ThreatExpert Report: Trojan-Dropper.Win32.Agent.aokn, Trojan Horse, Generic Dropper!bc..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 25 August 2009, 19:05:08
Processing time: 5 min 44 sec
Submitted sample:

File MD5: 0x8DD43E91498B1FE68EF0C8AEB63336B4
File SHA-1: 0x10CDAE7B729DBF0A738175E16383F8776FAA5A25
Filesize: 292,896 bytes
Alias:

Trojan Horse [Symantec]
Trojan-Dropper.Win32.Agent.aokn [Kaspersky Lab]
Generic Dropper!bc [McAfee]
Mal/Generic-A [Sophos]
Trojan-Dropper.Agent [Ikarus]
Dropper/Agent.1161760 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
RogueAntiSpyware.Component.Generic	Common Components for Rogue Anti-Spyware lists common registry and file entries between various Rogue Anti-Spyware applications.
Trojan-Dropper.Agent!sd6	Trojan-Dropper.Agent!sd6 is a threat that drops malicious files.

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\adlaunch32.dll	86,040 bytes	MD5: 0xF22C653B422EC6E9355D9A9DA2257374 SHA-1: 0x18E53B979AF2E696EA0EE03B6C2BB7FFB24D10AA	Trojan Horse [Symantec] not-a-virus:AdWare.Win32.AdAgent.ak [Kaspersky Lab] Generic PUP.x!ba [McAfee] Mal/Generic-A [Sophos] Trojan:Win32/Nuwvult.A!dll [Microsoft] not-a-virus:AdWare.Win32.AdAgent [Ikarus] Win-Trojan/Agent.86040 [AhnLab]
2	%System%\advhost.exe	122,384 bytes	MD5: 0xC92E80E8E3F2D3267346506A28CCF48F SHA-1: 0x6E88480DC48B1DC7362ABEA9AFFDBE64E7A6719F	IM-Worm.Win32.Agent.ql [Kaspersky Lab] Generic.dx!cfe [McAfee] Mal/Generic-A [Sophos] IM-Worm.Win32.Agent [Ikarus] Win32/Agent.worm.991248 [AhnLab]
3	[file and pathname of the sample #1]	292,896 bytes	MD5: 0x8DD43E91498B1FE68EF0C8AEB63336B4 SHA-1: 0x10CDAE7B729DBF0A738175E16383F8776FAA5A25	Trojan Horse [Symantec] Trojan-Dropper.Win32.Agent.aokn [Kaspersky Lab] Generic Dropper!bc [McAfee] Mal/Generic-A [Sophos] Trojan-Dropper.Agent [Ikarus] Dropper/Agent.1161760 [AhnLab]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%AppData%\Microsoft\SystemCertificates\Request
%AppData%\Microsoft\SystemCertificates\Request\Certificates
%AppData%\Microsoft\SystemCertificates\Request\CRLs
%AppData%\Microsoft\SystemCertificates\Request\CTLs

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
advhost.exe	%System%\advhost.exe	1,028,096 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	307,200 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
adlaunch32.dll	%System%\adlaunch32.dll	Process name: advhost.exe Process filename: %System%\advhost.exe Address space: 0x10000000 - 0x10019000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C182152A34EFCEEBF10F3F56723529D5078EE4A0
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\REQUEST
HKEY_CURRENT_USER\Software\adv

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C182152A34EFCEEBF10F3F56723529D5078EE4A0]

Blob = 03 00 00 00 01 00 00 00 14 00 00 00 C1 82 15 2A 34 EF CE EB F1 0F 3F 56 72 35 29 D5 07 8E E4 A0 20 00 00 00 01 00 00 00 2D 02 00 00 30 82 02 29 30 82 01 92 A0 03 02 01 02 02 10 35 E3 7E FC 0E FD A2 AD 47 C0 31 BD 14 D2 39 D0 30 0D 06 09 2A 86 48 86 F

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

LoadAppInit_DLLs = 0x00000001

[HKEY_CURRENT_USER\Software\adv]

console = "0"
path = "%System%\advhost.exe"

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs =

Other details

To mark the presence in the system, the following Mutex object was created:

Local\95E862D8-14A0-4d2a-ABA3-C629D4A62D3E

The following Host Name was requested from a host database:

live.com

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.