ThreatExpert Report: Backdoor.ForBot.DL

Submission Summary:

Submission details:

Submission received: 25 May 2008, 20:12:45
Processing time: 4 min 12 sec
Submitted sample:

File MD5: 0x86FC177B659818225BDC77E83DF4D341
File SHA-1: 0x2E6F2995F426E33C8E8C205F6608222EFCAFE928
Filesize: 851,643 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Programs%\MP3 CD Extractor\MP3 CD Extractor.lnk	778 bytes	MD5: 0xF15C0B1121CB828B7E60B0B37E0442A1 SHA-1: 0x4B194D5C50A5F73472D69D267865B1F180415436	(not available)
2	%ProgramFiles%\MP3 CD Extractor\CD-Extractor.exe	437,248 bytes	MD5: 0x01D5BEE1D54CB91CE180948EFEDE528F SHA-1: 0x7C74C08ED735F2D7E14C6C6A98C8193EDAEFEF0C	(not available)
3	%ProgramFiles%\MP3 CD Extractor\CDRIP.DLL	47,616 bytes	MD5: 0xE929CDFBDDE6DD986596E9F4F9733294 SHA-1: 0x770DD254293EEDB70F917994FD57417B484B6E75	(not available)
4	%ProgramFiles%\MP3 CD Extractor\lame_enc.dll	86,528 bytes	MD5: 0xD42BC80159CC84CABE5C3C9908A616E0 SHA-1: 0x36E84ABACE7CFF33E6A2C82C5AAE1E125F35551C	(not available)
5	%ProgramFiles%\MP3 CD Extractor\setup.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
6	%ProgramFiles%\MP3 CD Extractor\uninst.exe	44,941 bytes	MD5: 0x8FBAEA96ACFD16B4A443F8E75491D1F6 SHA-1: 0x54B7D6BF97F2B1CF2F3B42F2BFB1C4558AD97D84	(not available)
7	%ProgramFiles%\MP3 CD Extractor\Version.dat	186 bytes	MD5: 0x0AEA065E3066883E5288088B8DFE5636 SHA-1: 0x159E2326410E2466A9C7113B948708C8EF7F4409	(not available)
8	%ProgramFiles%\MP3 CD Extractor\wnaspi32.dll	71,680 bytes	MD5: 0xEFA8D1581864BC30953094896389BCF0 SHA-1: 0x2868580F7A2B2D78C8196FF474B761E0AE53C3F1	(not available)
9	%System%\drivers\npf.sys	32,512 bytes	MD5: 0xD21FEE8DB254BA762656878168AC1DB6 SHA-1: 0xA394B1BC33A3C678E4B6B3C55373468E6AFA7B28	(not available)
10	%System%\mce.dat	36 bytes	MD5: 0x9BDA9FBAD83EAB7C10F654A6A1BC6CAD SHA-1: 0xC6B411153EB85612143AE356A715BB4AE938808A	(not available)
11	%System%\Packet.dll	29,696 bytes	MD5: 0x71E5C7D492E1F7869DFD1A4E1FA0D773 SHA-1: 0x46BF69AE847924FB99CB227A906A93BA9D174BC9	(not available)
12	%System%\pthreadVC.dll	14,336 bytes	MD5: 0x034CEE072ED16D475ADBB068661EFFFA SHA-1: 0x8281B734C64D2E6301B7DD6C4902B461781181E6	(not available)
13	[file and pathname of the sample #1]	851,643 bytes	MD5: 0x86FC177B659818225BDC77E83DF4D341 SHA-1: 0x2E6F2995F426E33C8E8C205F6608222EFCAFE928	(not available)
14	%System%\WanPacket.dll	24,064 bytes	MD5: 0x53D930455521886F60925C9272201FBA SHA-1: 0x828D8D96A3A252278575D807B3560D92670149D8	Backdoor.ForBot.DL [PCTools]
15	%System%\wpcap.dll	93,696 bytes	MD5: 0x1D5E0EA381A37DEDF5549D2B6387B75C SHA-1: 0xA97918DECD2496DA63410B66CA2DE9721191D072	(not available)

Notes:

%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%Programs%\MP3 CD Extractor
%ProgramFiles%\MP3 CD Extractor

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	249,856 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
wpcap.dll	%System%\wpcap.dll	Process name: CD-Extractor.exe Process filename: %ProgramFiles%\mp3 cd extractor\cd-extractor.exe Address space: 0x1360000 - 0x13A5000
packet.dll	%System%\packet.dll	Process name: CD-Extractor.exe Process filename: %ProgramFiles%\mp3 cd extractor\cd-extractor.exe Address space: 0xF50000 - 0xF68000
WanPacket.dll	%System%\WanPacket.dll	Process name: CD-Extractor.exe Process filename: %ProgramFiles%\mp3 cd extractor\cd-extractor.exe Address space: 0xFC0000 - 0xFD3000

There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
Netgroup Packet Filter	%System%\Drivers\npf.sys

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MP3 CD Extractor
HKEY_LOCAL_MACHINE\SOFTWARE\mce
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

MCE = ""%ProgramFiles%\mp3 cd extractor\setup.exe" /S"

so that setup.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MP3 CD Extractor]

DisplayName = "MP3 CD Extractor "
UninstallString = "%ProgramFiles%\MP3 CD Extractor\uninst.exe"
(Default) = "%ProgramFiles%\MP3 CD Extractor"
DisplayIcon = "%ProgramFiles%\MP3 CD Extractor\CD-Extractor.exe"
DisplayVersion = ""
URLInfoAbout = ""
Publisher = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\mce]

key = "0007-0001-07D8-000F-000F-0000-03B9"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "NPF"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000]

Service = "NPF"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Netgroup Packet Filter"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF\Enum]

0 = "Root\LEGACY_NPF\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\Drivers\npf.sys"
DisplayName = "Netgroup Packet Filter"
TimestampMode = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "NPF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000]

Service = "NPF"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Netgroup Packet Filter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Enum]

0 = "Root\LEGACY_NPF\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%System%\Drivers\npf.sys"
DisplayName = "Netgroup Packet Filter"
TimestampMode = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

MP3 CD Extractor = ""%ProgramFiles%\MP3 CD Extractor\CD-Extractor.exe" hmw"

so that CD-Extractor.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex object was created:

mp3cdextractor

The following Host Name was requested from a host database:

mp3-cd-extractor.ivefound.com

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.