ThreatExpert Report: Trojan.Dropper, Generic StartPage!l, Mal/Generic-A, Trojan:Win32/Meredrop..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 August 2009, 21:25:22
Processing time: 8 min 33 sec
Submitted sample:

File MD5: 0x85EB9B8F35BF328CAC83499DD08FCFCD
File SHA-1: 0xE0CF71B2B0A4246EE2B811DD484D81F0F1EDBBF8
Filesize: 6,656 bytes
Alias & packer info:

Trojan.Dropper [Symantec]
Generic StartPage!l [McAfee]
Mal/Generic-A [Sophos]
Trojan:Win32/Meredrop [Microsoft]
Generic.XPL.ADODB [Ikarus]
VBS/Runner.8192 [AhnLab]
packed with: WScript [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\internet.vbs	1,610 bytes	MD5: 0x38ABEBAC6BC21B73DCF47A40915EB2D5 SHA-1: 0x0C049F3BFDD92271528C3F562EDB926955CBD575	HTML.Psyme.Gen [PCTools] VBS/Psyme [McAfee] VBS_SMALL.IHE [Trend Micro]
2	[file and pathname of the sample #1]	6,656 bytes	MD5: 0x85EB9B8F35BF328CAC83499DD08FCFCD SHA-1: 0xE0CF71B2B0A4246EE2B811DD484D81F0F1EDBBF8	Trojan.Dropper [Symantec] Generic StartPage!l [McAfee] Mal/Generic-A [Sophos] Trojan:Win32/Meredrop [Microsoft] Generic.XPL.ADODB [Ikarus] VBS/Runner.8192 [AhnLab] packed with WScript [Kaspersky Lab]
3	%Windir%\Temp\00004.exe %Windir%\Temp\00005.exe %Windir%\Temp\00006.exe %Windir%\Temp\00007.exe %Windir%\Temp\00008.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
4	%Windir%\Temp\scsC.tmp %Windir%\Temp\scsD.tmp %Windir%\Temp\scsE.tmp	2,686 bytes	MD5: 0x4A587187D760161311010B03417B3C3F SHA-1: 0x863BBF5F7F4114A1307C6BAD5DD89224D511FED5	(not available)
5	%Windir%\Temp\scsF.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	12,288 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.procto.cn	80	(null)	(null)

The following GET requests were made:

xz/00004.exe
dll/00005.exe
xz/00006.exe
xz/00007.exe
xz/00008.exe

Downloaded File Summary:

Download details:

Download retrieved: 20 August 2009 21:33:56
Processing time: 7 min 12 sec
Downloaded sample #1:

File MD5: 0xD95898AECA7F04DC6B70AE96EB5D7F60
File SHA-1: 0xC6E819E96E9DA8C9F665F0150966473EDC795E94
Filesize: 71,604 bytes

Downloaded sample #2:

File MD5: 0x2F2F4BD15CE7B365F8C0FF88212C0618
File SHA-1: 0xFE4E58041E0651494ED08DCEE32B7384E56F968C
Filesize: 196,932 bytes
Alias & packer info:

W32.Induc.A [Symantec]
Virus.Win32.Induc.a [Kaspersky Lab]
W32/Induc-A [Sophos]
Trojan.Win32.Agent [Ikarus]
packed with: UPX [Kaspersky Lab]

Downloaded sample #3:

File MD5: 0xF2D95064A84B85F7DA015B82A7F7DC8A
File SHA-1: 0xA9C6A4BA5D0E175416981F4C8DD2CD7678359C7F
Filesize: 3,584 bytes
Alias & packer info:

Generic StartPage!f [McAfee]
Mal/Generic-A [Sophos]
Win32.SuspectCrc [Ikarus]
VBS/Runner.8192 [AhnLab]
packed with: WScript [Kaspersky Lab]

Downloaded sample #4:

File MD5: 0x70520C8FE94251B433FBC7655FCB7D74
File SHA-1: 0x06AF992A9D14EEE88D415B0B5A639F54ACB64D95
Filesize: 29,245 bytes
Alias & packer info:

Trojan-PWS.OnlineGames.AHRG [PCTools]
Downloader [Symantec]
Trojan-Downloader.Win32.VB.oyy [Kaspersky Lab]
Mal/Packer [Sophos]
HackTool.Win32.PHPWind [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
packed with: FSG [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-PWS.OnlineGames.AHRG	Trojan-PWS.OnlineGames.AHRG attempts to steal password information associated to various online games.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\[filename of the sample #4] [file and pathname of the sample #4]	29,245 bytes	MD5: 0x70520C8FE94251B433FBC7655FCB7D74 SHA-1: 0x06AF992A9D14EEE88D415B0B5A639F54ACB64D95	Trojan-PWS.OnlineGames.AHRG [PCTools] Downloader [Symantec] Trojan-Downloader.Win32.VB.oyy [Kaspersky Lab] Mal/Packer [Sophos] HackTool.Win32.PHPWind [Ikarus] Win-Trojan/Xema.variant [AhnLab] packed with FSG [Kaspersky Lab]
2	%ProgramFiles%\vstart.exe	57,344 bytes	MD5: 0xD9C704FD6F42AFD16B224DC25D15DE42 SHA-1: 0x6A638E2DD4F42C1472960352D03C3D470A9E9C86	Trojan Horse [Symantec] Trojan-Downloader.Win32.VB.pma [Kaspersky Lab] Downloader-BRB.gen [McAfee] Mal/Emogen-H, Mal/Emogen-F [Sophos] HackTool.Win32.PHPWind [Ikarus] Win-Trojan/Xema.variant [AhnLab]
3	%System%\2003.bat	108 bytes	MD5: 0x9B55BB88CEC77220F15A2C234A55F96C SHA-1: 0xE9D1454901A695C5F4D8E44B6307F4A1106217AD	(not available)
4	[file and pathname of the sample #1]	71,604 bytes	MD5: 0xD95898AECA7F04DC6B70AE96EB5D7F60 SHA-1: 0xC6E819E96E9DA8C9F665F0150966473EDC795E94	(not available)
5	[file and pathname of the sample #2]	196,932 bytes	MD5: 0x2F2F4BD15CE7B365F8C0FF88212C0618 SHA-1: 0xFE4E58041E0651494ED08DCEE32B7384E56F968C	W32.Induc.A [Symantec] Virus.Win32.Induc.a [Kaspersky Lab] W32/Induc-A [Sophos] Trojan.Win32.Agent [Ikarus] packed with UPX [Kaspersky Lab]
6	[file and pathname of the sample #3]	3,584 bytes	MD5: 0xF2D95064A84B85F7DA015B82A7F7DC8A SHA-1: 0xA9C6A4BA5D0E175416981F4C8DD2CD7678359C7F	Generic StartPage!f [McAfee] Mal/Generic-A [Sophos] Win32.SuspectCrc [Ikarus] VBS/Runner.8192 [AhnLab] packed with WScript [Kaspersky Lab]
7	%System%\stimon.pif	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
8	%System%\up2039.bat	198 bytes	MD5: 0x336EBCF7E419A6153E55670EDD7A2413 SHA-1: 0x1478466AF218591797B4208FC653977C43198C2B	(not available)

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was deleted:

%System%\stclient.dll

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #4]	%ProgramFiles%\[filename of the sample #4]	135,168 bytes
vstart.exe	%ProgramFiles%\vstart.exe	61,440 bytes
[filename of the sample #4]	[file and pathname of the sample #4]	135,168 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	12,288 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	532,480 bytes
stimon.pif	%System%\stimon.pif	73,728 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	245,760 bytes
[generic host process]	[generic host process filename]	45,056 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}]

StubPath = "%System%\stimon.pif"

so that stimon.pif runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]

Trace Level = ""

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Russian Federation

To mark the presence in the system, the following Mutex objects were created:

DTEssF_ST_Mssutex
CK_Jump_EXE_Mazi
_install_dl
DesktopCleanupMutex

The following Host Name was requested from a host database:

ckc01.hdhdv.cn

The following HTTP URLs were started reading:

http://ckc01.hdhdv.cn/getVer.asp?mstr=cj080501-A47014B09DEC2C3C6FCCF840B5A89840
http://ckc01.hdhdv.cn/getupdate.asp?f=dd
http://ckc01.hdhdv.cn/getupdate.asp?f=ee
http://download.leeboo.com/leeboo11_740.exe|http://download.jieku.com/pipi/pipi_215_6890.exe|http://down.kuwo.cn/mbox/ab2/kwun/2/music_kwun2383.exe

The data identified by the following URL was then requested from the remote web server:

http://www.procto.cn/cpa.txt

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\stclient.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.