ThreatExpert Report: Trojan.DL.CKSPost.Gen, Backdoor.Trojan, Backdoor.Win32.Poison.pg..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 2 February 2009, 19:27:46
Processing time: 6 min 18 sec
Submitted sample:

File MD5: 0xA4E50F3E814D46C5D90BA26E370BBC14
File SHA-1: 0x5B25FFD3355CB13814367B4FE76EF4EAB36A2CC8
Filesize: 7,680 bytes
Alias:

Trojan.DL.CKSPost.Gen [PCTools]
Backdoor.Trojan [Symantec]
Backdoor.Win32.Poison.pg [Kaspersky Lab]
BackDoor-DKI.gen.a [McAfee]
Troj/Keylog-JV [Sophos]
Backdoor:Win32/Poisonivy.E [Microsoft]
Virus.Win32.Poison [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-PWS.QQRob.U	Trojan-PWS.QQRob.U installs itself in the system folder. It downloads malicious code from the internet and attempts to turn off any running anti-virus application. It then steals passwords and sends them to predefined servers on the internet.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\svchot.exe	7,680 bytes	MD5: 0xA4E50F3E814D46C5D90BA26E370BBC14 SHA-1: 0x5B25FFD3355CB13814367B4FE76EF4EAB36A2CC8	Trojan.DL.CKSPost.Gen [PCTools] Backdoor.Trojan [Symantec] Backdoor.Win32.Poison.pg [Kaspersky Lab] BackDoor-DKI.gen.a [McAfee] Troj/Keylog-JV [Sophos] Backdoor:Win32/Poisonivy.E [Microsoft] Virus.Win32.Poison [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	7,680 bytes
svchot.exe	%System%\svchot.exe	7,680 bytes

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBAF26A6-5791-F60F-FACD-279D857DD737}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBAF26A6-5791-F60F-FACD-279D857DD737}]

StubPath = "%System%\svchot.exe"

so that svchot.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

a = "%System%\svchot.exe"

so that svchot.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex object was created:

)!VoqA.I4

The following ports were open in the system:

Port	Protocol	Process
1033	TCP	[file and pathname of the sample #1]
1034	TCP	svchot.exe (%System%\svchot.exe)
1035	TCP	svchot.exe (%System%\svchot.exe)

The following Host Name was requested from a host database:

9x9.no-ip.info

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
9x9.no-ip.info	3460

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3460:

00000000 | 1D36 8F9A E6EB CFED 2249 DE89 E7EF 04FE | .6......"I......
00000010 | 91C0 F749 09AF 6EB8 9467 58B4 6BC6 8D5D | ...I..n..gX.k..]
00000020 | FE5D 3625 0DE1 5EF9 941D 2A86 BC84 ADC5 | .]6%..^...*.....
00000030 | D224 C2B9 1BCD EE8A 6741 AEC6 83B5 2818 | .$......gA....(.
00000040 | 0C03 14FD AFB8 C92A 2B03 DCCD E540 E0D8 | .......*+....@..
00000050 | 39EF 4FA8 9DD0 305F 7C6E 6316 082E 1C19 | 9.O...0_|nc.....
00000060 | 122D D5B8 6B23 592A 3702 4861 F908 5929 | .-..k#Y*7.Ha..Y)
00000070 | 93A2 1ACC 4123 CE3C 05F4 DF8B A056 5569 | ....A#.<.....VUi
00000080 | 8F69 B0C9 8A15 854F E234 974F E015 9B77 | .i.....O.4.O...w
00000090 | 2EE0 B96A FE51 2846 5DB6 A326 E952 66D2 | ...j.Q(F]..&.Rf.
000000A0 | D03E 1DBA FC91 F5E4 1025 E788 2E98 5406 | .>.......%....T.
000000B0 | 908F 8610 625E 79A5 617F B005 48D0 DD87 | ....b^y.a...H...
000000C0 | ED68 8F55 05D8 58D7 65A4 ABE2 A5DC 47A4 | .h.U..X.e.....G.
000000D0 | 9117 4C7E 6FD8 0EE3 649C 9462 6177 64C9 | ..L~o...d..bawd.
000000E0 | 6E33 F186 4993 9ADE 041C B92B 067D 398F | n3..I......+.}9.
000000F0 | 435A 40AE 1049 D8CB 4809 3B10 E585 859D | CZ@..I..H.;.....
00000000 | F698 7847 AA89 4F0C D0CA 3282 3DE5 DAE9 | ..xG..O...2.=...
00000010 | E19E 219B BCB9 DE4A 1EDD 059A FEA5 6A1F | ..!....J......j.
00000020 | 128D 5EE6 3672 F679 D964 E198 BEF9 1999 | ..^.6r.y.d......
00000030 | C271 7A7C 065F 9F0B 6044 FBCB A213 0073 | .qz|._..`D.....s
00000040 | 2735 AF8D 313C 6985 E56B D737 A9DA 51D6 | '5..1<i..k.7..Q.
00000050 | C35D 8BBF A84B 32AB FD0E C699 9FDD C94C | .]...K2........L
00000060 | 2CD7 E85F D147 33E7 6B9F 263C 1B69 1496 | ,.._.G3.k.&<.i..
00000070 | 49A5 4C1A 0C87 1BF5 842C 46EA C520 13A2 | I.L......,F.. ..
00000080 | B15D C5D0 1667 C474 EF8F 62C3 2480 AD93 | .]...g.t..b.$...
00000090 | 5A13 B874 BD46 33E4 76D0 A8B8 F144 E42E | Z..t.F3.v....D..
000000A0 | D7A0 2D9C F12D 80A8 3091 9900 F141 5D02 | ..-..-..0....A].
000000B0 | 9E17 FCDB 379E B586 1364 71C6 3E83 3ACA | ....7....dq.>.:.
000000C0 | A987 B308 2305 533D A66A 3E2E FD99 8293 | ....#.S=.j>.....
000000D0 | EBF5 76C3 6C1C EF2F 8112 07D9 498C 80B1 | ..v.l../....I...
000000E0 | A995 99DE 8AE1 A4EC 2FDF 1DBE BCCF 0B72 | ......../......r
000000F0 | 39D1 3085 0B82 8797 291E 066A 9563 E22A | 9.0.....)..j.c.*
00000000 | DCB1 E4FE DAC8 5973 0B4B E0AA B9F0 0745 | ......Ys.K.....E
00000010 | 24E7 0520 348C B6C1 4D45 0687 6521 88DF | $.. 4...ME..e!..
00000020 | 5911 0A94 AD9E BB2A 1E5D 2E51 2928 682F | Y......*.].Q)(h/
00000030 | 1F3A 5A59 638B 392E B180 5575 C1A8 894B | .:ZYc.9...Uu...K
00000040 | 37F9 CA8F 97EA 9AFD 7899 19BB 49D8 F214 | 7.......x...I...
00000050 | DF13 BE01 BFCE FC0C 83F7 1C13 6FBD C7B1 | ............o...
00000060 | 56BD 824C BCBE 3B27 D405 DEBB 40EA 1456 | V..L..;'....@..V
00000070 | 58A5 0985 A204 8C0D 5529 966E B97E BC3B | X.......U).n.~.;
00000080 | CF4D B18D F423 7FDF 0777 241F D677 3D04 | .M...#...w$..w=.
00000090 | 1C2A C3C7 3950 28E8 AA8C 00BB A799 3AF4 | .*..9P(.......:.
000000A0 | CA0F F93B 114C 2A2C 649A 1D1B D397 E99D | ...;.L*,d.......
000000B0 | FDFF B670 C846 7535 9BB6 866F A5D0 D88C | ...p.Fu5...o....
000000C0 | E851 E817 0450 958A 0D56 A9FB ACA7 5238 | .Q...P...V....R8
000000D0 | B6BA 2628 9B26 7759 4B5E A5FC F784 1CBE | ..&(.&wYK^......
000000E0 | 248E B665 03C3 DB83 9C77 74D5 BFF0 B2A5 | $..e.....wt.....
000000F0 | 63F3 DA2E BAEE 9E6A F8F7 55AE B1C2 E145 | c......j..U....E

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.