ThreatExpert Report: Backdoor.Win32.Poison.aped, Troj/Banker-EWZ, Trojan-Banker.Win32.Qhost.jt..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 April 2010, 16:41:06
Processing time: 6 min 16 sec
Submitted sample:

File MD5: 0x8D8A30B099D27FBDB6472875EB7C8F7B
File SHA-1: 0xBD4831B2C1F263F725D7F19971598DB54940E2CB
Filesize: 75,829 bytes
Alias:

Backdoor.Win32.Poison.aped [Kaspersky Lab]
Troj/Banker-EWZ [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\[filename of the sample #1 without extension].bat	140 bytes	MD5: 0x8B77378506A0C6D1B7E3957F29E70527 SHA-1: 0xE124482FCE298DE18B14AA90C202150D01B03610	(not available)
2	[file and pathname of the sample #1]	75,829 bytes	MD5: 0x8D8A30B099D27FBDB6472875EB7C8F7B SHA-1: 0xBD4831B2C1F263F725D7F19971598DB54940E2CB	Backdoor.Win32.Poison.aped [Kaspersky Lab] Troj/Banker-EWZ [Sophos]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	36,865 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Other details

Analysis of the file resources indicate the following possible country of origin:

Spain

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://pgroadrunners.ca/pictures/cannabis.jpg	%ProgramFiles%\Common Files\count.exe
http://pgroadrunners.ca/pictures/acannabis.jpg	%ProgramFiles%\Common Files\write.exe
http://pgroadrunners.ca/pictures/NissanModule.dll	%ProgramFiles%\Common Files\nsafrt.dll

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Downloaded File Summary:

Download details:

Download retrieved: 6 April 2010 16:47:22
Processing time: 7 min 34 sec
Downloaded sample #1:

File MD5: 0x2B21E120937F43F20F7F4CFA152B3F65
File SHA-1: 0x1C277DACC80BF8CFB8DF7B5F5F66E9E5FDAEDE44
Filesize: 1,593,856 bytes

Downloaded sample #2:

File MD5: 0xED0600A67EF4E9BA89CEEC980613485E
File SHA-1: 0xEADE455B4CAA19C28AAA81FC845A1B05FE0EFAF3
Filesize: 771,584 bytes
Alias:

Trojan-Banker.Win32.Qhost.jt [Kaspersky Lab]
Trojan-Banker.Win32.Qhost [Ikarus]

Downloaded sample #3:

File MD5: 0x5B0426AE59A9E5DC73E5B277AD874361
File SHA-1: 0xD1489C619E0D7FAD5AF4CD0305D0901E23651017
Filesize: 756,224 bytes
Alias:

Troj/Banker-EWZ [Sophos]
Win32.SuspectCrc [Ikarus]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following file was modified:

%System%\drivers\etc\hosts

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,622,016 bytes
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	802,816 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #3]	[file and pathname of the sample #3]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xB5D000
[filename of the sample #3]	[file and pathname of the sample #3]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xBCD000
[filename of the sample #3]	[file and pathname of the sample #3]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0x103D000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
HKEY_CURRENT_USER\full

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32]

(Default) = "[file and pathname of the sample #3]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

winFile = "%ProgramFiles%\Common Files\system32\winFile.exe"

Other details

The HOSTS file was updated with the following URL-to-IP mappings:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# Este ï¿½ um exemplo do arquivo HOSTS utilizado pela Microsoft TCP/IP
# para o Windows.
# Este arquivo contï¿½m  os endereï¿½os IP no nome dos hï¿½spedes.
# Cada entrada deve ser feita  em uma linha em branco. O endereï¿½o IP deve ser colocado
# na primeira coluna, seguido pelo nome do hï¿½spede correspondente. O endereï¿½o
# IP e o nome do hï¿½spede devem ficar separados por, pelo menos, um espaï¿½o.
# Alï¿½m disso, os comentï¿½rios (como este) podem ser inseridos em
# linhas em branco ou depois do nome do computador. Eles sï¿½o indicados pelo
# sï¿½mbolo #.
# Por exemplo :
#      102.54.94.97     rhino.acme.com          # servidor de origem
#       38.25.63.10     x.acme.com              # hï¿½spede cliente x
213.175.197.210     www.itau.com.br
127.0.0.1     localhost
213.175.197.210     www.itaupersonnalite.com.br
213.175.197.210     itau.com.br
213.175.197.210     itaupersonnalite.com.br
213.175.197.210     www.bancoreal.com.br
213.175.197.210     www.real.com.br
213.175.197.210     bancoreal.com.br
213.175.197.210     real.com.br
213.175.197.210     www.banrisul.com.br
213.175.197.210     banrisul.com.br
213.175.197.210     www.bradesco.com.br
213.175.197.210     www.bradescoprime.com.br
213.175.197.210     www.prime.com.br
213.175.197.210     bradesco.com.br
213.175.197.210     bradescoprime.com.br
213.175.197.210     prime.com.br
213.175.197.210     www.santander.com.br
213.175.197.210     www.banespa.com.br
213.175.197.210     www.santanderbanespa.com.br
213.175.197.210     santander.com.br
213.175.197.210     banespa.com.br
213.175.197.210     santanderbanespa.com.br
213.175.197.210     www.americanexpress.com.br
213.175.197.210     americanexpress.com.br
213.175.197.210     www.americanexpress.com
213.175.197.210     americanexpress.com
213.175.197.210     www.cef.com.br
213.175.197.210     www.caixa.com.br
213.175.197.210     www.caixa.gov.br
213.175.197.210     www.caixa.com
213.175.197.210     www.caixaeconomicafederal.com.br
213.175.197.210     www.caixaeconomicafederal.gov.br
213.175.197.210     cef.com.br
213.175.197.210     caixa.com.br
213.175.197.210     caixa.gov.br
213.175.197.210     caixa.com
213.175.197.210     caixaeconomicafederal.com.br
213.175.197.210     caixaeconomicafederal.gov.br
213.175.197.210    www4.itau.com.br
213.175.197.210    www4.bancoreal.com.br
213.175.197.210    www4.banrisul.com.br
213.175.197.210    www4.bradesco.com.br
213.175.197.210    www4.santander.com.br
213.175.197.210    www4.americanexpress.com.br
213.175.197.210    www4.caixa.gov.br

The following Host Name was requested from a host database:

www.aabbcomunidade.com.br

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.