ThreatExpert Report: Trojan.Gen.2, VirTool:Win32/VBInject.gen!FA, Trojan.SuspectCRC..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 September 2012, 02:18:12
Processing time: 8 min 5 sec
Submitted sample:

File MD5: 0x7C152B99D5F21E327F8A52044E5E4F81
File SHA-1: 0x0BCA01AA4272517CE7DE9BA9CE43A492CDBD2D86
Filesize: 84,480 bytes
Alias:

Trojan.Gen.2 [Symantec]
VirTool:Win32/VBInject.gen!FA [Microsoft]
Trojan.SuspectCRC [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\IXP000.TMP\xp-7.exe	53,248 bytes	MD5: 0xC86A4A9DC318B37D9823D36987F96BF3 SHA-1: 0x77D5FF3A62F641852C3BF18F9944083172DFB992	Trojan.Usuge!gen3 [Symantec] Generic VB.fl [McAfee] Mal/VBCheMan-C, Mal/VBCheMan-C [Sophos] VirTool:Win32/VBInject.OT [Microsoft] Trojan.SuspectCRC [Ikarus]
2	[file and pathname of the sample #1]	84,480 bytes	MD5: 0x7C152B99D5F21E327F8A52044E5E4F81 SHA-1: 0x0BCA01AA4272517CE7DE9BA9CE43A492CDBD2D86	Trojan.Gen.2 [Symantec] VirTool:Win32/VBInject.gen!FA [Microsoft] Trojan.SuspectCRC [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%Temp%\IXP000.TMP

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	98,304 bytes
1cam-o~1.exe	%Temp%\ixp000.tmp\1cam-o~1.exe	32,768 bytes
xp-7.exe	%Temp%\ixp000.tmp\xp-7.exe	57,344 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
xp-7.exe	%Temp%\ixp000.tmp\xp-7.exe	8,192 bytes
xp-7.exe	%Temp%\ixp000.tmp\xp-7.exe	8,192 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

toki.exe = "%Temp%\IXP000.TMP\xp-7.exe"

so that xp-7.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Saudi Arabia

To mark the presence in the system, the following Mutex object was created:

)!VoqA.I4

The following Host Names were requested from a host database:

192.5.5.241
toooki.no-ip.biz

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
toooki.no-ip.biz	3460

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%Temp%\ixp000.tmp\xp-7.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3460:

00000000 | 8EC3 E622 944E 127A 6589 3266 5BE0 E3B6 | ...".N.ze.2f[...
00000010 | 4D6D 967D B18A CE29 02AA 5524 5541 99A6 | Mm.}...)..U$UA..
00000020 | 69F1 72DC A827 B865 3713 643F FAE2 F2E2 | i.r..'.e7.d?....
00000030 | 95F7 353F DD53 1184 855A ADEB 3354 E4BF | ..5?.S...Z..3T..
00000040 | 029D 0111 4D25 86CC F958 033C E528 D86D | ....M%...X.<.(.m
00000050 | 26DB 9B22 DA37 6288 DE9B 14A1 7DDF B7C6 | &..".7b.....}...
00000060 | F2B3 4C43 0C7D CD66 B17A 7745 33E0 6D2E | ..LC.}.f.zwE3.m.
00000070 | 2DE3 BFF2 FE12 AD6A 5E03 52AE 3F2D 8400 | -......j^.R.?-..
00000080 | 0980 8AF3 DEAB 56E4 A7E6 B463 BB71 1E08 | ......V....c.q..
00000090 | 4F44 3DAA 96CE 2C5C 3A9D 26F7 AC45 6FA6 | OD=...,\:.&..Eo.
000000A0 | E401 9735 D3FD AC72 BAA0 E509 757F 632C | ...5...r....u.c,
000000B0 | 2314 E53D 12AF 06DD D16A 8E1A 6074 2102 | #..=.....j..`t!.
000000C0 | 9F35 AC08 9740 EFC6 695E E86E 6A8B 6296 | .5...@..i^.nj.b.
000000D0 | 256D C50F 2360 54BB 7983 61DC 85FB E53C | %m..#`T.y.a....<
000000E0 | 918D 624A F34C 3289 94B1 A509 9FB7 B896 | ..bJ.L2.........
000000F0 | D46C 200C 9F2D 210B 0CE8 B81F B936 5523 | .l ..-!......6U#
00000000 | A6EC 7CDC 90D5 8AD4 7209 40CD 0BAA 3E7A | ..|.....r.@...>z
00000010 | 40F6 12FB 139D DE0E 7E5C C83A 5F40 65B0 | @.......~\.:_@e.
00000020 | B24F 4DC7 2D1C 00DD F111 3629 A0C2 D0E8 | .OM.-.....6)....
00000030 | A3C6 5E90 6C88 F150 E5D1 06F3 16A7 5876 | ..^.l..P......Xv
00000040 | 0C07 2615 7821 2C18 EEE9 461A A6BD CC29 | ..&.x!,...F....)
00000050 | C84A 16B3 A8FF F62E 58E3 FFC2 0783 9B57 | .J......X......W
00000060 | 5FB5 075F 3AC2 A47F D9A0 570E D688 18C9 | _.._:.....W.....
00000070 | 7EA2 3092 CBF7 426D 70AE 05E2 93E6 7EE3 | ~.0...Bmp.....~.
00000080 | 8B14 36F5 8793 9D38 C2FD FCFC CCB5 3D58 | ..6....8......=X
00000090 | C816 FE73 0C71 BC60 8EB2 43C2 85C2 4ECC | ...s.q.`..C...N.
000000A0 | AA29 7A2C 0A21 0897 E883 83C6 C21D 9640 | .)z,.!.........@
000000B0 | 4F48 EB86 0FFF 90EE 1915 A02B CF23 7443 | OH.........+.#tC
000000C0 | 03BD F520 B43A 6021 9E47 40A4 A057 661A | ... .:`!.G@..Wf.
000000D0 | 74F9 EB69 C2E6 A644 C96D B599 7496 4253 | t..i...D.m..t.BS
000000E0 | 244D 799B C72E C48E 96E8 4BA0 CBAA 3E6D | $My.......K...>m
000000F0 | 50E5 504D 679C 4233 8035 009C 6D15 78DA | P.PMg.B3.5..m.x.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.