Submission Summary:

• Submission details:
• Submission received: 30 January 2009, 11:25:14
• Processing time: 5 min 52 sec
• Submitted sample:
• File MD5: 0xBF42E61A447C5DFB0E549B66A55267EB
• File SHA-1: 0x5F64EB7BB1D8004C35DC93DC93D95974C3DE7577
• Filesize: 86,016 bytes
• Alias:
• Downloader [Symantec]
• Backdoor.Win32.Ceckno.cmz [Kaspersky Lab]
• Generic BackDoor [McAfee]
• Mal/Behav-236, Mal/Emogen-R [Sophos]
• Trojan:Win32/Veslorn [Microsoft]
• Backdoor.SdBot.DFSG [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.Ceckno.BHX	Backdoor.Ceckno.BHX is a backdoor that will provide remote access on infected system to attackers.
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

• Attention! The following threat categories were identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A hacktool that could be used by attackers to break into a system
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A program that downloads files to the local computer that may represent security risk

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\drivers\BFDDOS.sys	3,840 bytes	MD5: 0x6F93E01F97B56E802C956A407BC7068A SHA-1: 0xF2725DF4CB2D5BB659BC1B85BEA3263F63D50FD8	Hacktool.Rootkit [Symantec] Rootkit.Win32.Agent.dqk [Kaspersky Lab]
2	[file and pathname of the sample #1] %System%\svch0st.exe	86,016 bytes	MD5: 0xBF42E61A447C5DFB0E549B66A55267EB SHA-1: 0x5F64EB7BB1D8004C35DC93DC93D95974C3DE7577	Downloader [Symantec] Backdoor.Win32.Ceckno.cmz [Kaspersky Lab] Generic BackDoor [McAfee] Mal/Behav-236, Mal/Emogen-R [Sophos] Trojan:Win32/Veslorn [Microsoft] Backdoor.SdBot.DFSG [Ikarus]

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	335,872 bytes
svch0st.exe	%System%\svch0st.exe	335,872 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Run

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Run]
• (Default) = "%SystemRoot%\svch0st.exe"

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• The following port was open in the system:

• The following Host Name was requested from a host database:
• �lluuusn

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 4447: