ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 13 July 2010, 15:40:50
Processing time: 11 min 18 sec
Submitted sample:

File MD5: 0x9CD9918489E7457C23C4AD404B073A82
File SHA-1: 0x046EA589C117C2B3E88619C5B0B062715145F38A
Filesize: 483,328 bytes

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Communication with a remote IRC server.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Windir%\Help\Hexa.dll	3,280,896 bytes	MD5: 0x2AA0C3C94841CDBAC9DAAA1B7DBED3C4 SHA-1: 0xFEEC259A2D06F02509D2961C09889310DC5FC0B3
2	%Windir%\Help\Hexa.hlp	3 bytes	MD5: 0x9FC08C4F2E97894E4665BCED565424CB SHA-1: 0x099462ED691484224638E092912DF9545939441A
3	%Windir%\system\iTunesHelper.exe	3,820,032 bytes	MD5: 0x6BB2FE0DBDAEB24DB732178DC0F90FE0 SHA-1: 0xEF5B397505E71FE6E0238374C5E2DA6D93A7D680
4	%Windir%\system\library.exe	254,464 bytes	MD5: 0x961413F0CA9B56AF8D4BC3F98B449B5E SHA-1: 0xD8C91A88CC39F99C90C51D89045003AC32D67DD2
5	[file and pathname of the sample #1]	483,328 bytes	MD5: 0x9CD9918489E7457C23C4AD404B073A82 SHA-1: 0x046EA589C117C2B3E88619C5B0B062715145F38A

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	819,200 bytes
iTunesHelper.exe	%Windir%\system\ituneshelper.exe	4,157,440 bytes
library.exe	%Windir%\system\library.exe	737,280 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
Hexa.dll	%Windir%\Help\Hexa.dll	Process name: telnet.exe Process filename: %System%\telnet.exe Address space: 0x9B0000 - 0xE7F000
Hexa.dll	%Windir%\Help\Hexa.dll	Process name: telnet.exe Process filename: %System%\telnet.exe Address space: 0x930000 - 0xDFF000

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Telnet

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Firewall = "%Windir%\SYSTEM\iTunesHelper.exe"

so that iTunesHelper.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

The following port was open in the system:

Port	Protocol	Process
1051	UDP	[file and pathname of the sample #1]

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
199.7.48.190	80
204.0.5.59	80
213.186.33.19	80
66.230.187.98	80
68.142.122.70	80
68.142.123.254	80
69.55.59.148	80
69.55.62.66	80
72.247.83.191	80
74.125.159.138	80
222.165.255.240	20
222.165.255.240	21

The data identified by the following URLs was then requested from the remote web server:

http://crl.verisign.com/pca3.crl
http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl
http://crl.verisign.com/Class3CodeSigning2001.crl
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
http://agisa.ad/docs/license.htIm
http://agisa.ad/docs/license.htI
http://static.xvideos.com/css/comments_xvideos.css
http://static.xvideos.com/swf/xv-player.swf
http://static.xvideos.com/xv-style.css
http://static.xvideos.com/swf/vote.swf
http://static.xvideos.com/vote/displayFlash.js
http://static.xvideos.com/js/display_comments.js
http://img100.xvideos.com/videos/thumbs/4/9/2/492fdde7019e8a179101fe3822b01f88.25.jpg
http://img100.xvideos.com/videos/thumbs/e/e/a/eea884608c97582c7d29aec34344e780.30.jpg
http://img100.xvideos.com/videos/thumbs/0/5/c/05cea6d9cb696ac259d76502e615287b.13.jpg
http://img100.xvideos.com/videos/thumbs/5/b/0/5b09749cf8cec0df618419dd38a22bc1.13.jpg
http://img100.xvideos.com/videos/thumbs/a/6/1/a6117741c2160fc545ce7abbc3fbf6f2.26.jpg
http://img100.xvideos.com/videos/thumbs/d/6/4/d644359fff876c67486ad78e4abb593a.10.jpg
http://img100.xvideos.com/videos/thumbs/a/0/b/a0b03f17b4a696c028e8fd2889ac576f.23.jpg
http://img100.xvideos.com/videos/thumbs/0/4/4/044dbb9714cbff0d0b8e7c02c525d2ed.8.jpg
http://img100.xvideos.com/videos/thumbs/a/2/b/a2b573877c9c3e4cd41476d0feff02ea.27.jpg
http://img100.xvideos.com/videos/thumbs/8/0/a/80a260b735d2a1e25a668d3445232017.11.jpg
http://img100.xvideos.com/videos/thumbs/f/b/9/fb97cf3485735ce193e0d70f7483d9cc.14.jpg
http://img100.xvideos.com/videos/thumbs/xvideos.gif
http://cdn.loading321.com/images/57c2a351bb614892f4f2433f540b1465.jpg
http://cdn.loading321.com/images/08e2b3ecc223b26bab6263b9ecffe622.jpg
http://cdn.loading321.com/images/052131431513e9d99030c5ff70c744be.jpg
http://www.xvideos.com/video509215/fernanda_faria_eliza_samudio_ex_do_goleiro_bruno_do_flamengo
http://loading321.com/delivery/afr.php?zoneid=6&target=_blank&cb=154120365
http://loading321.com/delivery/ajs.php?zoneid=3&target=_blank&block=1&blockcampaign=1&cb=16177879906&charset=iso-8859-1&loc=http%3A//s.xvideos.com/right-ad-white.php%3F&referer=http%3A//www.xvideos.com/video509215/fernanda_faria_eliza_samudio_ex_do_goleiro_bruno_do_flamengo
http://loading321.com/delivery/lg.php?bannerid=120&campaignid=22&zoneid=6&loc=http%3A%2F%2Fs.xvideos.com%2Ffooter-blanc.php&cb=a98450b56c
http://loading321.com/delivery/lg.php?bannerid=303&campaignid=30&zoneid=3&loc=http%3A%2F%2Fs.xvideos.com%2Fright-ad-white.php%3F&referer=http%3A%2F%2Fwww.xvideos.com%2Fvideo509215%2Ffernanda_faria_eliza_samudio_ex_do_goleiro_bruno_do_flamengo&cb=fee4317fd4
http://loading321.com/delivery/lg.php?bannerid=401&campaignid=37&zoneid=3&loc=http%3A%2F%2Fs.xvideos.com%2Fright-ad-white.php%3F&referer=http%3A%2F%2Fwww.xvideos.com%2Fvideo509215%2Ffernanda_faria_eliza_samudio_ex_do_goleiro_bruno_do_flamengo&cb=8a90299e14
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
http://www.google-analytics.com/ga.js
http://s.xvideos.com/footer-blanc.php
http://s.xvideos.com/right-ad-white.php?
http://in33d.co.cc/config.php
http://l.addthiscdn.com/live/t00/250lo.gif?12yjr1g&uid=4c3cebc2aea45b33&CXNID=2000001.5215456080540439072NXC&pub=addxvideos&rev=78805&si=4c3cebbbc8cb08f5&ln=en&uf=1&pi=1&dp=www.xvideos.com&fp=video509215%2Ffernanda_faria_eliza_samudio_ex_do_goleiro_bruno_do_flamengo&pc=men
http://s7.addthis.com/static/r07/sh20.html
http://s7.addthis.com/static/btn/v2/lg-bookmark-en.gif
http://s7.addthis.com/js/250/addthis_widget.js
http://s7.addthis.com/static/r07/widget40.css

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

There was an outbound traffic produced on port 20:

There was an outbound traffic produced on port 21:

There was an outbound traffic produced on port 80:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.