ThreatExpert Report: Win-Trojan/Banload.403968.D

Submission Summary:

Submission details:

Submission received: 16 June 2009, 16:30:58
Processing time: 7 min 16 sec
Submitted sample:

File MD5: 0x95733153E5EA0D8767F855E9975AA8CB
File SHA-1: 0x420986973EF484BEEA8865F0DCD8BC6907C27B94
Filesize: 577,536 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\99III667.dpd	138 bytes	MD5: 0x55CE55C10C0CB60721763D56D952FC3A SHA-1: 0x908C5BFF10FDF26C736A8ED20D488D3808C38CD9
2	%UserProfile%\port32.log	3 bytes	MD5: 0xDADAFE066983AB646E8550013FB7DA13 SHA-1: 0x4EC54D6C550E64A7837989CC437BC57803966B50
3	[file and pathname of the sample #1]	577,536 bytes	MD5: 0x95733153E5EA0D8767F855E9975AA8CB SHA-1: 0x420986973EF484BEEA8865F0DCD8BC6907C27B94

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	933,888 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

The following Host Name was requested from a host database:

www.fribourg-gotteron.ch

The data identified by the following URLs was then requested from the remote web server:

http://www.nek-vb.net/cgi-bin/vb/t1/img006.jpg
http://www.nek-vb.net/cgi-bin/vb/t1/img007.jpg
http://www.nek-vb.net/cgi-bin/vb/t1/img005.jpg

Downloaded File Summary:

Download details:

Download retrieved: 16 June 2009 16:38:18
Processing time: 7 min 30 sec
Downloaded sample #1:

File MD5: 0x26C0631C07CC94EAD95B295AE3CE1ABB
File SHA-1: 0x5DD56426813671072F72748DD16E65445D9ADCFC
Filesize: 1,230,848 bytes
Packer info: packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #2:

File MD5: 0xCC27EA252EFDE0C3C8B620430A89D6E2
File SHA-1: 0xAAF0CC3A94B625FB4C7221844470C37B361189CE
Filesize: 686,592 bytes
Packer info: packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #3:

File MD5: 0x16B0E0E683B3C2D198F5D6B5378543E9
File SHA-1: 0xC2FB74A60EDAEDD47700EE981E115EFBB12F6AFB
Filesize: 403,968 bytes
Alias: Win-Trojan/Banload.403968.D [AhnLab]

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\lb32.log %UserProfile%\lnt.log	6 bytes	MD5: 0x76D1E5B87AC4A83083E6724520F307F0 SHA-1: 0x3A9961ED91B8F3760C51E080D2FC01C04333049C	(not available)
2	[file and pathname of the sample #1]	1,230,848 bytes	MD5: 0x26C0631C07CC94EAD95B295AE3CE1ABB SHA-1: 0x5DD56426813671072F72748DD16E65445D9ADCFC	packed with PE_Patch.UPX [Kaspersky Lab]
3	[file and pathname of the sample #2]	686,592 bytes	MD5: 0xCC27EA252EFDE0C3C8B620430A89D6E2 SHA-1: 0xAAF0CC3A94B625FB4C7221844470C37B361189CE	packed with PE_Patch.UPX [Kaspersky Lab]
4	[file and pathname of the sample #3]	403,968 bytes	MD5: 0x16B0E0E683B3C2D198F5D6B5378543E9 SHA-1: 0xC2FB74A60EDAEDD47700EE981E115EFBB12F6AFB	Win-Trojan/Banload.403968.D [AhnLab]

Note:

%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	446,464 bytes
IEXPLORE.EXE	%ProgramFiles%\Internet Explorer\IEXPLORE.EXE	102,400 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xD11000
[filename of the sample #2]	[file and pathname of the sample #2]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xD0E000

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

spools = "%UserProfile%\spools.exe"

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

To mark the presence in the system, the following Mutex object was created:

_SHuassist.mtx

The following Host Name was requested from a host database:

www.fribourg-gotteron.ch

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.