ThreatExpert Report: TrojanDownloader:Win32/FakeRean, Virus.Win32.Protector.c, Trojan.Fakeavalert..

Submission Summary:

Submission details:

Submission received: 6 October 2009, 14:17:30
Processing time: 8 min 39 sec
Submitted sample:

File MD5: 0x9A2D38F2850F8E75ED81B84344FCE09A
File SHA-1: 0xF86572CA526D1203D62BF1D7F51651E532299F66
Filesize: 43,520 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Communication with a remote SMTP server and sending out email.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
RogueAntiSpyware.HomeAntiVirus2010	RogueAntiSpyware.HomeAntiVirus2010 displays fake alerts and scan results in malware payloads in order to persuade users into buying the rogue antispyware products.
Rootkit.Protector	Rootkit.Protector is a threat that relies on rootkit-specific techniques in order to hide its presence in the system.

Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\lizkavd.exe	157,296 bytes	MD5: 0xA08836E272CF551A0FD63E766412C645 SHA-1: 0x56015DB85F64FFF0086DE856A5AD7B615FA5CE43	TrojanDownloader:Win32/FakeRean [Microsoft]
2	%AppData%\seres.exe %AppData%\svcst.exe %Temp%\BN1.tmp %Temp%\BN3.tmp %Temp%\BN4.tmp %Temp%\BN5.tmp	16,896 bytes	MD5: 0x9A4BE830F92F48CDC7FD40A75DB0C7C6 SHA-1: 0x280CF595F0050496E1DA4C7669BACFF3E64B417A	TrojanDownloader:Win32/FakeRean [Microsoft]
3	%Temp%\tmpwr2	563,716 bytes	MD5: 0xA630838ECBE0F5B66229BDF87A480D38 SHA-1: 0xED540890B7A9708E3816FFE5A3C9230477C316C8	(not available)
4	%Temp%\tmpwr3	263,780 bytes	MD5: 0xEA42596C61F6DB0C633DA0AEC2F96025 SHA-1: 0x82767F0E609635CB7816FBE1410A66C30AEDD6A1	(not available)
5	%Temp%\tmpwr4	452,100 bytes	MD5: 0x62CCA99D2DC23F29A2CEAE780B4C92D0 SHA-1: 0x50F9F82ECE8A0360CAFC570E4A8006D5D77F2E3B	(not available)
6	%Temp%\tmpwr5	730,724 bytes	MD5: 0x9215361F82970266462ACC2F31306C91 SHA-1: 0xDD89E13F03DDD341D15395E10FFBBE1CC3BC564C	(not available)
7	%Temp%\tmpwr6	150,212 bytes	MD5: 0x083DB0B3F9D5509B2DD2C34D36D3CED0 SHA-1: 0x11C9F987B89C1D832F8E6CCB036A7A3D98EBDB5B	(not available)
8	%Temp%\tmpwr7	1,088,644 bytes	MD5: 0x6C73AB4C610611887E42707902F1319D SHA-1: 0x97DDA778E066B1A0D9D5E07EF2472E8D5C464F05	(not available)
9	%UserProfile%\restorer32_a.exe %System%\restorer32_a.exe [file and pathname of the sample #1]	43,520 bytes	MD5: 0x9A2D38F2850F8E75ED81B84344FCE09A SHA-1: 0xF86572CA526D1203D62BF1D7F51651E532299F66	(not available)
10	%System%\dllcache\agp440.sys	94,432 bytes	MD5: 0x57D261CE83FDC07AC75BD03C1A91A92F SHA-1: 0xA8AAFCD5E4817A9A512117DA3D3479CDA15CC615	Trojan.Fakeavalert [Symantec] Virus.Win32.Protector.c [Kaspersky Lab] Generic.dx!fhv [McAfee] Mal/Generic-A [Sophos] Virus:Win32/Cutwail.H [Microsoft] Virus.Win32.Cutwail [Ikarus] Win32/Ntfs.B [AhnLab]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was modified:

%System%\drivers\AGP440.SYS

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
seres.exe	%AppData%\seres.exe	49,152 bytes
svcst.exe	%AppData%\svcst.exe	49,152 bytes
restorer32_a.exe	%System%\restorer32_a.exe	N/A
restorer32_a.exe	%UserProfile%\restorer32_a.exe	N/A

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	22,380,544 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

restorer32_a = "%System%\restorer32_a.exe"
Regedit32 = "%System%\regedit.exe"

so that restorer32_a.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft]

OSVersion = "3154113"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]

RunInvalidSignatures = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

LowRiskFileTypes = "zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
SaveZoneInformation = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

restorer32_a = "%UserProfile%\restorer32_a.exe"
mserv = "%AppData%\seres.exe"
svchost = "%AppData%\svcst.exe"

so that restorer32_a.exe runs every time Windows starts

so that seres.exe runs every time Windows starts

so that svcst.exe runs every time Windows starts

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]

CheckExeSignatures =

Other details

The following port was open in the system:

Port	Protocol	Process
1055	UDP	svcst.exe (%AppData%\svcst.exe)

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
206.161.193.131	25
xowdiotaflqwdintaflqwdiotaflqwci	25
xygmsxejpubgmrxdjpubhmsxejpubgmr	25
xelrwdiotaglrwdiotaflqwcintyekpv	25
xajoubgmrxdjouagmrxdjouaglrwdiou	25
217.112.42.216	25
56.59.85ae.static.theplanet.com	25
67.195.168.31	25
88.214.192.192	25
xaiouaglrwdiotaflqwdiotyfkqwcint	25
67.228.60.154	80
69.162.127.90	80
72.233.29.123	80

The data identified by the following URLs was then requested from the remote web server:

http://orav4abustorabe.com/files/avp21_d_/_1_._d_
http://orav4abustorabe.com/files/_AVE_._d_
http://orav4abustorabe.com/files/_Add_._d_
http://orav4abustorabe.com/files/_GUI_._d_
http://orav4abustorabe.com/files/_SC_._d_
http://xio41hm063l.com/40E8001430303030303030303030303030303030303031306C0000001266000000007600000642EB000530E1EBF0F6
http://kta42rx285v.com/40E8001430303030303030303030303030303030303031306C0000001266000000007600000642EB0005307B848A8F
http://xgn28gm427k.com/40E8001430303030303030303030303030303030303031306C0000001266000000007600000642EB000530AAB3B9BF
http://yio17hn740l.com/40E8001430303030303030303030303030303030303031306C0000001266000000007600000642EB000530333D4248
http://abumaso3tkamid.com/d1woM0SiY5s4fI0qY4pzW7yTQ

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 25:

Generated SMTP traffic

Email Senders:

xdlrwdiouaglrwdjouaglrwdiotaflqv
<jjochpcwexn@56.59.85ae.static.theplanet.com>
<frbwsakymgyn@56.59.85ae.static.theplanet.com>
<tfarooqi@56.59.85ae.static.theplanet.com>
xfntaflrcjpubgmrxejpubgmrxejpubg
xjrxdjouagmrxejpubgmrxdjpuaglrxd

Email Recipients:

<chrisdlee_89@yahoo.com>
<chrisette18@yahoo.com>
<chrishodge@yahoo.com>
<j_bullard@yahoo.com>
<chrisjennboegler@yahoo.com>
<chrisgaitwood@yahoo.com>
<chrisfestino@yahoo.com>
<chrishana_9@yahoo.com>
<chrisgmoore1@yahoo.com>
<chriscschultz@yahoo.com>
<chrisfiggatt@yahoo.com>
<chrisedgeman@yahoo.com>
<chrisitearnold5@yahoo.com>
<chrisden93@yahoo.com>
<chriseli172002@yahoo.com>
<chrisjrtoolman@yahoo.com>
<chrisf162000@yahoo.com>
<chrisjdon@yahoo.com>
<chrisjones2152@yahoo.com>
<chrisfam702@yahoo.com>
<iduays@yahoo.com>
<ie_21@yahoo.com>
<idyobong@yahoo.com>
<woodseric81@yahoo.com>
<taycemorgan@yahoo.com>
<taylor22592002@yahoo.com>
<tayloa14@yahoo.com>
<taylor1634@yahoo.com>
<ednamorales8@yahoo.com>
<edna530@yahoo.com>
<taylorarjuna@yahoo.com>
<taylorasmom894@yahoo.com>
<taycy8@yahoo.com>
<taye53224@yahoo.com>
<tayloramarrio@yahoo.com>
<klymariessk@yahoo.com>
<kmann728@yahoo.com>
<klynnmart@yahoo.com>
<kmagri41184@yahoo.com>
<kma966@yahoo.com>
<roziepozie15@yahoo.com>
<yozdzynz1@yahoo.com>
<babaksadeghi@yahoo.com>
<benyards21@yahoo.com>
<babejane@yahoo.com>
<bensoufia@yahoo.com>
<babblingbrooksus@yahoo.com>
<babbles0@yahoo.com>
<bensontraci@yahoo.com>
<bentan80@yahoo.com>
<benssi@yahoo.com>
<benyard@yahoo.com>
<babak_y2k2000@yahoo.com>
<babamjak@yahoo.com>
<babaydoll888@yahoo.com>
<babeblueridge@yahoo.com>
<babaysofly@yahoo.com>
<babeeray@yahoo.com>
<babeboop67@yahoo.com>
<babegunz325@yahoo.com>
<lashanapeer@yahoo.com>
<lashawn.white@yahoo.com>
xqyfkqvchnsyfkpvbhmsxejpvbhmsxej
xbjoubgmsxejpubgmrxdjoubgmrxdjpu

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.