Submission Summary:

What's been found    Severity Level
Contains characteristics of an identified security risk.


Technical Details:



Possible Security Risk

Threat Category    Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

#    Filename(s)    File Size    File Hash    Alias
1 %AppData%\SkinSoft\VisualStyler\2.3.3.7\x86\ssapihook.dll 58,368 bytes MD5: 0xD7F644C06B4CDE60651D02AED6B4174D
SHA-1: 0xAE1C05821DCCCB3280C7A9CBF4CE8D00D1EB680F
(not available)
2 %Temp%\1.exe 24,064 bytes MD5: 0xAD306A85E26F46946C7D0262666ADDB8
SHA-1: 0x0B921151BB1367E2200D42F2676478A6C58649F4
Trojan.Gen.2 [Symantec]
Generic.dx!b2sv [McAfee]
Mal/Generic-L [Sophos]
not-a-virus.Keygen.FolderLock [Ikarus]
packed with MPRESS [Kaspersky Lab]
3 %Temp%\2.exe 76,800 bytes MD5: 0x2C3D5BCEBDD8814B33DC0AA4648B2C9C
SHA-1: 0xF2345D924268306FB75D190FB7B5B194D56A201E
Trojan.Gen.2 [Symantec]
not-a-virus:RiskTool.Win32.Patcher.dk [Kaspersky Lab]
Troj/Agent-WFN [Sophos]
Trojan.Win32.Spy [Ikarus]
4 %Temp%\3.exe 57,344 bytes MD5: 0x89B9BDBFD7531AAAEEAF6DA759A5F681
SHA-1: 0x4772E5D67FF6259AF3B5940D8B746C733FEB5903
Generic PUP.x!yu [McAfee]
Mal/KeyGen-M, Mal/KeyGen-M [Sophos]
not-a-virus.Keygen.Flashback [Ikarus]
packed with UPX [Kaspersky Lab]
5 %Temp%\4.exe 66,048 bytes MD5: 0xF9C52DDAAA88DEE2E898A66C0D924CBC
SHA-1: 0x758A9473D46C9954B3546F8DF387C748841B43F9
Trojan.Gen.2 [Symantec]
Trojan.Win32.Genome.afiqq [Kaspersky Lab]
Mal/Agent-ACR [Sophos]
Trojan.Backdoor.Agent [Ikarus]
6 %Temp%\5.exe 66,048 bytes MD5: 0x3AC8D99D3AC8330963CB07EE2921D4A3
SHA-1: 0x7D8910C4DA3BDD31776B489DA4C6621D7D7E8F34
Mal/Agent-ACR [Sophos]
Trojan.Backdoor.Agent [Ikarus]
7 %Temp%\6.exe 52,224 bytes MD5: 0x7369D0DC2740DA0C9718F0D179F8BB80
SHA-1: 0xEB3C8DD07DEA18E96933B0EC6CB7FB3B62D4974C
Mal/KeyGen-M, Mal/KeyGen-M [Sophos]
not-a-virus.Keygen.Bitsum [Ikarus]
8 %Temp%\7.exe 393,728 bytes MD5: 0x073BA11CA04E693C27968FF91B30AB8D
SHA-1: 0xB46BE7A2E3EAE7E9E5F82EDCE4B7EB0A76F7E2ED
Packed.Vmpbad!gen4 [Symantec]
Mal/KeyGen-M [Sophos]
Virus.Win32.NSAnti [Ikarus]
9 %Temp%\8.exe 3,927,040 bytes MD5: 0x268C46E4A87D660D85546B0E979375A9
SHA-1: 0x44D92219B5DD60D438EE413A78ED9137834CD2DB
(not available)
10 %Temp%\BouncyCastle.Crypto.dll 1,503,233 bytes MD5: 0x757DA080FDBA39F133E07F489E716520
SHA-1: 0xD3AF7B82ADE6E6DA66FF8860835AC8BAAF46720F
(not available)
11 %Temp%\dup2patcher.dll 56,832 bytes MD5: 0x43BCD632E19AC3FDC43E7958465CE835
SHA-1: 0x30454241E95B78DDB125A4C784F160609589EE5F
(not available)
12 %Temp%\SkinSoft.VisualStyler.dll 976,385 bytes MD5: 0x8F531A62E57A8964A65B8262DA5611C4
SHA-1: 0x2E5B1593ABA0FF3DDE678B31734955BC19050AA4
(not available)
13 %Temp%\Temp_Skin.vssf 215,526 bytes MD5: 0xF3390BCC7835C2DEB64F87642D72D3BF
SHA-1: 0x43F6FA885A8C19558B3E97FE4E6D2AC9DF108F9E
(not available)
14 [file and pathname of the sample #1] 4,384,952 bytes MD5: 0xA24C7C48ECAEDA1E88DDB16491751195
SHA-1: 0x55449D60D42B410185A79BDCFD997A31CDE2D679
Trojan.Gen.2 [Symantec]
not-a-virus:RiskTool.Win32.Patcher.dk, Trojan.Win32.Genome.afiqq [Kaspersky Lab]
not-a-virus.Keygen.Flashback [Ikarus]
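The table above gives each dropped component with its size, MD5 and SHA-1, and the vendor aliases, which mix "not-a-virus" keygen/patcher labels, Trojan/Backdoor detections and "packed with" packer notes. As an added example, not ThreatExpert's code and not part of the original report, the following Python script parses those rows into indicator records, sorts each vendor label into a malware, riskware or packer bucket (the marker list is this example's heuristic, not any vendor's taxonomy), and hashes the listed drop paths on a host to check for the components. The embedded rows are copied from entries 2, 10 and 14 of the table; Artifact, parse_report, classify, build_index, lookup and hunt are names chosen here.

```python
# Added example for this report page, not ThreatExpert code: parse the flattened
# file table into indicators, sort vendor labels, and hash files on a host.
import hashlib
import os
import re
from dataclasses import dataclass, field
from pathlib import Path

# Entries 2, 10 and 14 copied from the table above; they cover multi-vendor
# aliases, "(not available)", a path with spaces and a comma-separated alias.
REPORT_ROWS = r"""
2 %Temp%\1.exe 24,064 bytes MD5: 0xAD306A85E26F46946C7D0262666ADDB8
SHA-1: 0x0B921151BB1367E2200D42F2676478A6C58649F4
Trojan.Gen.2 [Symantec]
Generic.dx!b2sv [McAfee]
Mal/Generic-L [Sophos]
not-a-virus.Keygen.FolderLock [Ikarus]
packed with MPRESS [Kaspersky Lab]
10 %Temp%\BouncyCastle.Crypto.dll 1,503,233 bytes MD5: 0x757DA080FDBA39F133E07F489E716520
SHA-1: 0xD3AF7B82ADE6E6DA66FF8860835AC8BAAF46720F
(not available)
14 [file and pathname of the sample #1] 4,384,952 bytes MD5: 0xA24C7C48ECAEDA1E88DDB16491751195
SHA-1: 0x55449D60D42B410185A79BDCFD997A31CDE2D679
Trojan.Gen.2 [Symantec]
not-a-virus:RiskTool.Win32.Patcher.dk, Trojan.Win32.Genome.afiqq [Kaspersky Lab]
not-a-virus.Keygen.Flashback [Ikarus]
"""

ENTRY_RE = re.compile(r"^(?P<n>\d+) (?P<path>.+?) (?P<size>[\d,]+) bytes MD5: 0x(?P<md5>[0-9A-Fa-f]{32})$")
SHA1_RE = re.compile(r"^SHA-1: 0x(?P<sha1>[0-9A-Fa-f]{40})$")
ALIAS_RE = re.compile(r"^(?P<names>.+) \[(?P<vendor>[^\]]+)\]$")
# Heuristic chosen for this example: substrings marking a label as riskware, not malware.
RISKWARE_MARKERS = ("not-a-virus", "keygen", "patcher", "risktool", "pup")


@dataclass
class Artifact:
    index: int
    path: str
    size: int
    md5: str
    sha1: str = ""
    aliases: dict = field(default_factory=dict)  # vendor -> [detection names]


def parse_report(text):
    """Parse flattened table rows into Artifact records (hashes lower-cased)."""
    artifacts = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := ENTRY_RE.match(line):
            size = int(m["size"].replace(",", ""))
            artifacts.append(Artifact(int(m["n"]), m["path"], size, m["md5"].lower()))
        elif artifacts and (m := SHA1_RE.match(line)):
            artifacts[-1].sha1 = m["sha1"].lower()
        elif artifacts and (m := ALIAS_RE.match(line)):
            names = [n.strip() for n in m["names"].split(",")]
            artifacts[-1].aliases.setdefault(m["vendor"], []).extend(names)
        elif line != "(not available)":  # the report's marker for "no alias"
            raise ValueError(f"unrecognised line: {line!r}")
    return artifacts


def classify(artifact):
    """Split vendor labels into malware detections, riskware labels and packer notes."""
    buckets = {"malware": [], "riskware": [], "packer": []}
    for name in (n for names in artifact.aliases.values() for n in names):
        low = name.lower()
        if low.startswith("packed with"):  # packer identification, not a verdict
            buckets["packer"].append(name)
        elif any(marker in low for marker in RISKWARE_MARKERS):
            buckets["riskware"].append(name)
        else:
            buckets["malware"].append(name)
    return buckets


def hash_bytes(data):
    """Return (md5, sha1) hex digests, the two hash types the report lists."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def build_index(artifacts):
    """Map every known MD5 and SHA-1 (lower-case hex) to its Artifact."""
    return {h: a for a in artifacts for h in (a.md5, a.sha1) if h}


def lookup(md5, sha1, index):
    """Return the Artifact matching either hash, or None."""
    return index.get(md5.lower()) or index.get(sha1.lower())


def hunt(paths, index):
    """Hash each existing file; return (path, Artifact) per hit. %Temp% expands on Windows only."""
    hits = []
    for raw in paths:
        p = Path(os.path.expandvars(raw))
        if p.is_file() and (hit := lookup(*hash_bytes(p.read_bytes()), index)):
            hits.append((str(p), hit))
    return hits


if __name__ == "__main__":
    arts = parse_report(REPORT_ROWS)
    for a in arts:
        print(f"#{a.index} {a.path} ({a.size:,} bytes) MD5={a.md5}")
        print("   ", {k: v for k, v in classify(a).items() if v})
    drop_paths = [a.path for a in arts if not a.path.startswith("[")]  # skip placeholder
    for path, a in hunt(drop_paths, build_index(arts)):
        print(f"HIT {path} -> report entry #{a.index}")
```

Run it on the machine under investigation: hunt() expands %Temp% and %AppData% only where os.path.expandvars understands Windows syntax, so on another platform pass the collected files' paths explicitly. Matching on MD5 or SHA-1 finds byte-identical copies only; the "packed with MPRESS" and "packed with UPX" notes in the table mean a repacked build of the same component would need different indicators.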


Memory Modifications

Process Name    Process Filename    Main Module Size
5.exe    %Temp%\5.exe    815,104 bytes
6.exe    %Temp%\6.exe    356,352 bytes
7.exe    %Temp%\7.exe    819,200 bytes
8.exe    %Temp%\8.exe    3,944,448 bytes
1.exe    %Temp%\1.exe    61,440 bytes
2.exe    %Temp%\2.exe    94,208 bytes
3.exe    %Temp%\3.exe    376,832 bytes
4.exe    %Temp%\4.exe    815,104 bytes

Module Name    Module Filename    Address Space Details
BouncyCastle.Crypto.dll    %Temp%\BouncyCastle.Crypto.dll    Process name: 8.exe
Process filename: %Temp%\8.exe
Address space: 0x57C0000 - 0x5932000
SkinSoft.VisualStyler.dll    %Temp%\SkinSoft.VisualStyler.dll    Process name: 8.exe
Process filename: %Temp%\8.exe
Address space: 0x5C40000 - 0x5D34000


Other details

United Kingdom
China


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.