ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 1 August 2008, 07:14:19
Processing time: 3 min 32 sec
Submitted sample:

File MD5: 0x889A039D80CA35E67A2A6C1FC7F94CAB
File SHA-1: 0x6AE4EE826E36E026E04BB9B6394F581E793C897C
Filesize: 1,245,209 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\.#\MBX@398@AB3218.###	2,048 bytes	MD5: 0xBDCE888E4AD3AA21948ABA61D7B94A95 SHA-1: 0x23A7DDD9D1CE8D6239D3D2880023671B90674A09
2	%AppData%\.#\MBX@6EC@AB3218.###	2,048 bytes	MD5: 0xF93925CE085DD571348463DD1BAD4771 SHA-1: 0xA39754E22B80D0F68CA5B1D284B7039A405753B8
3	%AppData%\Vista Start Menu\error.log	3,364 bytes	MD5: 0x97451223236B8F0C14D0A536CCC40664 SHA-1: 0xEB7BCF9155A49FEAC3FFDCCFFAAB9188E98AA355
4	%AppData%\Vista Start Menu\file.idx	224 bytes	MD5: 0x43FEB4AC83E78431CB6AB0CA0897093F SHA-1: 0xA19D177D87D12C3DDC5820F7A20DA64368BD97CF
5	%AppData%\Vista Start Menu\file.log	36,120 bytes	MD5: 0xB12555F223E2C21BE10ED320F813EBF6 SHA-1: 0x50547D39EF37106721B27721168B64C8175674D5
6	%AppData%\Vista Start Menu\FolderOptions_0.txt	472 bytes	MD5: 0xD598129282CE8804F6F8CB3AC42718D7 SHA-1: 0xB3796AAACD3D51673305554CCF111DE5B2CB7BD5
7	%AppData%\Vista Start Menu\FoldersList.txt	140 bytes	MD5: 0xF241C554DC50B22292E23C6502AE42C3 SHA-1: 0x7D68C796EB9F095C4FC166D76B12BE579FE1199A
8	[file and pathname of the sample #1]	1,245,209 bytes	MD5: 0x889A039D80CA35E67A2A6C1FC7F94CAB SHA-1: 0x6AE4EE826E36E026E04BB9B6394F581E793C897C

Note:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directories were created:

%AppData%\.#
%AppData%\Vista Start Menu

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	2,437,120 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
MBX@398@AB3218.###	%AppData%\.#\MBX@398@AB3218.###	Process name: [filename of the sample #1] Process filename: [file and pathname of the sample #1] Address space: 0xE30000 - 0xE3E000
MBX@6EC@AB3218.###	%AppData%\.#\MBX@6EC@AB3218.###	Process name: [filename of the sample #1] Process filename: [file and pathname of the sample #1] Address space: 0xE30000 - 0xE3E000

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Ordinarysoft
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\640x480
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0\1
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0\2
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\1
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\1\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\2
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\2\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\3
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\3\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\4
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\4\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\5
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\5\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\6
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\6\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\7
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\7\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\8
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\8\0
HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Shortcut

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

VistaStartMenu = ""[file and pathname of the sample #1]""

so that [file and pathname of the sample #1] runs every time Windows starts

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0\2]

TabName = "Autorun"
PathCount = 0x00000002
ExcludePathCount = 0x00000000
CSIDL0 = 0x00000007
CSIDL1 = 0x00000018

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0\1]

TabName = "Quick Start"
PathCount = 0x00000002
ExcludePathCount = 0x00000002
CSIDL0 = 0x0000000B
CSIDL1 = 0x00000016
ExcludeCSIDL0 = 0x00000002
ExcludeCSIDL1 = 0x00000017

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0\0]

TabName = "All Programs"
PathCount = 0x00000002
ExcludePathCount = 0x00000002
CSIDL0 = 0x00000002
CSIDL1 = 0x00000017
ExcludeCSIDL0 = 0x00000007
ExcludeCSIDL1 = 0x00000018

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\1\0]

TabName = "My Documents"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
CSIDL0 = 0x00000005

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\2\0]

TabName = "My Pictures"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
CSIDL0 = 0x00000027

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\3\0]

TabName = "My Music"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
CSIDL0 = 0x0000000D

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\4\0]

TabName = "Control Panel"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
CSIDL0 = 0x00000003

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\5\0]

TabName = "My Computer"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
CSIDL0 = 0x00000011

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\6\0]

TabName = "windows update"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
Path0 = "%CommonStartMenu%\windows update.lnk"

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\7\0]

TabName = "windows catalog"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
Path0 = "%CommonStartMenu%\windows catalog.lnk"

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\8\0]

TabName = "set program access and defaults"
PathCount = 0x00000001
ExcludePathCount = 0x00000000
Path0 = "%CommonStartMenu%\set program access and defaults.lnk"

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\8]

CSIDL = 0xFFFFFFFF
Path = "%CommonStartMenu%\set program access and defaults.lnk"
MenuName = "set program access and defaults"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\7]

CSIDL = 0xFFFFFFFF
Path = "%CommonStartMenu%\windows catalog.lnk"
MenuName = "windows catalog"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\6]

CSIDL = 0xFFFFFFFF
Path = "%CommonStartMenu%\windows update.lnk"
MenuName = "windows update"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\5]

CSIDL = 0x00000011
MenuName = "My Computer"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\4]

CSIDL = 0x00000003
MenuName = "Control Panel"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\3]

CSIDL = 0x0000000D
MenuName = "My Music"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\2]

CSIDL = 0x00000027
MenuName = "My Pictures"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\1]

CSIDL = 0x00000005
MenuName = "My Documents"
TabsCount = 0x00000001

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Environment\0]

CSIDL = 0x00000002
MenuName = "Programs"
TabsCount = 0x00000003

[HKEY_CURRENT_USER\Software\Ordinarysoft\Vista Start Menu SE\Shortcut]

sca_ChangeUser = "F4"
sca_LogOff = "F5"
sca_Reboot = "F6"
sca_StandBy = "F7"
sca_PowerOff = "F8"
sca_Hibernate = "F9"
sca_Undock = "F10"
sca_PowerControl = "F11"
sca_PowerTimer = "F12"
sca_MenuAdd = "Ctrl+2"
sca_MenuDelete = "Ctrl+3"
sca_MenuRun = "Ctrl+4"
sca_Bookmarks = "Ctrl+1"
sca_Options = "F2"
sca_User = "F3"
sca_EnlargeScale = "Ctrl+Num +"
sca_ReduceScale = "Ctrl+Num -"
sca_ResetScale = "Ctrl+Num *"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Germany
	Russian Federation

To mark the presence in the system, the following Mutex object was created:

sample_1.exe

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.vistastartmenu.com	80	(null)	(null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.