Submission Summary:

• Submission details:
• Submission received: 31 January 2009, 05:12:36
• Processing time: 6 min 55 sec
• Submitted sample:
• File MD5: 0x98955DA3CE4BE1CAD36C2BEA9DDAE701
• File SHA-1: 0xB916C157EF6424E43012D367C1F1A72C9265BAF7
• Filesize: 40,960 bytes
• Alias:
• Mal/Pushdo-A [Sophos]
• TrojanDropper:Win32/Cutwail.AL [Microsoft]

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Rootkit.Protector	Rootkit.Protector is a threat that relies on rootkit-specific techniques in order to hide its presence in the system.

• Attention! The following threat categories were identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\WERf757.dir00\appcompat.txt	16,296 bytes	MD5: 0xF560A82E9385739415E085B4553CBA8F SHA-1: 0x958B55E9517896C07D689F6BDDED4EF10D0718A9	(not available)
2	%Temp%\WERf757.dir00\manifest.txt	1,742 bytes	MD5: 0x8B26D008FC95624621BD4BD20A2A6BC8 SHA-1: 0xFE3777DB272CE078D9354100553856397B93750B	(not available)
3	%Temp%\WERf757.dir00\services.exe.hdmp	6,273,748 bytes	MD5: 0x40FB5C50729EB4F5A08D7DEF88B26BBB SHA-1: 0xEBD0683F507C35832B1649B3C22CA9941DF2F6A1	(not available)
4	%Temp%\WERf757.dir00\services.exe.mdmp	59,713 bytes	MD5: 0xC2A5EA5444FAF293938D888AA47D2118 SHA-1: 0x48FAB490A24F068B8E77957C22D41DC1A623502E	(not available)
5	%System%\drivers\ati7tfxx.sys	32,768 bytes	MD5: 0x193A94DF3AF2E31D784040A76D5FCE5A SHA-1: 0x2CD6DBC8681E01028B01788731A28A1A45F9F687	Rootkit.Protector [PCTools] Trojan.Pandex [Symantec] Rootkit.Win32.Protector.bd [Kaspersky Lab] Cutwail.gen.a [McAfee] TROJ_PANDEX.ROY [Trend Micro] Troj/Pushu-Gen [Sophos] VirTool:WinNT/Cutwail.K [Microsoft] VirTool.WinNT.Cutwail.K [Ikarus]
6	[file and pathname of the sample #1]	40,960 bytes	MD5: 0x98955DA3CE4BE1CAD36C2BEA9DDAE701 SHA-1: 0xB916C157EF6424E43012D367C1F1A72C9265BAF7	Mal/Pushdo-A [Sophos] TrojanDropper:Win32/Cutwail.AL [Microsoft]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %Temp%\WERf757.dir00

Memory Modifications

• There was a new process created in the system:

• There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
ati7tfxx.sys	%System%\drivers\ati7tfxx.sys

• Attention! The following Major I/O Request Packet (IRP) function was hooked in the kernel-mode driver:
• IRP_MJ_CREATE

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ati7tfxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ati7tfxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI7TFXX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI7TFXX\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI7TFXX\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7tfxx
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7tfxx\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7tfxx\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati7tfxx
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7tfxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ati7tfxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI7TFXX
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI7TFXX\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI7TFXX\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7tfxx
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7tfxx\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7tfxx\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ati7tfxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ati7tfxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI7TFXX\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "ati7tfxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI7TFXX\0000]
• Service = "ati7tfxx"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "ati7tfxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI7TFXX]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7tfxx\Enum]
• 0 = "Root\LEGACY_ATI7TFXX\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7tfxx\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7tfxx]
• Type = 0x00000001
• Start = 0x00000000
• ErrorControl = 0x00000000
• ImagePath = "%System%\Drivers\ati7tfxx.sys"
• Group = "SCSI Class"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati7tfxx]
• Type = 0x00000001
• Start = 0x00000000
• ImagePath = "%System%\Drivers\ati7tfxx.sys"
• Group = "SCSI Class"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7tfxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ati7tfxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI7TFXX\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "ati7tfxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI7TFXX\0000]
• Service = "ati7tfxx"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "ati7tfxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI7TFXX]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7tfxx\Enum]
• 0 = "Root\LEGACY_ATI7TFXX\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7tfxx\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7tfxx]
• Type = 0x00000001
• Start = 0x00000000
• ErrorControl = 0x00000000
• ImagePath = "%System%\Drivers\ati7tfxx.sys"
• Group = "SCSI Class"

Other details

• There was registered attempt to establish connection with the remote host. The connection details are: