Submission Summary:

• Submission details:
• Submission received: 10 June 2011, 16:20:39
• Processing time: 12 min 24 sec
• Submitted sample:
• File MD5: 0xBB4330922380177D417933A700D85C63
• File SHA-1: 0x7DE60092DC427372264110668A8DF92F180E8C62
• Filesize: 778,240 bytes
• Alias:
• Generic.dx!upb [McAfee]
• Trojan.SuspectCRC [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.

Technical Details:

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\PUTTY.RND	600 bytes	MD5: 0xFADA40881F1084345DB1D5F93498D21E SHA-1: 0x7434C174BCF01F1CF6C1B04EB741E558537F3241	(not available)
2	[file and pathname of the sample #1]	778,240 bytes	MD5: 0xBB4330922380177D417933A700D85C63 SHA-1: 0x7DE60092DC427372264110668A8DF92F180E8C62	Generic.dx!upb [McAfee] Trojan.SuspectCRC [Ikarus]
3	%System%\U1013.exe	1,105,920 bytes	MD5: 0xAB5DF308F5586D30F3CA287B139B861A SHA-1: 0x014DEDA1700F66168FF02E005DBF33538988FE9C	(not available)
4	%System%\utmp\Bfxuvxcmqxme3w5s	48 bytes	MD5: 0x3F8B10CF65294555C3603DA4F367541C SHA-1: 0x66B00A5E889D3C0281B403DC8CF83E3316BE7B0E	(not available)
5	%System%\utmp\Booiczptcrtx2r5v	28 bytes	MD5: 0x654662D6A3E66FAA35378D947E5D3A2B SHA-1: 0x88FF76DFC71B33C36B0A390B8A07E470B93C2B47	(not available)
6	%System%\utmp\Flbkumxjbkjc2w5j	40 bytes	MD5: 0xBBA402CBC2F6D43E34CA60E31D9C9DFF SHA-1: 0x33514397BE9602E32C03BC990CEA46DDBF083E4E	(not available)
7	%System%\utmp\Hbnphjbczecf3l1z	95 bytes	MD5: 0x2C8214FAF94ADB6DA8388A1173A5D3BF SHA-1: 0x7D19CDAA3738D1B5794299239C65F15EF906B56B	(not available)
8	%System%\utmp\Hkemxebrlyry2o1c	36 bytes	MD5: 0x9D75933FA2718A8E1AED91433288EDDB SHA-1: 0x019954353F974770F09720DA7CDFF5B7915AAB39	(not available)
9	%System%\utmp\Lqtcwtwswlsx3o3a	16 bytes	MD5: 0xD1667A71FFFFAAD767982011EBAAEFDB SHA-1: 0x39A7F29DF6B19ED04A085BA7EB62DF02AADBA226	(not available)
10	%System%\utmp\Pngvfgriveic3l3o	30 bytes	MD5: 0xFFC52D102A80EB670E7767ECB719CB2E SHA-1: 0x947D5A9187D75BAD4D81C228219844FB57E0512F	(not available)

• Notes:
• %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %System%\utmp

Memory Modifications

• There was a new process created in the system:

Registry Modifications

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyServer = "127.0.0.1:9666"
• ProxyOverride = "127.0.0.1"
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
• CurrentLevel = 00 00 00 00
• 1C00 = 00 00 00 00

• The following Registry Value was deleted:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
• CurrentLevel = 0x00000000
• 1C00 = 0x00010000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
• ProxyEnable =
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
• ProxyEnable =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
• ProxyEnable =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
• ProxyEnable =
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
• ProxyEnable =

Other details

• Analysis of the file resources indicate the following possible countries of origin:

	Taiwan
	China

• The following ports were open in the system:

• There were registered attempts to establish connection with the remote hosts. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 23620:

• There was an outbound traffic produced on port 443: