ThreatExpert Report: Trojan.mIRC-Based.AM, not-a-virus:Client-IRC.Win32.mIRC.603, Trojan.RunKeys..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 9 July 2008, 16:17:58
Processing time: 4 min 20 sec
Submitted sample:

File MD5: 0xBEBEE170834723E4772D2F79D10B9CF0
File SHA-1: 0x66FF2EB3656AFDFFED9C809A0867B5047CE826B8
Filesize: 1,113,334 bytes
Alias:

Trojan.mIRC-Based.AM [PCTools]
not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.RunKeys	Trojan.RunKeys installs autorun registry entries for other malware. It is normally bundled with other malware and ensures that they are executed each time Windows starts.
Backdoor.IRCBot	Backdoor.IRCBot is a family of IRC backdoors allowing unauthorized access to an infected PC. It has the capability to spread over a network exploiting various Windows vulnerabilities.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	1,113,334 bytes	MD5: 0xBEBEE170834723E4772D2F79D10B9CF0 SHA-1: 0x66FF2EB3656AFDFFED9C809A0867B5047CE826B8	Trojan.mIRC-Based.AM [PCTools] not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
2	%Windir%\Temp\spoolsv\a.reg	1,260 bytes	MD5: 0x3A6124B67B70CFC076115D6C03A46555 SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200	Trojan.RunKeys [PCTools] Reg/IRCSpoolsv [McAfee] REG_ZAPCHAST.ED [Trend Micro]
3	%Windir%\Temp\spoolsv\aliases.ini	11 bytes	MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD SHA-1: 0x0290F796218937F61331ADC8803788E7CD4C2299	(not available)
4	%Windir%\Temp\spoolsv\com.mrc	10,251 bytes	MD5: 0x4D677B26098655231C880D234D8D6719 SHA-1: 0xA4C7432181EFCC82CE71E9668634BDD7EFAB4BFE	(not available)
5	%Windir%\Temp\spoolsv\control.ini	174 bytes	MD5: 0xE74FCF9B0E35952818B103251B5A6FD3 SHA-1: 0xB86B6D37819AEC743D514439EAF4E5A2DCFBFE11	(not available)
6	%Windir%\Temp\spoolsv\fullname.txt	329 bytes	MD5: 0xE8FA4DC83F3D617C72DA559DFC8A64B3 SHA-1: 0x6F0126F6802C9DA95D762634EA5E878CFB4E04F4	(not available)
7	%Windir%\Temp\spoolsv\ident.txt	55,687 bytes	MD5: 0x530AF9AC85E153593939C82F2F655328 SHA-1: 0x7D36A8CB9B35830E754A5A13C2835C7A4BD93B18	(not available)
8	%Windir%\Temp\spoolsv\mirc.ico	5,694 bytes	MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10 SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7	(not available)
9	%Windir%\Temp\spoolsv\mirc.ini	3,292 bytes	MD5: 0x37499E68C088783DE1C80234FFEB15A1 SHA-1: 0xD006DC379D030218F74DB9DA3D50B2090CC8015B	IRC/Flood.gen.b [McAfee]
10	%Windir%\Temp\spoolsv\remote.ini	5,109 bytes	MD5: 0xB08A6006E929ED4A35D31D58E87D7061 SHA-1: 0x2FD4413FCB4AEC4AA1AA1127A643198ADDD9A198	(not available)
11	%Windir%\Temp\spoolsv\run.bat	194 bytes	MD5: 0x08FD9592BFA14C19955FC760BE2BB98A SHA-1: 0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81	Trojan.mIRC-Based.AM [PCTools] Backdoor.IRC.Flood [Symantec] Generic component [McAfee]
12	%Windir%\Temp\spoolsv\servers.ini	1,030 bytes	MD5: 0xCCD9BAF7710F3E889DF4CCF380C2F4E8 SHA-1: 0xF218FF6811BE6D7EF0B33DA7102E9C14BF9F37F0	(not available)
13	%Windir%\Temp\spoolsv\spoolsv.exe	1,790,464 bytes	MD5: 0xB766003F431CAD186BD115F5761592D1 SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10	Backdoor.IRCBot [PCTools] not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] IRC/Client [McAfee]
14	%Windir%\Temp\spoolsv\users.ini	303 bytes	MD5: 0x41CF37BC3319F354E7F17B14A3B88C6A SHA-1: 0xC81278FE3C7C73F5A21786403EE2082C4DCAA2E4	(not available)
15	%Windir%\Temp\spoolsv\xmas.jpg	264,957 bytes	MD5: 0x6C43EC85F11F7F75D936B5DC24C22C68 SHA-1: 0x8E0696A3817ADE6DFB8449234051122D777E6878	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%Windir%\Temp\spoolsv
%Windir%\Temp\spoolsv\download
%Windir%\Temp\spoolsv\logs
%Windir%\Temp\spoolsv\sounds

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	225,280 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
HKEY_CURRENT_USER\Software\mIRC
HKEY_CURRENT_USER\Software\mIRC\Channels
HKEY_CURRENT_USER\Software\mIRC\License
HKEY_CURRENT_USER\Software\mIRC\LockOptions
HKEY_CURRENT_USER\Software\mIRC\%UserName%
HKEY_CURRENT_USER\Software\WinRAR SFX

Notes:

%UserName% is a variable that refers to the current user name.

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]

(Default) = "svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]

(Default) = "Chat File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]

(Default) = "svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]

(Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]

(Default) = "URL:IRC Protocol"
EditFlags = 02 00 00 00
URL Protocol = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

spoolsv = ""%Windir%\temp\spoolsv\spoolsv.exe""

so that spoolsv.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]

DisplayName = "mIRC"
UninstallString = ""%Windir%\temp\spoolsv\spoolsv.exe" -uninstall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters]

Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]

Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""

[HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]

VoiceEnabled = 0x00000001
UseVoiceTips = 0x00000001
KeyHoldHotKey = 0x00000091
UseBeepSRPrompt = 0x00000001
SRTimerDelay = 0x000007D0
SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EnableSpeaking = 0x00000001
UseBalloon = 0x00000001
UseCharacterFont = 0x00000001
UseSoundEffects = 0x00000001
SpeakingSpeed = 0x00000005
PropertySheetX = 0x000F423F
PropertySheetY = 0x000F423F
PropertySheetWidth = 0x00000000
PropertySheetHeight = 0x00000000
PropertySheetPage = 0x00000000
CommandsWindowLeft = 0xFFFFFFFF
CommandsWindowTop = 0xFFFFFFFF
CommandsWindowWidth = 0x000000C8
CommandsWindowHeight = 0x000000C8
CommandsWindowLocationSet = 0x00000000

[HKEY_CURRENT_USER\Software\mIRC\%UserName%]

(Default) = "WhiteHat"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]

(Default) = "0,4096"

[HKEY_CURRENT_USER\Software\mIRC\License]

(Default) = "5662-546732"

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%Windows%temp%spoolsv% = "%Windir%\temp\spoolsv\"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The following Host Names were requested from a host database:

Mesa2.AZ.US.Undernet.Org
username.servebeer.com

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%Windir%\temp\spoolsv\spoolsv.exe

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.