ThreatExpert Report: Downloader, Trojan-Downloader.Win32.Banload.ajfk, Mal/Generic-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 22 September 2009, 17:25:43
Processing time: 8 min 15 sec
Submitted sample:

File MD5: 0x919B30DFA05EE16822417266360B3D34
File SHA-1: 0x97B42EC349D2CEBAA19B0C46CE3F8369739A359A
Filesize: 28,672 bytes
Alias:

Downloader [Symantec]
Trojan-Downloader.Win32.Banload.ajfk [Kaspersky Lab]
Mal/Generic-A [Sophos]
TrojanDownloader:Win32/Small.gen!AP [Microsoft]
Trojan-Downloader.Win32.Small [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	28,672 bytes	MD5: 0x919B30DFA05EE16822417266360B3D34 SHA-1: 0x97B42EC349D2CEBAA19B0C46CE3F8369739A359A	Downloader [Symantec] Trojan-Downloader.Win32.Banload.ajfk [Kaspersky Lab] Mal/Generic-A [Sophos] TrojanDownloader:Win32/Small.gen!AP [Microsoft] Trojan-Downloader.Win32.Small [Ikarus]

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	28,672 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Note:

[generic host process filename] is a full path filename of [generic host process].

Other details

The data identified by the following URLs was then requested from the remote web server:

http://www.rvmmusic.com/img/primavera.gif
http://www.rvmmusic.com/img/perecamsn.gif
http://www.rvmmusic.com/img/perecagb.gif
http://www.rvmmusic.com/img/suina.emial.gif
http://www.rvmmusic.com/img/bibi.gif

Downloaded File Summary:

Download details:

Download retrieved: 22 September 2009 17:33:59
Processing time: 8 min 26 sec
Downloaded sample #1:

File MD5: 0x56FF5D5E519E4C1F9D9709263894BD74
File SHA-1: 0xE28AE20763B5AC69518FE2BD165891996C1DDF8A
Filesize: 564,736 bytes
Alias: Trojan.Win32.Agent.cwyo [Kaspersky Lab]

Downloaded sample #2:

File MD5: 0x6CE547B65C2E0872096291A211C88FA2
File SHA-1: 0x3A38E3125DD1180E004AB033B6D7FC1F172CFC05
Filesize: 520,192 bytes
Alias:

Trojan Horse [Symantec]
Trojan-Downloader.Win32.Agent.cqch [Kaspersky Lab]
PWS-Banker!bvn [McAfee]
Mal/Banspy-F [Sophos]
TrojanDownloader:Win32/Banload.gen!N [Microsoft]
BehavesLikeWin32.SMTP-Mailer [Ikarus]

Downloaded sample #3:

File MD5: 0x5A88CAA6B74C4E96322EE431A92E6833
File SHA-1: 0xD3EEBFD2DF0E5FF281A0EE436AE06ABD5772732B
Filesize: 192,512 bytes
Alias:

W32.Spybot.Worm [Symantec]
Backdoor.Win32.Poison.aqqf [Kaspersky Lab]
Mal/Generic-A [Sophos]
VirTool:Win32/VBInject.gen!BP [Microsoft]
Trojan.Win32.Zbot [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Communication with a remote SMTP server and sending out email.
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.ClientMan	Common Components for ClientMan and Trojan.Downloader.Delf.VT

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A program that downloads files to the local computer that may represent security risk
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	564,736 bytes	MD5: 0x56FF5D5E519E4C1F9D9709263894BD74 SHA-1: 0xE28AE20763B5AC69518FE2BD165891996C1DDF8A	Trojan.Win32.Agent.cwyo [Kaspersky Lab]
2	[file and pathname of the sample #2]	520,192 bytes	MD5: 0x6CE547B65C2E0872096291A211C88FA2 SHA-1: 0x3A38E3125DD1180E004AB033B6D7FC1F172CFC05	Trojan Horse [Symantec] Trojan-Downloader.Win32.Agent.cqch [Kaspersky Lab] PWS-Banker!bvn [McAfee] Mal/Banspy-F [Sophos] TrojanDownloader:Win32/Banload.gen!N [Microsoft] BehavesLikeWin32.SMTP-Mailer [Ikarus]
3	[file and pathname of the sample #3]	192,512 bytes	MD5: 0x5A88CAA6B74C4E96322EE431A92E6833 SHA-1: 0xD3EEBFD2DF0E5FF281A0EE436AE06ABD5772732B	W32.Spybot.Worm [Symantec] Backdoor.Win32.Poison.aqqf [Kaspersky Lab] Mal/Generic-A [Sophos] VirTool:Win32/VBInject.gen!BP [Microsoft] Trojan.Win32.Zbot [Ikarus]
4	%System%\windows32.ini	11 bytes	MD5: 0x409C1A271DC05CAADF255DC05A235AFA SHA-1: 0x7BF36A5D6F9F52F196A9ADF30CEDBB0F948A0BE1	(not available)

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	544,768 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	53,248 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xB2E000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xB9E000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0x100E000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32]

(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}]

(Default) = ""

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Brazil
	Germany

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Host Name was requested from a host database:

smtp.pinho.com.br

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
smtp.pinho.com.br	1034

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.pereca2009.com	80	(null)	(null)

The following GET requests were made:

img/log.txt
img/index.jpg

The following HTTP URLs were started reading:

http://www.segurancaonlinez.net/seg/azul
http://www.segurancaonlinez.net/seg/bb
http://www.segurancaonlinez.net/seg/laranja
http://www.segurancaonlinez.net/seg/prime/www.bradescoprime.com.br
http://www.segurancaonlinez.net/seg/vermelha
http://www.segurancaonlinez.net/seg/real
http://www.credicardcitinovo.com.br/
http://www.segurancaonlinez.net/seg/creditau
http://www.segurancaonlinez.net/seg/abc
http://www.segurancaonlinez.net/seg/american
http://www.segurancaonlinez.net/seg/sicredi
http://www.segurancaonlinez.net/seg/cetelem
http://www.segurancaonlinez.net/seg/checktudo
http://www.segurancaonlinez.net/seg/digital
http://www.segurancaonlinez.net/seg/f2b/pt_BR/f2b/index/
http://www.segurancaonlinez.net/seg/hiper
http://www.hotmail.com
http://www.ig.com.br
http://www.segurancaonlinez.net/seg/nestes
http://www.nossacaixa.com.br

Generated SMTP traffic

Email Sender:

COMPUTERNAME@submarino.com.br

Email Recipient:

ecko.aviso@gmail.com

Email Subject:

AVISO INVESTIDOR SUINA EMAIL

Email Body:

=-=-SISTEMA INFECTADO (Xx$$ h4x0r $$xX)-=-= =-=-=-=-=-$$$$$$$$$$$$$$$$$$$$$$$$$-=-=-=-= Nome PC............: COMPUTERNAME Nome User..........: Serial HD Fisico...: 00000000 Serial HD Firmware.: 00CD1A40 Mac Adress.........: Diretorio WIN......: C:\WINDOWS Pag. Inicial.......: about:blank Pag. Inicial.......: about:blank Prog Instalado.....: Falha na instalacao. =-=-=-=-=-$$$$$$$$$$$$$$$$$$$$$$$$$-=-=-=-= =-=-=-=-RELATORIO SITES DO INFECTADO=-=-=-= http://www.microsoft.com/ =-=-=-=-RELATORIO SITES DO INFECTADO=-=-=-= .

For example, the generated email message may look similar to the one shown below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.