ThreatExpert Report: Trojan:Win32/Delflob.I, Trojan.Win32.BHO.fby

Submission Summary:

Submission details:

Submission received: 31 July 2008, 15:32:39
Processing time: 4 min 50 sec
Submitted sample:

File MD5: 0xB321E342E7DC5740D4A128E02F0226A9
File SHA-1: 0x092C2BAACF8C4A37C8CA34E0CAD1C9EE7904D8D4
Filesize: 50,189 bytes
Alias: Trojan:Win32/Delflob.I [Microsoft]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.FakeAlert	Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some settings of windows which include:- disabling permissions for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.
Trojan-Downloader.Delf	Trojan-Downloader.Delf will contact a remote server to download additional malware onto a users computer without their knowledge.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\aol2toolbar.dll	18,944 bytes	MD5: 0xA09B02FDFF95F968ABE094DE47CBD882 SHA-1: 0xCD19C9B7673B6C59584D0A681B618D4A32899439	Trojan.Win32.BHO.fby [Kaspersky Lab]
2	[file and pathname of the sample #1]	50,189 bytes	MD5: 0xB321E342E7DC5740D4A128E02F0226A9 SHA-1: 0x092C2BAACF8C4A37C8CA34E0CAD1C9EE7904D8D4	Trojan:Win32/Delflob.I [Microsoft]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	73,728 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}
HKEY_CURRENT_USER\Software\Microsoft\Bind

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\VersionIndependentProgID]

(Default) = "BhoNew.Bho"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\TypeLib]

(Default) = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\ProgID]

(Default) = "BhoNew.Bho.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}\InprocServer32]

(Default) = "%System%\AOL2TO~1.DLL"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}]

(Default) = "AOL Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib]

(Default) = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}]

(Default) = "_IBhoEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib]

(Default) = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}]

(Default) = "IBho"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32]

(Default) = "%System%\aol2toolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0]

(Default) = "Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho\CurVer]

(Default) = "BhoNew.Bho.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho\CLSID]

(Default) = "{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho]

(Default) = "AOL Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\CLSID]

(Default) = "{FB0E529A-3D2C-473E-83FE-9E56AC6CC0EB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.Bho.1]

(Default) = "AOL Toolbar"

[HKEY_CURRENT_USER\Software\Microsoft\Bind]

comment = "213xxx3913540"

Other details

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
hotvid44.com	80	(null)	(null)

The following GET requests were made:

bind2.php?id=213xxx3913540
index.jpg

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.