ThreatExpert Report: Trojan.Msil

Submission Summary:

Submission details:

Submission received: 22 October 2012, 18:06:44
Processing time: 9 min 16 sec
Submitted sample:

File MD5: 0x9EE5F7A2B384618981C03E9623DB5774
File SHA-1: 0xE7A2A4D8B9941746DBAAD7D7FC9E603014DB68DA
Filesize: 1,978,367 bytes
Packer info: packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.ProRAT.K	ProRAT.K is a remote administrative trojan. It allows an attacker to take full control of a compromised computer. It also logs all keystrokes to a text file which can be accessed by the attacker. It also hides itself from task manager and process monitors.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\! My Picutre.SCR %Temp%\server.exe %Temp%\Trojan.exe %Programs%\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	297,472 bytes	MD5: 0x557607877F644331D9366365E584CC56 SHA-1: 0x63D92209F6E63F8142F45E46233048E1F3C31CC3	Trojan.Msil [Ikarus]
2	%Temp%\procexp.exe	2,674,800 bytes	MD5: 0x39D5F7A6ED4A155BE7D72B673BEE6585 SHA-1: 0x660082E54A3698B45C395264B18466344E012693	(not available)
3	%Temp%\Trojan.exe.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
4	[file and pathname of the sample #1]	1,978,367 bytes	MD5: 0x9EE5F7A2B384618981C03E9623DB5774 SHA-1: 0xE7A2A4D8B9941746DBAAD7D7FC9E603014DB68DA	packed with UPX [Kaspersky Lab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
procexp.exe	%Temp%\procexp.exe	2,826,240 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	1,228,800 bytes
Trojan.exe	%Temp%\trojan.exe	N/A

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer
HKEY_CURRENT_USER\Software\5cd8f17f4086744065eb0992a09e05a2

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

5cd8f17f4086744065eb0992a09e05a2 = ""%Temp%\Trojan.exe" .."

so that Trojan.exe runs every time Windows starts

[HKEY_CURRENT_USER\Environment]

SEE_MASK_NOZONECHECKS = "1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

5cd8f17f4086744065eb0992a09e05a2 = ""%Temp%\Trojan.exe" .."

so that Trojan.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\5cd8f17f4086744065eb0992a09e05a2]

US = "@"

Other details

Analysis of the file resources indicate the following possible country of origin:

United Kingdom

To mark the presence in the system, the following Mutex objects were created:

.NET CLR Data_Perf_Library_Lock_PID_78c
.NET CLR Networking_Perf_Library_Lock_PID_78c
.NET Data Provider for Oracle_Perf_Library_Lock_PID_78c
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_78c
.NETFramework_Perf_Library_Lock_PID_78c
ASP.NET_Perf_Library_Lock_PID_78c
ASP.NET_2.0.50727_Perf_Library_Lock_PID_78c
aspnet_state_Perf_Library_Lock_PID_78c
ContentFilter_Perf_Library_Lock_PID_78c
ContentIndex_Perf_Library_Lock_PID_78c
ISAPISearch_Perf_Library_Lock_PID_78c
PerfDisk_Perf_Library_Lock_PID_78c
PerfNet_Perf_Library_Lock_PID_78c
PerfOS_Perf_Library_Lock_PID_78c
PerfProc_Perf_Library_Lock_PID_78c
PSched_Perf_Library_Lock_PID_78c
RemoteAccess_Perf_Library_Lock_PID_78c
RSVP_Perf_Library_Lock_PID_78c
Spooler_Perf_Library_Lock_PID_78c
TapiSrv_Perf_Library_Lock_PID_78c
Tcpip_Perf_Library_Lock_PID_78c
TermService_Perf_Library_Lock_PID_78c
WmiApRpl_Perf_Library_Lock_PID_78c
5cd8f17f4086744065eb0992a09e05a2

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.