Submission Summary:

• Submission details:
• Submission received: 11 January 2009, 23:59:42
• Processing time: 5 min 34 sec
• Submitted sample:
• File MD5: 0xC100A1F8567BBE4A72FC44109013255F
• File SHA-1: 0xE24648CDDD0DD2091F7F63E6644AD52F1673F8EB
• Filesize: 40,448 bytes

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.Pandex!sd6	Trojan.Pandex!sd6 is a malicious program that does not infect other files but may represents security risk for your computer and/or network environment.

• Attention! The following threat categories were identified:

Threat Category	Description
	A code with the rootkit-specific techniques designed to hide the software presence in the system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\WERb70a.dir00\appcompat.txt	16,296 bytes	MD5: 0xF560A82E9385739415E085B4553CBA8F SHA-1: 0x958B55E9517896C07D689F6BDDED4EF10D0718A9	(not available)
2	%Temp%\WERb70a.dir00\manifest.txt	1,742 bytes	MD5: 0xD254606B0F5D5BA027B696FF67E657B0 SHA-1: 0x0EAF59D46B03C4410BDC2EE7BE572D7C221FD441	(not available)
3	%Temp%\WERb70a.dir00\services.exe.hdmp	6,273,748 bytes	MD5: 0x35F23D79F0268E755F648419859D632C SHA-1: 0x77C1065D8D45D0483CEF254294357349F3CF6AE5	(not available)
4	%Temp%\WERb70a.dir00\services.exe.mdmp	59,713 bytes	MD5: 0x147A8740A6B3C68420E7BC65EB8890B2 SHA-1: 0x476D09253844725AC7FB87F9C28D6AC5BE5A2DF6	(not available)
5	%System%\drivers\ati3qvxx.sys	32,768 bytes	MD5: 0xACBB1BB95D5A7B2894EA066452D00865 SHA-1: 0xA7EEF95789EBAF8068B6F2E856C9E3021D2DC2F5	Trojan.Pandex!sd6 [PCTools] Trojan.Pandex [Symantec] Rootkit.Win32.Protector.cd [Kaspersky Lab] Cutwail.gen.a [McAfee] TROJ_PANDEX.ROY [Trend Micro] Troj/Pushu-Gen [Sophos] VirTool:WinNT/Cutwail.K [Microsoft] Rootkit.Win32.Protector [Ikarus]
6	[file and pathname of the sample #1]	40,448 bytes	MD5: 0xC100A1F8567BBE4A72FC44109013255F SHA-1: 0xE24648CDDD0DD2091F7F63E6644AD52F1673F8EB	(not available)

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %Temp%\WERb70a.dir00

Memory Modifications

• There was a new process created in the system:

• There was a new kernel-mode driver installed in the system:

Driver Name	Driver Filename
ati3qvxx.sys	%System%\drivers\ati3qvxx.sys

• Attention! The following Major I/O Request Packet (IRP) function was hooked in the kernel-mode driver:
• IRP_MJ_CREATE

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ati3qvxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ati3qvxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI3QVXX
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI3QVXX\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI3QVXX\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3qvxx
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3qvxx\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3qvxx\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati3qvxx
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3qvxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ati3qvxx.sys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI3QVXX
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI3QVXX\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI3QVXX\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3qvxx
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3qvxx\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3qvxx\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ati3qvxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ati3qvxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI3QVXX\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "ati3qvxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI3QVXX\0000]
• Service = "ati3qvxx"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "ati3qvxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ATI3QVXX]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3qvxx\Enum]
• 0 = "Root\LEGACY_ATI3QVXX\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3qvxx\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3qvxx]
• Type = 0x00000001
• Start = 0x00000000
• ErrorControl = 0x00000000
• ImagePath = "%System%\Drivers\ati3qvxx.sys"
• Group = "SCSI Class"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati3qvxx]
• Type = 0x00000001
• Start = 0x00000000
• ImagePath = "%System%\Drivers\ati3qvxx.sys"
• Group = "SCSI Class"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3qvxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ati3qvxx.sys]
• (Default) = "Driver"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI3QVXX\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "ati3qvxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI3QVXX\0000]
• Service = "ati3qvxx"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "ati3qvxx"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI3QVXX]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3qvxx\Enum]
• 0 = "Root\LEGACY_ATI3QVXX\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3qvxx\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3qvxx]
• Type = 0x00000001
• Start = 0x00000000
• ErrorControl = 0x00000000
• ImagePath = "%System%\Drivers\ati3qvxx.sys"
• Group = "SCSI Class"

Other details

• There was registered attempt to establish connection with the remote host. The connection details are: