ThreatExpert Report: VirTool:Win32/VBInject.KR, Trojan-Dropper.Delf.V, Downloader..

Submission Summary:

Submission details:

Submission received: 1 November 2010, 15:01:12
Processing time: 7 min 2 sec
Submitted sample:

File MD5: 0xAF50834B5F46303AC26F218B4031AEDF
File SHA-1: 0x51347BBC195801BB127E5CAC49B3571E065D9A44
Filesize: 155,648 bytes
Alias: VirTool:Win32/VBInject.KR [Microsoft]

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Produces outbound traffic.
Downloads/requests other files from Internet.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\irpz.exe	364,544 bytes	MD5: 0xD4A52CD8F76EF97F0B2913D797C78368 SHA-1: 0x15A477DA6F69BCA3C5FA49A3F2D232BD4A85AB17	Trojan-Dropper.Delf.V [PCTools] Downloader [Symantec] Trojan.Win32.Delf.ahcb [Kaspersky Lab] Generic.dx!ukd [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Meredrop [Microsoft] Trojan-Dropper.Delf [Ikarus] Dropper/Malware.364544.AU [AhnLab]
2	%System%\crt.dat	12 bytes	MD5: 0x477EB275173789FE2F03C2A2B69B6663 SHA-1: 0x49C318C736682F6253CAA20AF48D47BDA79F1108	(not available)
3	%System%\cryptnet32.dll	46,592 bytes	MD5: 0x6BF89F21E40016AE9002512143B69055 SHA-1: 0xE77C8D2B90B84CD72BCEFBB703FB24CC5AF421B3	Trojan-Dropper.Delf.V [PCTools] Trojan.Gen [Symantec] Trojan.Win32.Delf.ahif [Kaspersky Lab] Generic.dx!ukc [McAfee] Trojan:Win32/Lukicsel.G [Microsoft]
4	%System%\shimg.dll	295,554 bytes	MD5: 0x1ADD3051C3C78101633623BF306ECC78 SHA-1: 0x069480E0CBCBD72AC131623CF577AA2D8D8E3700	(not available)

Notes:

%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	98,304 bytes
svchost.exe	%System%\svchost.exe	118,784 bytes
svchost.exe	%System%\svchost.exe	200,704 bytes
svchost.exe	%System%\svchost.exe	217,088 bytes
svchost.exe	%System%\svchost.exe	24,576 bytes
svchost.exe	%System%\svchost.exe	45,056 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data]

data5 = 48 52 37 36 2C 11 58 93 F6 70 E8 43 85 E9 5F 91 F0 72 F2 41 DE 35 D4 BE A8 8F F4 77 E2 64 C6 33 2F 30 36 3E 33 17 5A 8B CA 43 8B 02 C5 AD 5B 82 F9 73 F5 78 D9 76 D4 E3 E7 CA F1 79 F4 65 CE 34 0C 08

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32]

DllName = "cryptnet32.dll"
Startup = "WinlogonStartupEv"
Logoff = "WinlogonLogoffEv"
Shutdown = "WinlogonLogoffEv"
Asynchronous = 0x00000001
Impersonate = 0x00000000

so that cryptnet32.dll is installed as a Winlogon notification package

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
173.193.205.116	8014
174.57.9.202	6346
187.126.14.138	6346
41.207.24.209	6346
68.82.236.203	6346
82.127.10.84	6346
87.67.121.103	6346
88.160.177.54	6346
90.60.96.83	6346
92.144.27.57	6346
193.143.121.198	80
74.125.227.20	80
91.211.117.76	80
69.42.218.75	8878

The data identified by the following URLs was then requested from the remote web server:

http://cache.wru.pl/skulls.php?net=gnutella2&get=1&client=RAZA2.5.0.0
http://www.google.com/

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

There was an outbound traffic produced on port 8014:

There was an outbound traffic produced on port 6346:

There was an outbound traffic produced on port 80:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.