ThreatExpert Report: Packed.Generic.233, Generic Dropper.ke, Mal/EncPk-IF, Mal/Generic-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 2 September 2009, 01:16:29
Processing time: 8 min 4 sec
Submitted sample:

File MD5: 0x8329E3F0549F76940AC4990C7383C5DB
File SHA-1: 0x226F7E6DC2D96186F1C37117EE931DAFF43121A8
Filesize: 50,176 bytes
Alias:

Packed.Generic.233 [Symantec]
Generic Dropper.ke [McAfee]
Mal/EncPk-IF [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.Agent.ZO	Adware.Agent.ZO lowers some IE security settings and downloads RogueAntiSpyware without user's permission.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\braviax.exe	11,264 bytes	MD5: 0xE4A9B23CE5BF4F414D9C807E8CD78BF8 SHA-1: 0xC52E807E9D2C21E261D5B24C57661F083D97AC8E	Packed.Generic.233 [Symantec] Generic Dropper.ke [McAfee] Mal/Generic-A [Sophos]
2	%System%\dllcache\beep.sys %System%\dllcache\figaro.sys	29,184 bytes	MD5: 0x72F2B322821A968F6D62C4198434E317 SHA-1: 0xA9340797C830EADD9504EC82B7B1F824E1004B02	Hacktool.Rootkit [Symantec] Backdoor.Win32.UltimateDefender.igv [Kaspersky Lab] FakeAlert-C.dr [McAfee] Mal/FakeAle-C [Sophos] VirTool:WinNT/Xantvi.gen!A [Microsoft] Backdoor.Win32.UltimateDefender [Ikarus]
3	[file and pathname of the sample #1]	50,176 bytes	MD5: 0x8329E3F0549F76940AC4990C7383C5DB SHA-1: 0x226F7E6DC2D96186F1C37117EE931DAFF43121A8	Packed.Generic.233 [Symantec] Generic Dropper.ke [McAfee] Mal/EncPk-IF [Sophos]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was modified:

%System%\drivers\beep.sys

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
braviax.exe	%System%\braviax.exe	49,152 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

The following Registry Key was deleted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

braviax = "%System%\braviax.exe"

so that braviax.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]

RunInvalidSignatures = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Enable Browser Extensions = "yes"
Search Bar = "http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Security Center]

AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

LowRiskFileTypes = "zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
SaveZoneInformation = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

braviax = "%System%\braviax.exe"

so that braviax.exe runs every time Windows starts

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Default_Search_URL =
Search Page =
Start Page =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

SearchAssistant =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1201 =
1804 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1201 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1201 =
1804 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1201 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1200 =
1201 =
1608 =
1804 =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]

CheckExeSignatures =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =
Search Page =

Other details

To mark the presence in the system, the following Mutex objects were created:

{432780427656663764673647663354632a}
{432780427656663764673647663354632}

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://koliopewaqs.com/j1rb0Vh9iL7fMJ0I3G2li3CQ	%System%\wisdstr.exe
http://kasonkertub.com/uB1Tt0gkK9/H7W0vtf3lTZ2pg3U	%System%\wisdstr.exe
http://tahulavumbak.com/yow1K0tO9CQf7Ct0ZEf3u2G3x	%System%\wisdstr.exe
http://afedovascevo.com/cG1cW0tTu9wE7E/0T3xZ2P3g	%System%\wisdstr.exe
http://rdafervacex.com/BOa1Qug0Slv9uHs7F0Van3Dq2t3kjC	%System%\wisdstr.exe
http://buhervadoska.com/O1CpH0Ka9XR7h0qKx3Xg2Pgv3dH	%System%\wisdstr.exe
http://lionglervoa.com/jyU1J0Kx9VuN7VQ0q3sW2f3l	%System%\wisdstr.exe
http://elxolionave.com/l/1pz0BBE9Z7Ol0jNy3oNj2R3MbZ	%System%\wisdstr.exe
http://nuliborkawer.com/Zj1AnI0Nu9nFL7Fo0s/3UUb2VGN3Ba	%System%\wisdstr.exe

A system request is initiated to shut down and then restart the system.

Downloaded File Summary:

Download details:

Download retrieved: 2 September 2009 01:24:33
Processing time: 7 min 23 sec
Downloaded sample:

File MD5: 0x028E0AB8E9AF7D9D4B350BE552ED1AAD
File SHA-1: 0xB9D9B70463098E39B1E843BB1B6B582C5DF9D3B7
Filesize: 191,159 bytes
Alias:

Trojan.Win32.FraudPack.rcj [Kaspersky Lab]
FakeAlert-XPSecCenter [McAfee]
TrojanDownloader:Win32/FakeRean [Microsoft]
Trojan-Downloader.Win32.FakeRean [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	191,159 bytes	MD5: 0x028E0AB8E9AF7D9D4B350BE552ED1AAD SHA-1: 0xB9D9B70463098E39B1E843BB1B6B582C5DF9D3B7	Trojan.Win32.FraudPack.rcj [Kaspersky Lab] FakeAlert-XPSecCenter [McAfee] TrojanDownloader:Win32/FakeRean [Microsoft] Trojan-Downloader.Win32.FakeRean [Ikarus]

The following directory was created:

%ProgramFiles%\PC_Antispyware2010

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Other details

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://uiskddcuiretog.com/files/pca21/(1).(t)	%Temp%\tmpwr2
http://uiskddcuiretog.com/files/(AVE).(t)	%Temp%\tmpwr3
http://uiskddcuiretog.com/files/(Add).(t)	%Temp%\tmpwr4
http://uiskddcuiretog.com/files/pca21/(GUI).(t)	%Temp%\tmpwr5
http://uiskddcuiretog.com/files/(SC).(t)	%Temp%\tmpwr6
http://uiskddcuiretog.com/files/(Upd).(t)	%Temp%\tmpwr7

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Downloaded File Summary (Generation #2):

Download details:

Download retrieved: 2 September 2009 01:31:56
Processing time: 6 min 14 sec
Downloaded sample #1:

File MD5: 0xA2FFDA303D57537F723444B67169BADD
File SHA-1: 0x750C1A57FDEBDE5002F3640252445B2DA34A6A30
Filesize: 580,212 bytes

Downloaded sample #2:

File MD5: 0xC4DA69DA4B6621A9A6BF32BAB9D447EF
File SHA-1: 0x96E98629A19C0DBADBC1A808E032E46367829DF7
Filesize: 265,332 bytes

Downloaded sample #3:

File MD5: 0xF2BAF71285FFB06EB36414CD3DAD6FA6
File SHA-1: 0xEF106F40748A1115E166FA05C9843718878B4EDC
Filesize: 452,100 bytes

Downloaded sample #4:

File MD5: 0x7DE2F0DC2D313FE1B875F35D97E442D0
File SHA-1: 0x5622A01673E2DFB5167C57CA9AE6EA31FC469755
Filesize: 665,956 bytes

Downloaded sample #5:

File MD5: 0xE1BE838E4A06D9F1EDFC0F06CC798555
File SHA-1: 0x84BFF5A35EB963D6D00B2C7797CF473DFC2462F7
Filesize: 179,988 bytes

Downloaded sample #6:

File MD5: 0xBAA86A04A5FBBAE76D09A8431E772D8B
File SHA-1: 0x2B8904DF6AA39318622A813F5F4142322C537534
Filesize: 1,088,644 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	580,212 bytes	MD5: 0xA2FFDA303D57537F723444B67169BADD SHA-1: 0x750C1A57FDEBDE5002F3640252445B2DA34A6A30
2	[file and pathname of the sample #2]	265,332 bytes	MD5: 0xC4DA69DA4B6621A9A6BF32BAB9D447EF SHA-1: 0x96E98629A19C0DBADBC1A808E032E46367829DF7
3	[file and pathname of the sample #3]	452,100 bytes	MD5: 0xF2BAF71285FFB06EB36414CD3DAD6FA6 SHA-1: 0xEF106F40748A1115E166FA05C9843718878B4EDC
4	[file and pathname of the sample #4]	665,956 bytes	MD5: 0x7DE2F0DC2D313FE1B875F35D97E442D0 SHA-1: 0x5622A01673E2DFB5167C57CA9AE6EA31FC469755
5	[file and pathname of the sample #5]	179,988 bytes	MD5: 0xE1BE838E4A06D9F1EDFC0F06CC798555 SHA-1: 0x84BFF5A35EB963D6D00B2C7797CF473DFC2462F7
6	[file and pathname of the sample #6]	1,088,644 bytes	MD5: 0xBAA86A04A5FBBAE76D09A8431E772D8B SHA-1: 0x2B8904DF6AA39318622A813F5F4142322C537534

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.