ThreatExpert Report: Virus.Parite.B, Trojan.Win32.Genome.cssz, W32.Pinfi, PE

Submission Summary:

Submission details:

Submission received: 10 November 2009, 13:19:24
Processing time: 12 min 4 sec
Submitted sample:

File MD5: 0x96560A82F13FC456A066C79AC86A7865
File SHA-1: 0x37F90315ECC556873961BC5D406DE45862D389AE
Filesize: 219,136 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Virus.Parite.B	Virus Parite.B will remain in memory after executed, and infecting every SCR and PE file on every drive and network share.
Trojan.Nuklus	Trojan.Nuklus is keylogger that can contact a remote server in order to download additional components onto infected computer, and will attempt to steal user's passwords in order to take control of infected computer.
Trojan-PWS.WOW.DCC	Trojan-PWS.WOW.DCC attempts to steal sensitive information such as usernames and passwords. It may also download additional malware components from the Internet.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\yiaC.tmp %Windir%\Temp\tiaB.tmp	176,128 bytes	MD5: 0x685F1CBD4AF30A1D0C25F252D399A666 SHA-1: 0x6A1B978F5E6150B88C8634146F1406ED97D2F134	Virus.Parite.B [PCTools] W32.Pinfi [Symantec] Trojan.Win32.Genome.cssz [Kaspersky Lab] PE_PARITE.A-O [Trend Micro] W32/Parite-B [Sophos] Virus:Win32/Parite.B.dll [Microsoft] Virus.Win32.Parite [Ikarus] Win32/Parite [AhnLab]
2	%Templates%\data.tmp	40,448 bytes	MD5: 0x93BCA465417D62AE9114BCB596834747 SHA-1: 0x8C17B74DC904E739B6EEF5A28FDD0FE56D9A9C0B	(not available)
3	%Windir%\Install.txt %System%\Install.txt	264 bytes	MD5: 0x591C67CF56E147A521B0080C62E4ECED SHA-1: 0xF4ADB92B81D11FABF67CA008DEE2FABBB900EE98	(not available)
4	%Windir%\isvchost.exe	601,050 bytes	MD5: 0xDB8B1AD1B74B32A4E79AAA7D4E7E1123 SHA-1: 0x16A819510032114517D8C80BF59480780C158209	Win32.Parite.B [PCTools] W32.Pinfi [Symantec] Virus.Win32.Parite.b [Kaspersky Lab] PE_PARITE.A [Trend Micro] W32/Parite-B [Sophos] Virus:Win32/Parite.B [Microsoft] Virus.Win32.Parite [Ikarus] Win32/Parite [AhnLab]
5	%System%\3132135.exe	868 bytes	MD5: 0x43279E66EA372B7712C42755AB4CA3DF SHA-1: 0x3C3812172B6E2091438AF4C25066841AA8403040	(not available)
6	%System%\7.tmp	132 bytes	MD5: 0xD4A552E9B6E3D13A036CC6BCF1755517 SHA-1: 0xA48D1BEA75B2814D9388855B5A0F6A6DCA404FF0	(not available)
7	%System%\9.tmp	1 bytes	MD5: 0x7215EE9C7D9DC229D2921A40E899EC5F SHA-1: 0xB858CB282617FB0956D960215C8E84D1CCF909C6	(not available)
8	%System%\A.tmp	88,576 bytes	MD5: 0x1C5E79F5F4CAAB5F5C9A69AB91D478B2 SHA-1: 0x428D52728C29EC557F1E4DF282AB76AF70230823	Trojan.Generic [PCTools] Trojan Horse [Symantec] Packed.Win32.Krap.af [Kaspersky Lab] WORM_PALEVO.SMI [Trend Micro] Mal/Generic-A [Sophos] Trojan:Win32/Sisproc [Microsoft] Trojan.Generic.CJ [Ikarus] Win-Trojan/Obfuscator.88576.B [AhnLab]
9	%System%\a9k.bin	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
10	%System%\BtwSrv.dll	45,568 bytes	MD5: 0x35108520873380EDD605633F63410641 SHA-1: 0xC3D742DA5FB292135C44BA6711A6E27F47F9BB0E	Trojan:Win32/Refpron.F [Microsoft]
11	%System%\FastNetSrv.exe	65,024 bytes	MD5: 0x6D70B01603D319203B2306D5CC76AA13 SHA-1: 0xDB2E328A7C5406A5FAA7768C68BD2F00F77566D7	packed with PE_Patch [Kaspersky Lab]
12	%System%\FInstall.sys	8 bytes	MD5: 0x3C9AEE2E5FDB475878280357C245B1B5 SHA-1: 0xD4813AA9BBAA632AC03A768666113EF6450B6C98	(not available)
13	%System%\kbdnet.dll	30,208 bytes	MD5: 0xB354C9439AC8A757032D3D70B7D42413 SHA-1: 0xBA8C56B9F73CF6EBF62556DD6A2491B67361EADE	Backdoor.Win32.Agent.amos [Kaspersky Lab]
14	%System%\lsm32.sys	36,864 bytes	MD5: 0x46C262B8DDFF7307FE9963AE2E4AC8A7 SHA-1: 0x7D81F51642ECC4272A73990EAABEB78783D4CF4B	Trojan.Win32.Clicker.a [Kaspersky Lab] Mal/Bimay-A [Sophos] Trojan.Win32.VB [Ikarus]
15	%System%\mscert.dll	35,840 bytes	MD5: 0xB7544852A574A2899F6BF4E284F198DA SHA-1: 0xEC8A06B4108A615A4938F7F82FC590A6C6FE5E22	(not available)
16	%System%\msxm192z.dll	61,440 bytes	MD5: 0x0481C1BFD2016166501D8EFAD116F558 SHA-1: 0x70674B8FBA2EF8AB99F7DC85F63A26C53E267B93	Mal/Behav-170 [Sophos] Trojan-GameThief.Win32.WOW [Ikarus]
17	%System%\opeia.exe	107,520 bytes	MD5: 0x2C7D024AE0DD8C5E206F9BC1219F8745 SHA-1: 0x3AF31FB28A53EBFA2A80D5551B5B778011EBFDC4	packed with PE_Patch [Kaspersky Lab]
18	%System%\saifx.dll	23,669 bytes	MD5: 0xF95582F4B5E702DBCC90ED1F24818490 SHA-1: 0xDD203FEB70A328BBEA36F82CBAE23D851D406D66	Trojan.Goldun [PCTools] Trojan.Goldun [Symantec] Mal/TinyDL-T [Sophos] Trojan-Spy.Win32.Goldun [Ikarus] Win-Trojan/Goldun.23667.B [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
19	[file and pathname of the sample #1]	219,136 bytes	MD5: 0x96560A82F13FC456A066C79AC86A7865 SHA-1: 0x37F90315ECC556873961BC5D406DE45862D389AE	(not available)
20	%System%\sorrd.sys	8,688 bytes	MD5: 0x054523D0EC75404E65BAC9B95128BC5A SHA-1: 0xF5C225BCEC550B8D0FAE67262A56E4EB37230C90	Trojan.Goldun [PCTools] Trojan.Goldun [Symantec] Trojan-Spy.Win32.Goldun.cal [Kaspersky Lab] Mal/Behav-336 [Sophos] Backdoor:Win32/Haxdoor [Microsoft] Trojan-Spy.Win32.Goldun [Ikarus]
21	%System%\wmdtc.exe	107,520 bytes	MD5: 0x8AB552605E6CF838C43D183E4D54453D SHA-1: 0x19EF5713CE60BBB135FE9B23A79B29E2D7A96AF6	packed with PE_Patch [Kaspersky Lab]
22	%Windir%\Temp\mta13187.dll %Windir%\Temp\x1c53540.dll	612,352 bytes	MD5: 0x3F795D6FB4050C93CBBD0FF699A2635A SHA-1: 0xD6F6FF1E3809C980CA78710E842AC3F1C1697E92	(not available)
23	%Windir%\Temp\VRT3.tmp	133,632 bytes	MD5: 0xCCEF3C33FE7CB57CC9B975FAA161EFA3 SHA-1: 0xB1E1C13CBA2F578B848F539ABEE43BDC209DAC34	Trojan.Generic [PCTools] Trojan Horse [Symantec] Trojan.Win32.Pasta.dgz [Kaspersky Lab] Mal/Generic-A [Sophos]
24	%Windir%\Temp\VRT4.tmp	87,040 bytes	MD5: 0x0C74D9978441DBA44CCBDBEF5A5E9084 SHA-1: 0x29C473904F3715C9491F077E910EA78BB9A6B325	Mal/Refpron-B [Sophos] Backdoor:Win32/Refpron.P [Microsoft]
25	%Windir%\Temp\VRT5.tmp	49,152 bytes	MD5: 0x34C3A9BCA8DC2D38B51ADDEC3D9E1AB5 SHA-1: 0xF49B826DCAC7C37AFA657BC11D532CDDEBF4AB31	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%Temp%\i_setup
%Windir%\Temp\i_setup

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	245,760 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BTWSRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BTWSRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FASTNETSRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FASTNETSRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BtwSrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BtwSrv\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BtwSrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv\Security
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ter8m = "RUNDLL32.EXE %System%\msxm192z.dll,w"
UserFaultCheck = "%System%\dumprep 0 -u"

so that msxm192z.dll runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

LoadAppInit_DLLs = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx]

DllName = 73 61 69 66 78 2E 64 6C 6C 00 00 00
Startup = "saifx"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
ngrvv = "[C6E793E9158BE907B]"

so that saifx.dll is installed as a Winlogon notification package

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls]

AppSecDll = "%System%\mscert.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BTWSRV\0000]

Service = "BtwSrv"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "BtwSrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BTWSRV]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FASTNETSRV\0000]

Service = "fastnetsrv"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "fastnetsrv Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FASTNETSRV]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BtwSrv\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BtwSrv\Parameters]

ServiceDll = 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 42 74 77 53 72 76 2E 64 6C 6C 00 56 4E 49 4B 6C 67 68 70 47 6B 49 36 6C 44 73 7A 34 64 57 6F 7A 74 4A 79 39 63 79 42 4E 32 63 44 58 6C 44 75 4B 32 50 3B 74 68 72 65 61 64 73 3D 66 41 3B 73 6

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BtwSrv]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\FastNetSrv.exe"
DisplayName = "fastnetsrv Service"
ObjectName = "LocalSystem"

[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current]

(Default) = ""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International]

W2KLpk = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]

UpdateHost = FF F0 DA 5D CD 1E

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

Persistent = 0x00000000

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	China

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
173.45.105.218	8392
204.27.57.154	8392
66.96.221.101	8392
193.169.194.251	80
204.27.57.154	80
204.27.57.210	80
208.43.250.167	80
218.93.205.19	80
64.191.44.5	80
91.206.201.39	80
93.174.92.220	80
202.97.184.196	81
218.93.205.30	65520
222.73.204.229	888
222.73.204.229	88

The data identified by the following URLs was then requested from the remote web server:

http://www.petdoso.com:81/svc.php?file=isvchost.exe
http://204.27.57.154/p1023/2.0/w.bin?543035
http://204.27.57.210/p1023/2.0/w.bin?35186
http://204.27.57.210/p1023/2.0/d.bin?bb1025383497
http://search.toptravellingtips.com/portal.php
http://www.brans.pl/10.exe
http://dl.guarddog2009.com/inst.php?id=32&sid=342
http://maillist.iwillhavesexygirls.com:888/mail/mailpub.exe?t=0.2411921
http://config1007.iwillhavesexygirls.com:88/er.txt?t=0.960426
http://64.191.44.5/p0905/2.0/ms.bin?bb1025653453
http://64.191.44.5/p0905/2.0/so.bin?bb102564658
http://colopin.cn/oc/box.txt
http://colopin.cn/op/lgate.php?n=39840325379C188F
http://colopin.cn/lib/us.txt
http://colopin.cn/bt5/fout.php
http://colopin.cn/lib/ssv.txt
http://komojoke.cn/txt/read2.txt
http://komojoke.cn/txt/read.txt

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8392:

00000000 | 0000 4F95 0000 0004 6563 686F 0000 78E3 | ..O.....echo..x.
00000010 | 0000 4F95 0000 0004 6563 686F 0000 78E3 | ..O.....echo..x.
00000020 | 0000 27B3 0000 0013 322E 305F 6262 3130 | ..'.....2.0_bb10
00000030 | 3235 5F76 7274 342E 746D 7000 0078 E300 | 25_vrt4.tmp..x..
00000040 | 004F 9500 0000 0465 6368 6F00 0078 E300 | .O.....echo..x..
00000050 | 004F 9500 0000 0465 6368 6F00 0078 E3   | .O.....echo..x.
00000000 | 0000 78E3 0000 4F95 0000 0004 6563 686F | ..x...O.....echo
00000010 | 0000 78E3 0000 27B0 0000 0050 7378 3A31 | ..x...'....Psx:1
00000020 | 3939 5F31 3131 3030 3935 3678 2075 783A | 99_11100956x ux:
00000030 | 4D6F 7A69 6C6C 612F 342E 3020 2863 6F6D | Mozilla/4.0 (com
00000040 | 7061 7469 626C 653B 204D 5349 4520 362E | patible; MSIE 6.
00000050 | 303B 2057 696E 646F 7773 204E 5420 352E | 0; Windows NT 5.
00000060 | 3129 2075 783A 6262 3130 3235 0000 78E3 | 1) ux:bb1025..x.
00000070 | 0000 78E3 0000 4F95 0000 0004 6563 686F | ..x...O.....echo
00000080 | 0000 78E3 0000 4F95 0000 4F95 0000 0004 | ..x...O...O.....
00000090 | 6563 686F 0000 0004 6563 686F           | echo....echo
00000010 | 0000 78E3 0000 7887 0000 0006 6262 3130 | ..x...x.....bb10
00000020 | 3235 0000 78E3 0000 4F95 0000 0004 6563 | 25..x...O.....ec
00000030 | 686F 0000 78E3 0000 4F95 0000 0004 6563 | ho..x...O.....ec
00000040 | 686F                                    | ho

There was an outbound traffic produced on port 65520:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.