Submission Summary:

• Submission details:
• Submission received: 1 August 2012, 19:27:21
• Processing time: 13 min 54 sec
• Submitted sample:
• File MD5: 0x7BC9073E3AF99A0F049CF3CB6086B302
• File SHA-1: 0x5D8167AA536D80E82F27FBB751FD09E81046BB85
• Filesize: 297,472 bytes
• Alias:
• W32.Spyrat [Symantec]
• Trojan.Win32.Llac.bdm [Kaspersky Lab]
• Generic PWS.di [McAfee]
• Troj/Agent-LRO [Sophos]
• Backdoor:Win32/Hupigon.CN [Microsoft]
• Worm.Win32.Rebhip [Ikarus]
• Win-Trojan/Infostealer.410624 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\logs.dat	15 bytes	MD5: 0xE21BD9604EFE8EE9B59DC7605B927A2A SHA-1: 0x3240ECC5EE459214344A1BAAC5C2A74046491104	Troj/RebhipCn-A [Sophos]
2	%Temp%\UuU.uUu %Temp%\XxX.xXx	8 bytes	MD5: 0x7DEA362B3FAC8E00956A4952A3D4F474 SHA-1: 0x05FE405753166F125559E7C9AC558654F107C7E9	(not available)
3	%Temp%\XX--XX--XX.txt	235,385 bytes	MD5: 0x24D9AD9EC11749AC5DFE76CF5A491BEE SHA-1: 0x36D4BD80F1313A9D1E0F9BC77158302583C5A485	(not available)
4	[file and pathname of the sample #1] %System%\Win_Xp.exe	297,472 bytes	MD5: 0x7BC9073E3AF99A0F049CF3CB6086B302 SHA-1: 0x5D8167AA536D80E82F27FBB751FD09E81046BB85	W32.Spyrat [Symantec] Trojan.Win32.Llac.bdm [Kaspersky Lab] Generic PWS.di [McAfee] Troj/Agent-LRO [Sophos] Backdoor:Win32/Hupigon.CN [Microsoft] Worm.Win32.Rebhip [Ikarus] Win-Trojan/Infostealer.410624 [AhnLab]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_CURRENT_USER\Software\????

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}]
• StubPath = "%System%\Win_Xp.exe"

so that Win_Xp.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
• Policies = "%System%\Win_Xp.exe"

so that Win_Xp.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• HKLM = "%System%\Win_Xp.exe"

so that Win_Xp.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
• Policies = "%System%\Win_Xp.exe"

so that Win_Xp.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• HKCU = "%System%\Win_Xp.exe"

so that Win_Xp.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\????]
• NewIdentification = "????"
• FirstExecution = "01/08/2012 -- 19:27"

Other details

• To mark the presence in the system, the following Mutex objects were created:
• _x_X_UPDATE_X_x_
• _x_X_PASSWORDLIST_X_x_
• _x_X_BLOCKMOUSE_X_x_
• ***MUTEX***
• ***MUTEX***_PERSIST
• ***MUTEX***_SAIR

• The following Host Name was requested from a host database:
• 01526523328.zapto.org

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 81: