ThreatExpert Report: Trojan.Win32.SMSSend

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 2 October 2012, 10:01:54
Processing time: 9 min 18 sec
Submitted sample:

File MD5: 0x9C9B34A258756809B7EC6DBBB120DE8D
File SHA-1: 0x4DD4966283CF114DD5E2EEC47CF42BB84591C51D
Filesize: 1,576,655 bytes
Alias: Trojan.Win32.SMSSend [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\7z.dll	914,432 bytes	MD5: 0x04AD4B80880B32C94BE8D0886482C774 SHA-1: 0x344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0	(not available)
2	%Temp%\archdata.zip	122,903 bytes	MD5: 0x77B943A7F0231569B605BE23ABD041A4 SHA-1: 0x4F785196A58C0B50C3F39851AC3D69C347CB92B3	(not available)
3	%Temp%\archive.xml	9,400 bytes	MD5: 0x21AAFA601616F9535AD6866E4D9D48C3 SHA-1: 0xA0CCEB2F7401ED87A79D325D09783B1E29ADB727	(not available)
4	%Temp%\dw.log	76 bytes	MD5: 0xF3F34D14D79E562DE0DEAF53D8C27B2B SHA-1: 0xC5469FEA7935EF72DC72E71E91CF063B89F575F5	(not available)
5	%Temp%\icon	25,214 bytes	MD5: 0xE8201D6DD359C84694029F91442E512F SHA-1: 0x74759C60AB5FCDB37072F9742CA385D5702D6956	(not available)
6	%Temp%\image	122,386 bytes	MD5: 0x94EE13CEE82B5F4B5D4B00370A07B755 SHA-1: 0xFD63F8A6ED8906BE7C20F72C3119A9468FFB99A2	(not available)
7	%Temp%\main.xml	10,641 bytes	MD5: 0xDC06BD25F09A94A709987E26A14B625D SHA-1: 0xB979A99E1C6E695B6E27A7954D65A10337E5CD43	(not available)
8	%Temp%\[filename of the sample #1]	1,429,577 bytes	MD5: 0x568B6EFE54F6151C2217C88C67EBFF7C SHA-1: 0x02ED2B38867F9EE1F58744EDC5F9E9A63BCEEB5F	Trojan.Win32.SMSSend [Ikarus]
9	[file and pathname of the sample #1]	1,576,655 bytes	MD5: 0x9C9B34A258756809B7EC6DBBB120DE8D SHA-1: 0x4DD4966283CF114DD5E2EEC47CF42BB84591C51D	Trojan.Win32.SMSSend [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	%Temp%\[filename of the sample #1]	638,976 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
DW20.EXE	[pathname with a string SHARE]\dw20.exe	20,480 bytes

Other details

The following Host Names were requested from a host database:

0x558fbf3a
wpad.mrc.pctools.com.
xsp.zip-archive.com

The following GET request was made:

wpad.dat

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.