ThreatExpert Report: Trojan.Win32.Genome

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 1 October 2012, 02:50:08
Processing time: 9 min 41 sec
Submitted sample:

File MD5: 0xC5967E7D63EE661611F8282406AAC4DF
File SHA-1: 0x50EEF61837554FD28D61F32F3A76CF756AD2DC27
Filesize: 204,800 bytes
Alias: Trojan.Win32.Genome [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\glukdig.txt	1,599 bytes	MD5: 0x909D408320047588769145536B80DDE5 SHA-1: 0x227EFD9B14ECFB1BABAB82E12A845DF40E8D9ACB	(not available)
2	%Temp%\invisible.acs	832 bytes	MD5: 0x29B223386C1DE17279B70C65E3C5B1B7 SHA-1: 0x6312D6A473D81B34AA3006BDA9174D506C27C404	(not available)
3	%Temp%\lb.htm	9,056 bytes	MD5: 0xB00BDA7295E0416EF72E841F34A4FFA1 SHA-1: 0xF6A382F1FF545F77A307DC90F160FC4CE5B3E047	(not available)
4	%Temp%\lb24.exe	50,688 bytes	MD5: 0xF6EC9C1CCBA6F7FE40BC308EB0D6D035 SHA-1: 0x7872B7D5FEC1CBF7A50FB154EE727262778F581E	packed with UPX [Kaspersky Lab]
5	[file and pathname of the sample #1]	204,800 bytes	MD5: 0xC5967E7D63EE661611F8282406AAC4DF SHA-1: 0x50EEF61837554FD28D61F32F3A76CF756AD2DC27	Trojan.Win32.Genome [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following file was modified:

%System%\RICHTX32.OCX

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	249,856 bytes
lb24.exe	%Temp%\lb24.exe	217,088 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]

VoiceEnabled = 0x00000001
UseVoiceTips = 0x00000001
KeyHoldHotKey = 0x00000091
UseBeepSRPrompt = 0x00000001
SRTimerDelay = 0x000007D0
SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EnableSpeaking = 0x00000001
UseBalloon = 0x00000001
UseCharacterFont = 0x00000001
UseSoundEffects = 0x00000001
SpeakingSpeed = 0x00000005
PropertySheetX = 0x000F423F
PropertySheetY = 0x000F423F
PropertySheetWidth = 0x00000000
PropertySheetHeight = 0x00000000
PropertySheetPage = 0x00000000
CommandsWindowLeft = 0xFFFFFFFF
CommandsWindowTop = 0xFFFFFFFF
CommandsWindowWidth = 0x000000C8
CommandsWindowHeight = 0x000000C8
CommandsWindowLocationSet = 0x00000000

Other details

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Host Name was requested from a host database:

192.5.5.241

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\MSVBVM60.DLL

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.