Submission Summary:

• Submission details:
• Submission received: 1 September 2009, 17:20:25
• Processing time: 7 min 10 sec
• Submitted sample:
• File MD5: 0xA960B54E7FF0C07D560493EAF5897CC0
• File SHA-1: 0xE1FFFDA7445F1D0F5AD738C2B8AB31A0379AF78B
• Filesize: 29,796 bytes
• Alias & packer info:
• Mal/Generic-A [Sophos]
• VirTool.Win32.VBInject [Ikarus]
• packed with: PE_Patch.UPX [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Creates desktop.ini system file in the fake Recycle Bin folder in order to register it in Windows as a valid Recycle Bin.
Creates an executable file in the fake Recycle Bin folder with the purpose of concealing its presence in the system.
Creates fake Recycle Bin folder.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Worm.Autorun.DHA	Worm.AutoRun.DHA is a network-aware worm that attempts to replicate across the existing network(s).

• Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\RECYCLER\S-51-9-25-3434476501-1644491961-601003312-1214\Desktop.ini	63 bytes	MD5: 0xE783BDD20A976EAEAAE1FF4624487420 SHA-1: 0xC2A44FAB9DF00B3E11582546B16612333C2F9286	(not available)
2	c:\RECYCLER\S-51-9-25-3434476501-1644491961-601003312-1214\hjec.exe %Windir%\crypted.exe	14,336 bytes	MD5: 0x18CBB9C2563B850D33417EFD8ECF49F1 SHA-1: 0x32945A8366E7D6066B85ECB5DBB0A0B13F6B0E35	Worm.Win32.AutoRun.gmf [Kaspersky Lab] W32/Autoham-Fam [Sophos] Worm:Win32/Hamweq.A [Microsoft] Worm.Win32.Hamweq [Ikarus] Win-Trojan/Agent.13824.FE [AhnLab]
3	[file and pathname of the sample #1]	29,796 bytes	MD5: 0xA960B54E7FF0C07D560493EAF5897CC0 SHA-1: 0xE1FFFDA7445F1D0F5AD738C2B8AB31A0379AF78B	Mal/Generic-A [Sophos] VirTool.Win32.VBInject [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]

• Note:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following directory was created:
• c:\RECYCLER\S-51-9-25-3434476501-1644491961-601003312-1214

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
crypted.exe	%Windir%\crypted.exe	24,576 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	20,480 bytes
hjec.exe	c:\recycler\s-51-9-25-3434476501-1644491961-601003312-1214\hjec.exe	24,576 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
• StubPath = "c:\RECYCLER\S-51-9-25-3434476501-1644491961-601003312-1214\hjec.exe"

so that hjec.exe runs every time Windows starts

Other details

• The following Host Name was requested from a host database:
• www.BALDMANPOWER.COM