ThreatExpert Report: Trojan-Spy.Win32.Agent.bwjr, Mal/PWS-AL, Trojan-PWS.OnlineGames, Infostealer..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 1 October 2012, 10:23:21
Processing time: 7 min 58 sec
Submitted sample:

File MD5: 0xBF19503FC4B732F79A4E3F7F541FAF5E
File SHA-1: 0x770092680A5410C07BAC6B9FD2262A6006DB74C2
Filesize: 66,460 bytes
Alias & packer info:

Trojan-Spy.Win32.Agent.bwjr [Kaspersky Lab]
Mal/PWS-AL [Sophos]
Trojan-PWS.OnlineGames [Ikarus]
packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\Common Files\00017A6Bce.dll	10,240 bytes	MD5: 0xF1F49FB85AB029AD86C02EBECB892B12 SHA-1: 0x664A602F8E843218C1158571714CD0ADEE1DA939	Infostealer [Symantec] Trojan.Win32.Genome.aeixq [Kaspersky Lab] PWS-Mmorpg!yy [McAfee] Troj/WoW-KL [Sophos] Trojan:Win32/Bumat!rts [Microsoft] Trojan.Win32.Genome [Ikarus]
2	%ProgramFiles%\Common Files\whh03031.ocx	77,212 bytes	MD5: 0xC8F18F9236AABCE379D813AED9A47390 SHA-1: 0x49C3189F22F557277D85F79BFD78CF394FE150EF	Mal_OLGM-6 [Trend Micro] PWS:Win32/OnLineGames.LP [Microsoft] Trojan-PWS.Win32.Kykymber [Ikarus]
3	[file and pathname of the sample #1]	66,460 bytes	MD5: 0xBF19503FC4B732F79A4E3F7F541FAF5E SHA-1: 0x770092680A5410C07BAC6B9FD2262A6006DB74C2	Trojan-Spy.Win32.Agent.bwjr [Kaspersky Lab] Mal/PWS-AL [Sophos] Trojan-PWS.OnlineGames [Ikarus] packed with UPX [Kaspersky Lab]
4	%System%\whhfd008.ocx	14,336 bytes	MD5: 0x731659D09654891912AC223E20CD10AB SHA-1: 0x13CEE04ADC7B09EF1C0C6B9ABC02D0C7BC02A071	Infostealer [Symantec] Trojan-Spy.Win32.Agent.bwjr [Kaspersky Lab] PWS-Mmorpg!yr [McAfee] Troj/Monkif-Fam [Sophos] Trojan:Win32/Bumat!rts [Microsoft] Trojan.Win32.Patched [Ikarus]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	2,232,320 bytes
[generic host process]	[generic host process filename]	45,056 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
00017A6Bce.dll	%ProgramFiles%\Common Files\00017A6Bce.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0xB50000 - 0xD56000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]

Ime File = "WHHFD008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]

Ime File = "WHHFD008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"

[HKEY_CURRENT_USER\Keyboard Layout\Preload]

2 = "00000409"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Keyboard Layout\Preload]

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

jahDXY203031_rel_regamle_00000200_
jahDXY203031_rel_regamle_00000212_
jahDXY203031_rel_regamle_00000220_

The following Host Name was requested from a host database:

192.5.5.241

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.