA42393 SHA-1: 0xB5E2B456C1799D22735B1F750B2C5002073D83D0	Backdoor.Win32.Turkojan.jv [Kaspersky Lab] BackDoor-DWS [McAfee] TROJ_DELF.EMO [Trend Micro] Troj/Agent-GMF [Sophos] TrojanSpy:Win32/Turkahn.A [Microsoft] Backdoor.Win32.Turkojan [Ikarus] Win-Trojan/Agent.33280.DM [AhnLab]
3	%Windir%\KB8888239.log	1,030 bytes	MD5: 0xBB13AD3FA4206AE67AEB703E21526E66 SHA-1: 0xF21F1A0423547E0C77F34E24268FB5F46CBA3035	packed with Edit [Kaspersky Lab]
4	%Windir%\mstwain32.exe	110,592 bytes	MD5: 0x9A5033349A2A8CB1F3A6AEA16E4A2117 SHA-1: 0x04B1D6939A1E9F6EE261EA9637188C216947EE5D	W32.IRCBot.Gen [Symantec] Backdoor.Win32.Turkojan.r [Kaspersky Lab] BackDoor-CZP.dr [McAfee] Troj/Agent-GMF [Sophos] Backdoor:Win32/Turkojan.AI [Microsoft] Downloader.Delphi [Ikarus] Win-Trojan/Turkojan.307712 [AhnLab] packed with UPX [Kaspersky Lab]
5	%Windir%\ntdtcstp.dll	7,168 bytes	MD5: 0x67587E25A971A141628D7F07BD40FFA0 SHA-1: 0x76FCD014539A3BB247CC0B761225F68BD6055F6B	Backdoor.Ciadoor [Symantec] Backdoor.Win32.Turkojan.ake [Kaspersky Lab] BackDoor-CZP [McAfee] BKDR_TURKOJAN.AT [Trend Micro] Troj/Agent-GMF [Sophos] Trojan:Win32/Turkojan.A!dll [Microsoft] Backdoor.Win32.Turkojan [Ikarus] Win-Trojan/Turkojan.7168.M [AhnLab]
6	[file and pathname of the sample #1]	451,057 bytes	MD5: 0x7ABAB5B82B9832DCB96506D24CFE3436 SHA-1: 0xDE00EA0E5092A45F861508AA4EE795CF7937588F	Backdoor.Win32.Turkojan.r [Kaspersky Lab] Generic BackDoor!bbt [McAfee] Mal/Generic-A [Sophos] Backdoor.Win32.Turkojan [Ikarus] Dropper/Malware.451057 [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
LightningCrypter.exe	%Temp%\LightningCrypter.exe	122,880 bytes
ksa.exe	%Temp%\ksa.exe	327,680 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	753,664 bytes

Attention! The following processes were intentionally hidden from the user:

Process Name	Main Module Size
mstwain32.exe	327,680 bytes
mstwain32.exe	327,680 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
cmsetac.dll	%Windir%\cmsetac.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x17B0000 - 0x17BE000
cmsetac.dll	%Windir%\cmsetac.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1620000 - 0x162E000
ntdtcstp.dll	%Windir%\ntdtcstp.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1640000 - 0x1648000
cmsetac.dll	%Windir%\cmsetac.dll	Process name: VMwareUser.exe Process filename: %ProgramFiles%\vmware\vmware tools\vmwareuser.exe Address space: 0x9A0000 - 0x9AE000

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

mstwain32 = "%Windir%\mstwain32.exe"

so that mstwain32.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Spain
	United Kingdom

To mark the presence in the system, the following Mutex objects were created:

ASPLOG
WBEMPROVIDERSTATICMUTEX
DENEK

The following ports were open in the system:

Port	Protocol	Process
1033	TCP	mstwain32.exe (%Windir%\mstwain32.exe)
1034	TCP	mstwain32.exe (%Windir%\mstwain32.exe)

The following Host Name was requested from a host database:

koook.no-ip.info

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
koook.no-ip.info	15963

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%System%\MSVBVM60.DLL
%Windir%\ntdtcstp.dll
%Windir%\cmsetac.dll

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 15963:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.