Submission Summary:

• Submission details:
• Submission received: 11 November 2009, 23:06:58
• Processing time: 5 min 56 sec
• Submitted sample:
• File MD5: 0xA44CFCF97045E606714BDFE7E18CECBA
• File SHA-1: 0xB896F2465E72D95E11FF8B9105E90856B3EAE162
• Filesize: 125,302 bytes
• Alias:
• Trojan.Generic [PCTools]
• Trojan Horse [Symantec]
• Mal/Autorun-K [Sophos]
• Worm:Win32/Taterf.B [Microsoft]
• Worm.Win32.Taterf [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Rootkit.Agent.YYF	Rootkit.Agent.YYF injects rootkit components into Windows processes and attempts to hides itself from detection. It also made changes to Windows Explorer settings and download other malicious files from external servers.

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	63 bytes	MD5: 0xDB1276F147B4EA481F5E24D8441FA797 SHA-1: 0x9C282B3CC73D80EFFD09065E6E73C27AAF7C7ABD	(not available)
2	c:\k9cuos2q.exe %System%\aqoeerw.exe [file and pathname of the sample #1]	125,302 bytes	MD5: 0xA44CFCF97045E606714BDFE7E18CECBA SHA-1: 0xB896F2465E72D95E11FF8B9105E90856B3EAE162	Trojan.Generic [PCTools] Trojan Horse [Symantec] Mal/Autorun-K [Sophos] Worm:Win32/Taterf.B [Microsoft] Worm.Win32.Taterf [Ikarus]
3	%System%\bnmkue0.dll %System%\bnmkue1.dll	84,528 bytes	MD5: 0x21CFD02CF66FF027C0A9AA723F139F75 SHA-1: 0x30C7D3E20C3740B116FF61ADEB04182E17733FB0	Mal/Generic-A [Sophos] TrojanDownloader:Win32/Injector.gen!W [Microsoft] Worm.Win32.Taterf [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
bnmkue0.dll	%System%\bnmkue0.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2060000 - 0x20AB000

• Notes:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
• urlinfo = "awsser.h"
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• coolsos = "%System%\aqoeerw.exe"

so that aqoeerw.exe runs every time Windows starts

• The following Registry Value was modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
• CheckedValue =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://www.sina90f.com/1tw/at1.rar
• http://www.sina6ho.com/1tw/at.rar