Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet. | (not recorded)
Contains characteristics of an identified security risk. | (not recorded)


Technical Details:


Possible Security Risk

Threat Category | Description
(not recorded) | A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
(not recorded) | A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment


File System Modifications

# | Filename(s) | File Size | File Hash | Alias

1. %AllUsersProfile%\SxS\bug.log
   File Size: 2,442 bytes
   MD5: 0x4F965C050B5FFD59BA59117BD289457F
   SHA-1: 0x66CC752A5AB484F805EC106E558859092F8E5AE5
   Alias: (not available)

2. %AllUsersProfile%\Wins\NvSmart.chm
   File Size: 158,963 bytes
   MD5: 0xD26241931399BC51FF8F319E0DB341D4
   SHA-1: 0xD56819D561875E78359D231C079D6BFB5D9BA867
   Alias: (not available)

3. %AllUsersProfile%\Wins\NvSmart.exe
   File Size: 47,208 bytes
   MD5: 0x09B8B54F78A10C435CD319070AA13C28
   SHA-1: 0x6474D0369F97E72E01E4971128D1062F5C2B3656
   Alias: (not available)

4. %AllUsersProfile%\Wins\NvSmartMax.dll
   File Size: 4,608 bytes
   MD5: 0x0674A0929AEC3DB11383523B40FA36D1
   SHA-1: 0x9F50AA213232690E06AA49B7E7B1640127429117
   Alias: Backdoor.Korplug [Symantec]; Generic FakeAlert!bgf [McAfee]; Mal/FakeAV-CX [Sophos]; Trojan:Win32/Plugx.B [Microsoft]; Trojan.Win32.Plugx [Ikarus]

5. c:\ProgramData\2012?_????_????.rtf
   File Size: 0 bytes
   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
   SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)

6. c:\ProgramData\svchost.exe
   File Size: 349,696 bytes
   MD5: 0x875786034DFE182B997244266EAA3387
   SHA-1: 0x8D89F99546C8D0B36A602881A033E8D2C4794C0F
   Alias: Trojan.Win32.Genome.afzgq [Kaspersky Lab]; Backdoor:Win32/Plugx.A [Microsoft]; Backdoor.Win32.Plugx [Ikarus]

7. [file and pathname of the sample #1]
   File Size: 354,850 bytes
   MD5: 0xA384DF1DE538A2447A9B79327D283DDE
   SHA-1: 0xEFC6957B94FFB268D4BBCD5A72B6EC17BB09E4D3
   Alias: Trojan.Win32.Genome.afzgq [Kaspersky Lab]; Backdoor.Win32.Plugx [Ikarus]


Memory Modifications

Process Name | Process Filename | Main Module Size
svchost.exe | c:\programdata\svchost.exe | 376,832 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 180,224 bytes
NvSmart.exe | %AllUsersProfile%\Wins\NvSmart.exe | 53,248 bytes


Registry Modifications


Other details

China

Server Name | Server Port | Connect as User | Connection Password
upa.realnetsupport.com | 80 | (null) | (null)


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.