ThreatExpert Report: Suspicious.MH690, Trojan.Win32.ServStart, Trojan.Win32.Scar.glpt, Mal/Nitol-C..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 14 September 2012, 17:57:26
Processing time: 7 min 56 sec
Submitted sample:

File MD5: 0x7C31F5B0DDE1924004FB187C71728177
File SHA-1: 0xB65D9F76C9F9011F0C572989FB7E2E7362383FA5
Filesize: 19,456 bytes
Alias & packer info:

Suspicious.MH690 [Symantec]
Trojan.Win32.ServStart [Ikarus]
packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\Installer\{B53D42E8-872B-430E-82D4-80065A31FCE1}\lpk.dll [pathname with a string SHARE]\lpk.dll [pathname with a string SHARE]\lpk.dll [pathname with a string SHARE]\lpk.dll %ProgramFiles%\Internet Explorer\Connection Wizard\lpk.dll %ProgramFiles%\Internet Explorer\lpk.dll %ProgramFiles%\Messenger\lpk.dll %ProgramFiles%\Web Publish\lpk.dll %ProgramFiles%\Windows NT\lpk.dll %ProgramFiles%\WinPcap\lpk.dll %System%\gei33.dll	29,184 bytes	MD5: 0xE99553CDE9C5B912E302B5F003361693 SHA-1: 0x6AB711F66AA685F99A52015C405D89FF5C24C504	Trojan.Win32.Scar.glpt [Kaspersky Lab] Mal/Nitol-C [Sophos] Trojan.Win32.Patcher [Ikarus]
2	%Temp%\SOFTWARE.LOG %System%\kkwgks.exe	19,456 bytes	MD5: 0x7C31F5B0DDE1924004FB187C71728177 SHA-1: 0xB65D9F76C9F9011F0C572989FB7E2E7362383FA5	Suspicious.MH690 [Symantec] Trojan.Win32.ServStart [Ikarus] packed with UPX [Kaspersky Lab]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
kkwgks.exe	%System%\kkwgks.exe	90,112 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	90,112 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
gei33.dll	%System%\gei33.dll	Process name: kkwgks.exe Process filename: %System%\kkwgks.exe Address space: 0x3E0000 - 0x3EB000

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
stmwcysyyc	qpevikeffmznimkkasvw	"Running"	%System%\kkwgks.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STMWCYSYYC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STMWCYSYYC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STMWCYSYYC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stmwcysyyc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stmwcysyyc\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stmwcysyyc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STMWCYSYYC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STMWCYSYYC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STMWCYSYYC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stmwcysyyc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stmwcysyyc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stmwcysyyc\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STMWCYSYYC\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "stmwcysyyc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STMWCYSYYC\0000]

Service = "stmwcysyyc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "qpevikeffmznimkkasvw"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STMWCYSYYC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stmwcysyyc\Enum]

0 = "Root\LEGACY_STMWCYSYYC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stmwcysyyc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stmwcysyyc]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\kkwgks.exe"
DisplayName = "qpevikeffmznimkkasvw"
ObjectName = "LocalSystem"
Description = "srenzkycxfxtlsgypsfadpooefxzbc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STMWCYSYYC\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "stmwcysyyc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STMWCYSYYC\0000]

Service = "stmwcysyyc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "qpevikeffmznimkkasvw"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STMWCYSYYC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stmwcysyyc\Enum]

0 = "Root\LEGACY_STMWCYSYYC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stmwcysyyc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stmwcysyyc]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\kkwgks.exe"
DisplayName = "qpevikeffmznimkkasvw"
ObjectName = "LocalSystem"
Description = "srenzkycxfxtlsgypsfadpooefxzbc"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

stmwcysyyc

The following ports were open in the system:

Port	Protocol	Process
1033	TCP	kkwgks.exe (%System%\kkwgks.exe)
1034	TCP	kkwgks.exe (%System%\kkwgks.exe)

The following Host Names were requested from a host database:

192.5.5.241
kddos9.8800.org
rat2.100geili.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
kddos9.8800.org	8888
rat2.100geili.com	8000

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8888:

00000000 | 6401 0000 7700 0000 4500 6E00 6700 6C00 | d...w...E.n.g.l.
00000010 | 6900 7300 6800 2000 2800 5500 6E00 6900 | i.s.h. .(.U.n.i.
00000020 | 7400 6500 6400 2000 5300 7400 6100 7400 | t.e.d. .S.t.a.t.
00000030 | 6500 7300 2900 0000 0000 0000 0000 0000 | e.s.)...........
00000040 | 0000 0000 0000 0000 434F 4D50 5554 4552 | ........COMPUTER
00000050 | 4E41 4D45 0000 0000 0000 0000 0000 0000 | NAME............
00000060 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000070 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000080 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000090 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000A0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000B0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000C0 | 0000 0000 0000 0000 5769 6E58 5000 0000 | ........WinXP...
000000D0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000E0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000F0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000100 | 0000 0000 0000 0000 3235 3620 4D42 0000 | ........256 MB..
00000110 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000120 | 0000 0000 0000 0000 3239 3939 204D 487A | ........2999 MHz
00000130 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000140 | 0000 0000 0000 0000 39D4 C236 C8D5 0000 | ........9..6....
00000150 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000160 | 0000 0000 0200 0000 D27B 0100           | .........{..

There was an outbound traffic produced on port 8000:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.