ThreatExpert Report: Trojan.Mebroot, New Win32.g4

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 August 2008, 23:54:56
Processing time: 5 min 12 sec
Submitted sample:

File MD5: 0xC5F5C27024CA2E182A0D3D94B18459F1
File SHA-1: 0x4A01E477F2DAED19DDA2CF3A4403525F8F5F6FDD
Filesize: 289,352 bytes
Alias:

Trojan.Mebroot [Symantec]
New Win32.g4 [McAfee]

Summary of the findings:

What's been found	Severity Level
Threat characteristics of Mebroot (aka Mbroot/StealthMBR), a backdoor trojan that overwrites the Master Boot Record (MBR) of the hard disk and uses rootkit techniques to hide itself.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\1.tmp	245,696 bytes	MD5: 0xACFE130A55A29ED90D1E72DF45FA1FBD SHA-1: 0x5434CCDA77531822665FB9425B025A819FCD28AC	Trojan.Mebroot [Symantec]
2	%Temp%\2.tmp	289,352 bytes	MD5: 0xD0B56869329E3B71495E4992285DFA5D SHA-1: 0x34D353100EB8A1AFE46E00499D99BE9B63918BCB	Trojan.Mebroot [Symantec]
3	[file and pathname of the sample #1]	289,352 bytes	MD5: 0xC5F5C27024CA2E182A0D3D94B18459F1 SHA-1: 0x4A01E477F2DAED19DDA2CF3A4403525F8F5F6FDD	Trojan.Mebroot [Symantec] New Win32.g4 [McAfee]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	311,296 bytes
1.tmp	%Temp%\1.tmp	255,424 bytes

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.