ThreatExpert Report: Mal/FakeAV-BG, Trojan.Crypt, Trojan.Script, HTML/Xema

Submission Summary:

Submission details:

Submission received: 5 October 2009, 20:15:53
Processing time: 9 min 54 sec
Submitted sample:

File MD5: 0x86201292CB9697A72FAFDBE12E3F0501
File SHA-1: 0x52C812356F473F4F91337DA7B5173B1EA10BD73C
Filesize: 2,977,829 bytes
Alias: Mal/FakeAV-BG [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.AntiVirusPro	RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\svchast.exe	429,568 bytes	MD5: 0xC2F5002B18E94A267FCC31C6805CDB10 SHA-1: 0x21F5C4222174D43C7A97F04C11CC7DD50FA12A04	Trojan.Crypt [Ikarus] packed with Execryptor [Kaspersky Lab]
2	%System%\dbsinit.exe	131,731 bytes	MD5: 0xB731A85AADEC7C07DDD2A33B6336C758 SHA-1: 0xFA9BA97824DAA4DDD00F33DE62522541FB137A2B	Trojan.Script [Ikarus]
3	%System%\images\i1.gif	1,744 bytes	MD5: 0xD76AA095C7BBBB776A7A23265B225A3D SHA-1: 0xB8D5258344350310A51EB9C4711685F05CD0A61D	(not available)
4	%System%\images\i2.gif	1,663 bytes	MD5: 0xA4B546FF96E833A78B4668CE192B4CC3 SHA-1: 0x94BB99076B4296DF34C05B992359DBC40BF89202	(not available)
5	%System%\images\i3.gif	1,689 bytes	MD5: 0x8598B9748C737242B50D91FEA4DFA9F0 SHA-1: 0xC508FAA5954117C4CFF454A64B00F316B3D63B44	(not available)
6	%System%\images\j1.gif	3,957 bytes	MD5: 0x99F9F01323DD47FA2FF9C46164364C9A SHA-1: 0xE8DEC6E590B414CA7E7C64C2FE9A9408A928FF87	(not available)
7	%System%\images\j2.gif	47 bytes	MD5: 0x70902CEDFDE493658E47E1D60155F5C3 SHA-1: 0x0099B30D2B40784640F6DC472D26F43980D1AC0A	(not available)
8	%System%\images\j3.gif	3,857 bytes	MD5: 0xC0E3C3F95973FBDFC3D7C5B4C16B2988 SHA-1: 0x24BC72F11E72529F33C398F671613928FF039F81	(not available)
9	%System%\images\jj1.gif	114 bytes	MD5: 0x6EAF773C60E233E4A27AC99A2491DFE6 SHA-1: 0x0F90F6217280912166A887A2ACD42AB3BD22F9BA	(not available)
10	%System%\images\jj2.gif	48 bytes	MD5: 0x745975524FEA29121ED5F4BB9E422AB5 SHA-1: 0x351400F4BE06A1EAE071258CAC9A663502193155	(not available)
11	%System%\images\jj3.gif	105 bytes	MD5: 0x09C210A0A41489B3A9E1B9117AA5686E SHA-1: 0xAE92400BC35213D54AE2ED98DF79AA0F3936E0F9	(not available)
12	%System%\images\l1.gif	3,749 bytes	MD5: 0x94AB0618D502DAF24BED9450B9BCAA38 SHA-1: 0x101AF6F573EA588DF70CA11B341E2D996DA49AE1	(not available)
13	%System%\images\l2.gif	92 bytes	MD5: 0x77FE12E4807D1ABFE9E998629615F1B0 SHA-1: 0x620E56E7ED10315A121E3D99ADB1209962741D57	(not available)
14	%System%\images\l3.gif	468 bytes	MD5: 0x015D02E2256EBF1DE10DF7391F208480 SHA-1: 0x7AAA65837F50D3B148BC06088DD09C866D26B33B	(not available)
15	%System%\images\pix.gif	70 bytes	MD5: 0xF7EB3F820EDD7F05BBAE8021B7A7C3DE SHA-1: 0x25BD83866C2A9BD7BC61D26ED6FC7BB58DBB43E9	(not available)
16	%System%\images\t1.gif	621 bytes	MD5: 0x11B91A9A65AD3BB030EC3D9CE07B3862 SHA-1: 0x1F5A36BEC18AA94ED1139F68F35DED63746D6B88	(not available)
17	%System%\images\t2.gif	1,015 bytes	MD5: 0x4E629E426C553631ED38B4363F41F824 SHA-1: 0x417C9395F9E32CF7D573EC1FEC2B227EA2E49719	(not available)
18	%System%\images\up1.gif	5,568 bytes	MD5: 0xB38868B01AF72AED2F144EC5BAB8F083 SHA-1: 0x5997AD30CA267D0CEAD151EE141EAE6ED8044A7C	(not available)
19	%System%\images\up2.gif	696 bytes	MD5: 0xE04D135D8F5074E1767274FB19140BA3 SHA-1: 0x3EAF2BA8A6D76FF72B88A57044A7CA1367D3A0D8	(not available)
20	%System%\images\w1.gif	3,028 bytes	MD5: 0xE67BB1DDC5B8991F9F45FEFE787424AF SHA-1: 0x48B2F386A7F8E0BBF766FD08AAEBEFA412CEE4BF	(not available)
21	%System%\images\w11.gif	3,431 bytes	MD5: 0x7B2345EBF342EFA04D9B005ACB354D6C SHA-1: 0x6B4F0669A780C45BB2D278F3BC84A30CB3E061CB	(not available)
22	%System%\images\w2.gif	47 bytes	MD5: 0x54C6502B2880E2C28CABFCE05BC054D6 SHA-1: 0x7D3E49A8E223E5A0AEA814DF7D2CE9920574C2E5	(not available)
23	%System%\images\w3.gif	3,430 bytes	MD5: 0x2669A2DA46C8F727F3802D8889F5F8C3 SHA-1: 0xDE6B3B91BAEBF5E6AC222183881654484FDC7F78	(not available)
24	%System%\images\w3.jpg	1,912 bytes	MD5: 0x71F0FAE3427D661C2B5DD27148A2112E SHA-1: 0xE886E18BF7516FD59B66339F6C73D8BE817D85D6	(not available)
25	%System%\images\wt1.gif	176 bytes	MD5: 0x1C76CE328401D00D96FD495215609D91 SHA-1: 0x561D8C1E9960FDDFAA55F8E22624FD069731C519	(not available)
26	%System%\images\wt2.gif	51 bytes	MD5: 0x78C728CCF262A6C7FDDD35B138DC1381 SHA-1: 0x5F51DAE174CF14C20C1112111F52F3867041D4E8	(not available)
27	%System%\images\wt3.gif	119 bytes	MD5: 0x3946582DD142022BF90BAB9190B7FCB2 SHA-1: 0x16C9F00145D9EA95E0544BB1CDF9B191BC2714F4	(not available)
28	%System%\msvcm80.dll	479,232 bytes	MD5: 0xCDCC63E967D64ECE3729246720AF4FCC SHA-1: 0x856ABCCDACD3B0C78A57158505AE9B9EFE2110EC	(not available)
29	%System%\msvcp80.dll	548,864 bytes	MD5: 0x2BC650257FB0867ABD54FD460EC2BAFC SHA-1: 0xEC063526AA14BCADEEFFA6D859B39A80680015B7	(not available)
30	%System%\msvcr80.dll	626,688 bytes	MD5: 0x16D7DDF3B659F7CF1CB9F4DCFF4219F0 SHA-1: 0xA61454131940799F01C26943F1594EE6E7409D11	(not available)
31	%System%\nuar.old	9 bytes	MD5: 0x5EC83D5A5A3248AC8CE878496B1E15AE SHA-1: 0x4E52CA534692C985580038C38DDF78A3221D5F7D	(not available)
32	%System%\plugie.dll	653,824 bytes	MD5: 0xE7BAF6DD61D9032A51322F21CD05F172 SHA-1: 0xAA2C3C932309C82218BF02CC7C892C8CDBC52BAA	packed with Execryptor [Kaspersky Lab]
33	%System%\pump.exe	539,648 bytes	MD5: 0x627AB2B02A5B161BDECE59EBABE49003 SHA-1: 0x1A4B909E5FC24ED3AA6070BEA02B4DB66051D0C6	(not available)
34	[file and pathname of the sample #1]	2,977,829 bytes	MD5: 0x86201292CB9697A72FAFDBE12E3F0501 SHA-1: 0x52C812356F473F4F91337DA7B5173B1EA10BD73C	Mal/FakeAV-BG [Sophos]
35	%System%\skynet.dat	36 bytes	MD5: 0x61211AF1F8C45D7B64DD23BD590BB270 SHA-1: 0x7F8647CE01D2655BA26210614D70CDF6393C2AD9	(not available)
36	%System%\windows Police Pro.exe	9,458,688 bytes	MD5: 0x8DEFB3E1F5596F185A07AA2EB17CA0CD SHA-1: 0xAD39C2814AB03C1A4EFFB6E2D5024BD4092F37B7	packed with PE_Patch [Kaspersky Lab]
37	%System%\wispex.html	8,551 bytes	MD5: 0x4DBD2D35AFE87A4D8D81E17624E34A8D SHA-1: 0xEF5965853D375179F9FE4F711CAEE29F175FCCDE	HTML/Xema [AhnLab]
38	%Windir%\wf3.dat	2 bytes	MD5: 0xC4103F122D27677C9DB144CAE1394A66 SHA-1: 0x1489F923C4DCA729178B3E3233458550D8DDDF29	(not available)
39	%Windir%\wf4.dat	42 bytes	MD5: 0xC183857770364B05C2011BDEBB914ED3 SHA-1: 0x040E5AC904DE86328CCA053A15596E118FC5DA24	(not available)

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\images

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
windows Police Pro.exe	%System%\windows police pro.exe	8,192 bytes
svchast.exe	%Windir%\svchast.exe	8,192 bytes
pump.exe	%System%\pump.exe	8,192 bytes
dbsinit.exe	%System%\dbsinit.exe	151,552 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	151,552 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
AntiPol	AntiPol	"Running"	%Windir%\svchast.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0B63-1535-4ba9-8BE8-D59EB676FA02}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0B63-1535-4ba9-8BE8-D59EB676FA02}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0B63-1535-4ba9-8BE8-D59EB676FA02}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPOL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPOL\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPOL\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiPol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiPol\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiPol\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPOL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPOL\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPOL\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiPol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiPol\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiPol\Enum
HKEY_CURRENT_USER\Software\Softimer
HKEY_CURRENT_USER\Software\Windows Police Pro
HKEY_CURRENT_USER\Software\Windows Police Pro\windows police pro
HKEY_CURRENT_USER\Software\Windows Police Pro\windows police pro\Registration
HKEY_CURRENT_USER\Software\Windows Police Pro\windows police pro\setdata

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0B63-1535-4ba9-8BE8-D59EB676FA02}\InprocServer32]

(Default) = "%System%\plugie.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77DC0B63-1535-4ba9-8BE8-D59EB676FA02}]

(Default) = "ICQSys (IE PlugIn)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPOL\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "AntiPol"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPOL\0000]

Service = "AntiPol"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "AntiPol"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPOL]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiPol\Enum]

0 = "Root\LEGACY_ANTIPOL\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiPol\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiPol]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\svchast.exe"
DisplayName = "AntiPol"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPOL\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "AntiPol"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPOL\0000]

Service = "AntiPol"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "AntiPol"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPOL]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiPol\Enum]

0 = "Root\LEGACY_ANTIPOL\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiPol\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiPol]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\svchast.exe"
DisplayName = "AntiPol"
ObjectName = "LocalSystem"

[HKEY_CURRENT_USER\Software\Softimer]

sysEth0 = 0x00000AA0

[HKEY_CURRENT_USER\Software\Windows Police Pro\windows police pro\setdata]

scantime = "5.10.2009 20:19:5"
scncnt = 0x00000001

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Ukraine

To mark the presence in the system, the following Mutex objects were created:

_stdioerr_
__system64_x_ntfs
_!SHMSFTHISTORY!_

The following port was open in the system:

Port	Protocol	Process
1041	UDP	windows police pro.exe (%System%\windows police pro.exe)

The following Host Names were requested from a host database:

core2720.letsworknowx.com
time.windows.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
time.windows.com	1037
time.windows.com	1040

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
jn2720.paybyccnowx.com	80	(null)	(null)
ï¿½	80	ï¿½	ï¿½

The following GET requests were made:

signup.cgi?ver=3&aff=2720
index.jpg

The following HTTP URL was started reading:

http://core2720.letsworknowx.com/stat/action3.cgi?p=3&a=2720

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.