Submission Summary:

• Submission details:
• Submission received: 11 August 2012, 13:46:37
• Processing time: 10 min 19 sec
• Submitted sample:
• File MD5: 0x93C03498D9194FD345BFF0A7F1215617
• File SHA-1: 0x8DA81117FE2D6468406DF5CBCE40EF6567447541
• Filesize: 131,072 bytes
• Alias:
• Trojan.Win32.Scar.glgc [Kaspersky Lab]
• Trojan:Win32/ServStart.gen!A [Microsoft]
• Trojan.Win32.Spy [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\pchjco.exe [file and pathname of the sample #1]	131,072 bytes	MD5: 0x93C03498D9194FD345BFF0A7F1215617 SHA-1: 0x8DA81117FE2D6468406DF5CBCE40EF6567447541	Trojan.Win32.Scar.glgc [Kaspersky Lab] Trojan:Win32/ServStart.gen!A [Microsoft] Trojan.Win32.Spy [Ikarus]
2	%Windir%\Temp\Server.dll	81,920 bytes	MD5: 0x43947131A4D46DDC5F1CA4C1ADCAAFEE SHA-1: 0x469B867C621F5643DCBBDDD7DEAD17C7E256C560	(not available)

• Notes:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
pchjco.exe	%System%\pchjco.exe	139,264 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	139,264 bytes

• There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
360???????????	360???????????	"Running"	%System%\pchjco.exe

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360???????????
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360???????????\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360???????????\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360???????????
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360???????????\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360???????????\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "360???????????"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000]
• Service = "360???????????"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "360???????????"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360???????????\Enum]
• 0 = "Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360???????????\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360???????????]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\pchjco.exe"
• DisplayName = "360???????????"
• ObjectName = "LocalSystem"
• Description = "360??????"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "360???????????"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000]
• Service = "360???????????"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "360???????????"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360???????????\Enum]
• 0 = "Root\LEGACY_360*00B0*00B2*00C8*00AB*00CE*00C0*00CA*00BF*00BF*00CD*00BB*00A7*00B6*00CB\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360???????????\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\360???????????]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\pchjco.exe"
• DisplayName = "360???????????"
• ObjectName = "LocalSystem"
• Description = "360??????"
• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable = 0x00000000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• The following ports were open in the system:

• The following Host Names were requested from a host database:
• ddos.jqddos.in
• pushddosdoor.3322.org

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The following Internet Connections were established:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 8899:

• There was an outbound traffic produced on port 8889: