ThreatExpert Report: Packed.Win32.Krap.ag, Win-Trojan/Malware.122880.D, Downloader-BWS..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 28 November 2009, 19:54:24
Processing time: 7 min 31 sec
Submitted sample:

File MD5: 0xB9705887989F4D098EA9C892BBA67EA6
File SHA-1: 0xBE54E3CEA36EED967739113BFF81014591C1F965
Filesize: 122,880 bytes
Alias:

Packed.Win32.Krap.ag [Kaspersky Lab]
Win-Trojan/Malware.122880.D [AhnLab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\a.dat	25,996 bytes	MD5: 0x47A0F40D6FFF1C10DEDC0A5E334E4181 SHA-1: 0x21ECABE3F381648F433E738E79A3BBBC3E876E26	(not available)
2	%Temp%\a.exe	355,840 bytes	MD5: 0x963FA521C8B675F649F17B5D427C9275 SHA-1: 0xCB0F31E1F120771414B8A41DB44AFBF0B6C711F9	Packed.Win32.Krap.ag [Kaspersky Lab]
3	%Temp%\b.exe %Windir%\msa.exe	184,832 bytes	MD5: 0xE36D6AF4845EF3548F80F2FA547A8501 SHA-1: 0x76FA7A0B1E119562670774E4BF452BC1F4105C1F	Packed.Win32.Krap.ag [Kaspersky Lab]
4	%Temp%\c.exe	181,248 bytes	MD5: 0x9EB376DD5408288E0534470E5CC40ECC SHA-1: 0x6D38EE29D3128FBDF3BB6B40BB2BFFF4E1E41FD9	Packed.Win32.Krap.ag [Kaspersky Lab] Downloader-BWS [McAfee]
5	%System%\sshnas.dll	224,256 bytes	MD5: 0x4A883A4E46910E2F74555EB575E3BBE5 SHA-1: 0x523489F558DECCD95CFA651186B88EDBA4E0E6C8	Trojan.Win32.FraudPack.abov [Kaspersky Lab] Downloader-BWS [McAfee]
6	%Windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	246 bytes	MD5: 0x3E8866D2A5AFB25B71EDE252C427672B SHA-1: 0x20A882B3C573F08D5AD04C9541C2316C23D18CC0	(not available)
7	%Windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job	290 bytes	MD5: 0xDF65BBB4CCB606928E49FA658A58D5E0 SHA-1: 0xDEBE051C8DC71E6875B963879AC4E29907B43E7F	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
c.exe	%Temp%\c.exe	548,864 bytes
msa.exe	%Windir%\msa.exe	479,232 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
SSHNAS	SSHNAS	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security
HKEY_CURRENT_USER\Software\Microsoft\Handle
HKEY_CURRENT_USER\Software\Avilel
HKEY_CURRENT_USER\Software\Videohost
HKEY_CURRENT_USER\Software\XML

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters]

ServiceDll = "%System%\sshnas.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "SSHNAS"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]

ServiceDll = "%System%\sshnas.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "SSHNAS"
ObjectName = "LocalSystem"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Videohost = "%Temp%\c.exe"

so that c.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Avilel]

Az3 = "FOqkXNXNRBbc8g=="
Az0 = "Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg20bvg2lIH4I0SSBgUTuqf3fYxYYGgq646p4fQ0BKrrEqQmaTQyIWqoOGOMOR4MoH3sbitDgpFNd6HxZeCxMZEGF6iVtfwyKQ0agFQ1SzbUq43Q7Tpdhtm4U0ZRBNS6KYvkV2YzEwrOYxvFG4Qb8nrZPgjFnZJlNiNMc7X3BcE8gHKumxx8LYriVQTDzdu3czzeElaBVyMVp60T
Av2 = 0x00000011
Av5 = 0x00000E10
Av3 = 0x000000FA
Av4 = 0x00000064
Av6 = 0x00000006
Av14 = 0x00000000
Av0 = 0x01CA7170
Av1 = 0xE7370920
Az1 = ""
Az2 = "ZuLNIa64IWuvvLI2X46gM04m4XVnqi/6lPGZOoQgs7J0x4Dgk1NI9w=="
Av6 = 0x00000007

[HKEY_CURRENT_USER\Software\Videohost]

Azy2 = "xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P"
Azy0 = "tSLPLpWL7R22spR48AI743bz2Kge8sER1Vj7sD2gyQRgyYcu/tI6sNDZRrOqWFi5zuLKTW36qnPdFzBreQhQOTxhtN8FGeDjXGBLsDEcMbWAXu2H0qZ61FYX5n9D2QXxqbEnBnzwpjYL9yRfp/EQSAbsyAraONgJB3/6OPp3GyHDTYChr8PguY4j4pJthYfaRms7fPCm0Mlqtrjsf+OJeoep7vUvxofslXBQmsIhlArgQ5PN"
Azy1 = "tSbFNJuL/h22spR48AI743bz2Kge8sEPyV+7qjr4iAljzcY5ttYwvovOQLHrFEej2ruXSzHm/A7rMXlsZ1pjW0EpsZdGCOX2UHkc/HIHOrvUXPGDibExxFYWvGlFxA+6q6p5Sjv16HVAiEJolo5rGFP91lPJPpxbHCz6afwhUTmNFt/644/8qZQl8pttmZ3bCXw9frH61tVo9a/3ZOiCJoTv7qFwj9r12RFkq+d+1APjXpyaamg="
Avi4 = 0x00015180
Avi5 = 0x00000002
Avi2 = 0x01CA7170
Avi3 = 0xDF47C920
Avi6 = 0x00000001
Avi0 = 0x01CA70A9
Avi1 = 0xFEFEB610

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

netsvcs =

Other details

The following ports were open in the system:

Port	Protocol	Process
1062	UDP	msa.exe (%Windir%\msa.exe)
1086	TCP	msa.exe (%Windir%\msa.exe)
1098	TCP	msa.exe (%Windir%\msa.exe)

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
174.37.204.176	80
216.108.240.20	80
217.212.240.177	80
217.212.240.189	80
64.120.164.41	80
64.191.90.182	80
64.211.162.112	80
64.211.162.122	80
66.197.207.41	80
69.10.35.253	80

The data identified by the following URLs was then requested from the remote web server:

http://fgage.com/ad_type.php
http://hstus.tradedoubler.com/file-1/20649/flash/flash_embed4.js
http://search-online-web.com/borders.php
http://myf2you.com/resolution.php
http://content.yieldmanager.com/ak/q.gif
http://mauihomearts.com/werber/e498b266973/217.gif
http://west-arts-studio.com/perce/90804ccd917a64e074b0ce1bf44b385d5ed2ea4c7697ae18d6a89182e6a4af822ce44bb96cbe9cd06/64e852b617a/qwerce.gif
http://static.2mdn.net/879366/flashwrite_1_2.js
http://static.2mdn.net/2251518/4-YB_Moment_Kitchen_468x60.swf
http://ad.reduxmedia.com/st?ad_type=iframe&ad_size=160x600&section=758229
http://ad.reduxmedia.com/imp?Z=160x600&s=758229&_salt=3247458431&B=10&u=http%3A%2F%2Fwww.infoplease.com%2F&r=0
http://ad.103092804.com/st?ad_type=iframe&ad_size=728x90&section=742407
http://ad.103092804.com/imp?Z=728x90&s=742407&_salt=41932501&B=10&u=http%3A%2F%2Fplaylist.com%2F&r=0
http://ad.103092804.com/st?ad_type=iframe&ad_size=300x250&section=738224
http://ad.103092804.com/imp?Z=300x250&s=738224&_salt=4170445487&B=10&u=http%3A%2F%2Fsouthasianews.com%2F&r=0
http://ad.103092804.com/st?ad_type=iframe&ad_size=468x60&section=740776
http://ad.103092804.com/imp?Z=468x60&s=740776&_salt=440581430&B=10&u=http%3A%2F%2Fad.103092804.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=468x60&s=740776&_salt=440581430&B=10&u=http%3A%2F%2Fad.103092804.com%2F&r=0&SIG=10vkv1627;x-cookie=7nrh56g5nnqyv&o=4&f=x9
http://ad.yieldmanager.com/imp?Z=160x600&s=758229&_salt=3247458431&B=10&u=http%3A%2F%2Fwww.infoplease.com%2F&r=0
http://ad.yieldmanager.com/null
http://ad.yieldmanager.com/imp?Z=728x90&s=742407&_salt=41932501&B=10&u=http%3A%2F%2Fplaylist.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=300x250&s=738224&_salt=4170445487&B=10&u=http%3A%2F%2Fsouthasianews.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=468x60&s=740776&_salt=440581430&B=10&u=http%3A%2F%2Fad.103092804.com%2F&r=0
http://cookex.amp.yahoo.com/v2/cexposer/SIG=13g9nm7i2/*http%3A//ad.yieldmanager.com/imp?Z=468x60&s=740776&_salt=440581430&B=10&u=http%3A%2F%2Fad.103092804.com%2F&r=0

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.