Submission Summary:

What's been found | Severity Level
Contains characteristics of an identified security risk.

 

Technical Details:


 

Possible Security Risk

Security Risk | Description
Application.Ardamax_Keylogger | Ardamax Keylogger is a keystroke recorder that captures the user's activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer.
Trojan-Dropper.Agent | Trojan-Dropper.Agent attempts to drop a malicious file and run it on the compromised computer.

 

File System Modifications

# | Filename(s) | File Size | File Hash
1 %Temp%\@2.tmp
%Temp%\@7.tmp
906,332 bytes MD5: 0xC0C291E5BECA3C0A0928D58EE66C9E66
SHA-1: 0x8BB002EAC4F6CE45C1B0B81FB4B8FD0630BEB586
2 %Temp%\nsp4.tmp\InstallOptions.dll 14,848 bytes MD5: 0x325B008AEC81E5AAA57096F05D4212B5
SHA-1: 0x27A2D89747A20305B6518438EFF5B9F57F7DF5C3
3 %Temp%\nsp4.tmp\installPageTibiaClient.ini 193 bytes MD5: 0x9B4D46105797189C600B77229E692DDE
SHA-1: 0x4B8F7F1C2E1D8B4A4A5730BAB8E2EBFBA6873761
4 %Temp%\nsp4.tmp\ioSpecial.ini 748 bytes MD5: 0x7B993F0F72F2ACBC17C55185DF157D7E
SHA-1: 0x1B285A5ACA8B3AB5C4A771078954B4CED8939175
5 %Temp%\nsp4.tmp\modern-wizard.bmp 26,494 bytes MD5: 0xCBE40FD2B1EC96DAEDC65DA172D90022
SHA-1: 0x366C216220AA4329DFF6C485FD0E9B0F4F0A7944
6 %Temp%\nsp9.tmp\installPageTibiaClient.ini 157 bytes MD5: 0xF4E933EA08B8E82C99B6B91D1F9532B9
SHA-1: 0x16CE79052FC283ADCC2A8E608575F0C2DE614BAD
7 %Temp%\nsp9.tmp\UserInfo.dll 4,096 bytes MD5: 0x7579ADE7AE1747A31960A228CE02E666
SHA-1: 0x8EC8571A296737E819DCF86353A43FCF8EC63351
8 %ProgramFiles%\Tibia Auto\uninstall.log 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
9 %Windir%\system\hmpt.exe 492,092 bytes MD5: 0xDB6501628C684F7F7D6DB3759CAF41C4
SHA-1: 0x537175ECAA0378B879574DD1B3E9EFA841ECF624
10 %Windir%\system\TibiaAutoSetup.exe 2,761,984 bytes MD5: 0x7A9514C28929BF337138B806F208EAD1
SHA-1: 0xC6DE15C92CE6548C1CFAD5980473D0E4C3285D5F
11 %System%\28463\AKV.exe 404,480 bytes MD5: 0xB8FA30233794772B8B76B4B1D91C7321
SHA-1: 0x0CF9561BE2528944285E536F41D502BE24C3AA87
12 %System%\28463\NULR.001 520 bytes MD5: 0x963D1BD9B64A178B0D2540D5A75532BE
SHA-1: 0x390D7A35D6132E74D292A2C249C12E1473604B38
13 %System%\28463\NULR.002 16,004 bytes MD5: 0xD765F92FD92F44DABA954D168997E45C
SHA-1: 0x01D2410148E390F7388F2C74F218C41357AB556A
14 %System%\28463\NULR.006 8,192 bytes MD5: 0x43F02E9974B1477C1E6388882F233DB0
SHA-1: 0xF3E27B231193F8D5B2E1B09D05AE3A62795CF339
15 %System%\28463\NULR.007 5,632 bytes MD5: 0xB5A87D630436F958C6E1D82D15F98F96
SHA-1: 0xD3FF5E92198D4DF0F98A918071ACA53550BF1CFF
16 %System%\28463\NULR.exe 484,864 bytes MD5: 0x17535DDDECF8CB1EFDBA1F1952126547
SHA-1: 0xA862A9A3EB6C201751BE1038537522A5281EA6CB
17 [file and pathname of the sample #1] 3,329,866 bytes MD5: 0x97ED344DBA3E73C81B27A70A979E1365
SHA-1: 0x89B7A2E0BBA84C2B2AF5076AA8340E744F7D97AB

 

Memory Modifications

Process Name | Process Filename | Main Module Size
TibiaAutoSetup.exe | %Windir%\system\tibiaautosetup.exe | 208,896 bytes

 

Other details

Russian Federation
Poland

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

Copyright © 2013 ThreatExpert. All rights reserved.