ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 13 September 2009, 23:14:37
Processing time: 5 min 20 sec
Submitted sample:

File MD5: 0xAD88A2982393D541F77E628C012F6174
File SHA-1: 0xB9C23B5DA33E8D30FCB0B38711982060045C7EAC
Filesize: 81,920 bytes

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Clicker.Small.KJ	Trojan.Clicker.Small.KJ contacts a remote server in order to download additional malware onto a users computer without their knowledge.

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	%Windir%\csrs.exe [file and pathname of the sample #1]	81,920 bytes	MD5: 0xAD88A2982393D541F77E628C012F6174 SHA-1: 0xB9C23B5DA33E8D30FCB0B38711982060045C7EAC

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
csrs.exe	%Windir%\csrs.exe	331,776 bytes

Registry Modifications

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Windows Services = "csrs.exe"

so that csrs.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]

Windows Services = "csrs.exe"

so that csrs.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex objects were created:

.NET CLR Data_Perf_Library_Lock_PID_788
.NET CLR Networking_Perf_Library_Lock_PID_788
.NET Data Provider for Oracle_Perf_Library_Lock_PID_788
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_788
.NETFramework_Perf_Library_Lock_PID_788
ASP.NET_Perf_Library_Lock_PID_788
ASP.NET_2.0.50727_Perf_Library_Lock_PID_788
aspnet_state_Perf_Library_Lock_PID_788
ContentFilter_Perf_Library_Lock_PID_788
ContentIndex_Perf_Library_Lock_PID_788
ISAPISearch_Perf_Library_Lock_PID_788
PerfDisk_Perf_Library_Lock_PID_788
PerfNet_Perf_Library_Lock_PID_788
PerfOS_Perf_Library_Lock_PID_788
PerfProc_Perf_Library_Lock_PID_788
PSched_Perf_Library_Lock_PID_788
RemoteAccess_Perf_Library_Lock_PID_788
RSVP_Perf_Library_Lock_PID_788
Spooler_Perf_Library_Lock_PID_788
TapiSrv_Perf_Library_Lock_PID_788
Tcpip_Perf_Library_Lock_PID_788
TermService_Perf_Library_Lock_PID_788
WmiApRpl_Perf_Library_Lock_PID_788

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.