Submission Summary:

• Submission details:
• Submission received: 10 November 2009, 13:25:12
• Processing time: 5 min 38 sec
• Submitted sample:
• File MD5: 0xB429180B7C690E372B3AB921A8FA538E
• File SHA-1: 0xA561BCE59774D9B9A52225A9E27FBA3EA700DAE9
• Filesize: 92,672 bytes
• Alias:
• Backdoor.Trojan [PCTools]
• Backdoor.Trojan [Symantec]
• Worm.Win32.AutoDoor.t [Kaspersky Lab]
• Mal/MassMail-A, Mal/Behav-010, Mal/Emogen-Y [Sophos]
• Backdoor:Win32/Ursap!rts [Microsoft]
• Worm.Win32.AutoDoor [Ikarus]
• Win32/Autodoor.worm.92672 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\912f8dda299032b06cd724bdadb5f2a4_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	63 bytes	MD5: 0x650F0518BD597AADE9D85B787D123F2B SHA-1: 0xE08C86C1A6F12E9F8E9D787241687342E8E0176F	(not available)
2	%ProgramFiles%\NetMeeting\netservice765.dll [file and pathname of the sample #1]	92,672 bytes	MD5: 0xB429180B7C690E372B3AB921A8FA538E SHA-1: 0xA561BCE59774D9B9A52225A9E27FBA3EA700DAE9	Backdoor.Trojan [PCTools] Backdoor.Trojan [Symantec] Worm.Win32.AutoDoor.t [Kaspersky Lab] Mal/MassMail-A, Mal/Behav-010, Mal/Emogen-Y [Sophos] Backdoor:Win32/Ursap!rts [Microsoft] Worm.Win32.AutoDoor [Ikarus] Win32/Autodoor.worm.92672 [AhnLab]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

• There was a new process created in the system:

• Notes:
• [generic host process filename] is a full path filename of [generic host process].

• The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
netservice765.dll	%ProgramFiles%\netmeeting\netservice765.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1EE0000 - 0x1EFB000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x10000000 - 0x1001B000
netservice765.dll	%ProgramFiles%\netmeeting\netservice765.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1990000 - 0x19AB000

• Notes:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs

• Notes:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netservice765
• HKEY_LOCAL_MACHINE\SOFTWARE\Simple
• HKEY_LOCAL_MACHINE\SOFTWARE\Simple\active
• HKEY_LOCAL_MACHINE\SOFTWARE\Simple\update

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netservice765]
• DllName = "%ProgramFiles%\netmeeting\netservice765.dll"
• Startup = "Startup"
• Lock = "Lock"
• UnLock = "UnLock"

so that netservice765.dll is installed as a Winlogon notification package

• [HKEY_LOCAL_MACHINE\SOFTWARE\Simple\active]
• ver = 0x01328EA2
• path = "%ProgramFiles%\netmeeting\netservice765.dll"

Other details

• There was registered attempt to establish connection with the remote host. The connection details are:

• The following GET request was made:
• /

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 80: