Submission Summary:

• Submission details:
• Submission received: 4 November 2008, 23:33:45
• Processing time: 5 min 34 sec
• Submitted sample:
• File MD5: 0x89064CD3D0BF9BB4E23C522ACE408B9D
• File SHA-1: 0x5D5F3CCB6C35867DB621F15B45463BF60039DD36
• Filesize: 33,280 bytes
• Alias:
• Trojan Horse [Symantec]
• Trojan.Win32.Crypt.mv [Kaspersky Lab]
• Generic Dropper [McAfee]
• TROJ_PANDEX.DV [Trend Micro]
• Mal/Pushdo-A [Sophos]
• TrojanDropper:Win32/Cutwail.AL [Microsoft]
• Trojan.Win32.Crypt.mv [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.Agent	Trojan.Downloader.Agent downloads and installs other malware onto infected machine.

• Attention! The following threat categories were identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\WERf1d8.dir00\appcompat.txt	16,296 bytes	MD5: 0xF560A82E9385739415E085B4553CBA8F SHA-1: 0x958B55E9517896C07D689F6BDDED4EF10D0718A9	(not available)
2	%Temp%\WERf1d8.dir00\manifest.txt	1,742 bytes	MD5: 0xBA7B0F2347D1ACA953E805E2A4E9E92F SHA-1: 0xA3832B4D9A6DC61EDB12779D9E4A3D2AB7578C75	(not available)
3	%Temp%\WERf1d8.dir00\services.exe.hdmp	6,273,748 bytes	MD5: 0xD3976492400330E4EABCDD706675C8BF SHA-1: 0x7CFDF30487C2A869FDC8B24906D1D45226DEA99A	(not available)
4	%Temp%\WERf1d8.dir00\services.exe.mdmp	59,713 bytes	MD5: 0xC70A91E783C1A8D967CC758C66D4D8C4 SHA-1: 0x45785A2A123448695ED7C51ED7150E0836021E87	(not available)
5	%System%\drivers\Lyi33.sys	32,256 bytes	MD5: 0x7B10E0A21869E736929D2153AC5C12C4 SHA-1: 0x8FCD149BA361B78182B113C22295ECC18267AFBF	Trojan-Downloader.Agent [PCTools] Trojan.Pandex [Symantec] Rootkit.Win32.Agent.cmo [Kaspersky Lab] Cutwail.gen.a [McAfee] TROJ_ROOTKIT.FV [Trend Micro] Troj/Pushu-Gen [Sophos] VirTool:WinNT/Cutwail.K [Microsoft] Rootkit.Win32.Agent.cmo [Ikarus]
6	[file and pathname of the sample #1]	33,280 bytes	MD5: 0x89064CD3D0BF9BB4E23C522ACE408B9D SHA-1: 0x5D5F3CCB6C35867DB621F15B45463BF60039DD36	Trojan Horse [Symantec] Trojan.Win32.Crypt.mv [Kaspersky Lab] Generic Dropper [McAfee] TROJ_PANDEX.DV [Trend Micro] Mal/Pushdo-A [Sophos] TrojanDropper:Win32/Cutwail.AL [Microsoft] Trojan.Win32.Crypt.mv [Ikarus]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %Temp%\WERf1d8.dir00

Memory Modifications

• There was a new process created in the system:

• There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
Lyi33.sys	%System%\drivers\lyi33.sys

• Attention! The following Major I/O Request Packet (IRP) function was hooked in the kernel-mode driver:
• IRP_MJ_CREATE

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Lyi33.sys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Lyi33.sys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LYI33
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LYI33\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LYI33\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lyi33
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lyi33\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lyi33\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Lyi33
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lyi33.sys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lyi33.sys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LYI33
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LYI33\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LYI33\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lyi33
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lyi33\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lyi33\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Lyi33.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Lyi33.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LYI33\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "Lyi33"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LYI33\0000]
• Service = "Lyi33"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Lyi33"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LYI33]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lyi33\Enum]
• 0 = "Root\LEGACY_LYI33\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lyi33\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lyi33]
• Type = 0x00000001
• Start = 0x00000000
• ErrorControl = 0x00000000
• ImagePath = "%System%\Drivers\Lyi33.sys"
• Group = "SCSI Class"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Lyi33]
• Type = 0x00000001
• Start = 0x00000000
• ImagePath = "%System%\Drivers\Lyi33.sys"
• Group = "SCSI Class"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lyi33.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lyi33.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LYI33\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "Lyi33"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LYI33\0000]
• Service = "Lyi33"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Lyi33"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LYI33]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lyi33\Enum]
• 0 = "Root\LEGACY_LYI33\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lyi33\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lyi33]
• Type = 0x00000001
• Start = 0x00000000
• ErrorControl = 0x00000000
• ImagePath = "%System%\Drivers\Lyi33.sys"
• Group = "SCSI Class"

Other details

• There was registered attempt to establish connection with the remote host. The connection details are: