ThreatExpert Report: Trojan-Downloader.Win32.PrivacyCenter, Win-Trojan/Fraudload.4660

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 8 October 2009, 11:26:48
Processing time: 8 min 19 sec
Submitted sample:

File MD5: 0xB9BA7AF9CE0FB149A4D14B664ECDAFFE
File SHA-1: 0x14AECDFCFF368086E107252B942A348547F0CB69
Filesize: 33,280 bytes
Alias & packer info:

Trojan-Downloader.Win32.PrivacyCenter [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\d.bat	160 bytes	MD5: 0xA8D49FA4E467DBC49A4654C9286423BA SHA-1: 0xE65D52731D57315227B221406DC5EE61F6139AFA	(not available)
2	%Temp%\dm.exe %Temp%\sys.dll %Temp%\tnp.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
3	%Temp%\syst.exe	4,640 bytes	MD5: 0xAF40555F69DA106ABD8544C015D6616C SHA-1: 0xDAB2BBE6BDFAD2D659A54F074985B9C47FE082B8	Win-Trojan/Fraudload.4660 [AhnLab]
4	%Temp%\temp.bat	346 bytes	MD5: 0x6512E0DE81C68E8DF6768B85DD027929 SHA-1: 0xC24AC33073D00E51297EE5CCE277F14B4B193CE2	(not available)
5	[file and pathname of the sample #1]	33,280 bytes	MD5: 0xB9BA7AF9CE0FB149A4D14B664ECDAFFE SHA-1: 0x14AECDFCFF368086E107252B942A348547F0CB69	Trojan-Downloader.Win32.PrivacyCenter [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes
syst.exe	%Temp%\syst.exe	16,384 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
ntvdm.exe	%System%\ntvdm.exe	987,136 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
122.224.9.67	80
91.207.116.44	80

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
95.211.27.154	80	(null)	(null)
urodinam.net	80	(null)	(null)

The following GET requests were made:

install.php?id=02979
index.jpg
8732489273.php

The following HTTP URLs were started reading:

http://91.207.116.44/1.dll
http://122.224.9.67/dogma.exe
http://91.207.116.44/u5.exe

Downloaded File Summary:

Download details:

Download retrieved: 8 October 2009 11:35:07
Processing time: 7 min 49 sec
Downloaded sample #1:

File MD5: 0x87D155F6DF465004BBC92828D9909D4E
File SHA-1: 0xDEE45E44B3B8B5FAFAD071E42AC4C6F5857CA92E
Filesize: 218,624 bytes
Packer info: packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #2:

File MD5: 0x098CDCE52553105682B07D49247C41E8
File SHA-1: 0x4B8DFE1D3269C21E01B79D13864C803E7C7D4064
Filesize: 94,208 bytes

Downloaded sample #3:

File MD5: 0x3EEC447AE132BF6676B63D1FFF8601BE
File SHA-1: 0x59C3B9494D7CEBAC9C1FD8F7122F2F038FAA7DE9
Filesize: 982,016 bytes
Packer info: packed with: PE_Patch.UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.PrivacyCenter.AJ	RogueAntiSpyware.PrivacyCenter.AJ displays fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\eomtixgewt.tmp	94,208 bytes	MD5: 0x098CDCE52553105682B07D49247C41E8 SHA-1: 0x4B8DFE1D3269C21E01B79D13864C803E7C7D4064	(not available)
2	[file and pathname of the sample #1]	218,624 bytes	MD5: 0x87D155F6DF465004BBC92828D9909D4E SHA-1: 0xDEE45E44B3B8B5FAFAD071E42AC4C6F5857CA92E	packed with PE_Patch.UPX [Kaspersky Lab]
3	[file and pathname of the sample #3]	982,016 bytes	MD5: 0x3EEC447AE132BF6676B63D1FFF8601BE SHA-1: 0x59C3B9494D7CEBAC9C1FD8F7122F2F038FAA7DE9	packed with PE_Patch.UPX [Kaspersky Lab]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	2,179,072 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	110,592 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xAA0000 - 0xB36000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB10000 - 0xBA6000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0x1016000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAE2CCFB-71FC-4F98-93AB-5197A2E74446}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAE2CCFB-71FC-4F98-93AB-5197A2E74446}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAE2CCFB-71FC-4F98-93AB-5197A2E74446}
HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAE2CCFB-71FC-4F98-93AB-5197A2E74446}\InprocServer32]

(Default) = "[file and pathname of the sample #1]"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAE2CCFB-71FC-4F98-93AB-5197A2E74446}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

SafetyCenter = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\SafetyCenter]

boot = "1"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.