ThreatExpert Report: Trojan.DR.Duckirc.Gen, not-a-virus:NetTool.Win32.Sniffer.c..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 5 February 2008, 02:58:54
Processing time: 3 min 24 sec
Submitted sample:

File MD5: 0xC61E112BB3BBAB5721DF0E4D6A75CB57
Filesize: 1,004,362 bytes
Alias:

Trojan.DR.Duckirc.Gen [PCTools]
not-a-virus:NetTool.Win32.Sniffer.c, not-a-virus:RiskTool.Win32.HideWindows, not-a-virus:RiskTool.Win32.HideWindows, not-a-virus:PSWTool.Win32.PassView.162, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Application.StoragePass_Viewer	StoragePass Viewer is a utility that is able to reveal passwords stored by Internet Explorer, Outlook Express and MSN Explorer.
Backdoor.mIRC	Backdoor.mIRC is a backdoor trojan which makes use of the popular mIRC client. It opens ports and allows unauthorized access to an attacker. It is also capable of hijacking a users browser startpage.
Backdoor.IRC.ABN	Backdoor.IRC.ABN is a backdoor which allows an attacker unauthorized remote access via IRC.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that can be used to hijack certain aspects of users' web browser functionality (such as homepage, search page, and security settings)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	1,004,362 bytes	MD5: 0xC61E112BB3BBAB5721DF0E4D6A75CB57	Trojan.DR.Duckirc.Gen [PCTools] not-a-virus:NetTool.Win32.Sniffer.c, not-a-virus:RiskTool.Win32.HideWindows, not-a-virus:RiskTool.Win32.HideWindows, not-a-virus:PSWTool.Win32.PassView.162, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
2	%System%\ttt\aliases.ini	11 bytes	MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD	(not available)
3	%System%\ttt\d.dll	33,792 bytes	MD5: 0x638A6F2B03C828E9B3C77C104C56F4EA	Trojan.DuckIRC.F [PCTools] MotherboardMonitor [McAfee]
4	%System%\ttt\dbqp.fon	4,091 bytes	MD5: 0x00CA96B3FC7F5D2AD7EF59BDC4E2676D	IRC/Flood.gen.b [McAfee]
5	%System%\ttt\ksomk	12,602 bytes	MD5: 0x8DF50CCD9B7BAFB77B0376270A40922D	(not available)
6	%System%\ttt\l4m3rz.exe	21,236 bytes	MD5: 0x022B1F7E3AA2771BB3F014292EA9FC64	IRC.Flood.CJ [PCTools] IRC Trojan [Symantec] IRC/Flood.gen.c [McAfee]
7	%System%\ttt\l4m3rz1.bmp	20,837 bytes	MD5: 0x57200F0AE231D7609D878B594B9D0CA5	IRC Trojan [Symantec]
8	%System%\ttt\l4m3rz2.bmp	18,194 bytes	MD5: 0xDF68EC396FB63991CFC6E6A1F1D65CD3	IRC.Flood.CJ [PCTools] IRC Trojan [Symantec] IRC/Flood.gen.c [McAfee]
9	%System%\ttt\l4m3rz3.bmp	14,755 bytes	MD5: 0x28CA17BF90B7CF33ED32F6E70ED8F13F	IRC Trojan [Symantec] IRC/Flood.gen.c [McAfee]
10	%System%\ttt\l4m3rz4.bmp	20,407 bytes	MD5: 0x529A5B8FCD2AAF6EF4D26C99DBC8D8C8	IRC Trojan [Symantec]
11	%System%\ttt\l4m3rz5.bmp	50,203 bytes	MD5: 0x29ACB06F7F7465ECFAA3E3A48ADC6D37	IRC Trojan [Symantec]
12	%System%\ttt\l4m3rz6.bmp	17,720 bytes	MD5: 0x7E99649E7F034DF9FC30B939AF9B9396	IRC.Flood.CJ [PCTools] IRC Trojan [Symantec]
13	%System%\ttt\l4m3rz7.bmp	3,890 bytes	MD5: 0xD6280420ECF333B02778C48E02E7E354	IRC Trojan [Symantec] IRC/Flood.gen.c [McAfee] TROJ_Generic [Trend Micro]
14	%System%\ttt\lam1.exe	61,440 bytes	MD5: 0xDEC2F51A5EBDCC8EC6F22CFD3D225BE6	(not available)
15	%System%\ttt\lam2.exe	90,112 bytes	MD5: 0x43EC280041391A5C94573938E14DDADE	not-a-virus:NetTool.Win32.Sniffer.c [Kaspersky Lab] Sniff-DaSniff [McAfee]
16	%System%\ttt\lam3.exe	19,968 bytes	MD5: 0x687D6D8307AFAF5ED14D8D1285E59F27	RiskWare.HideWindows.B [PCTools] not-a-virus:RiskTool.Win32.HideWindows [Kaspersky Lab] HideWindow [McAfee]
17	%System%\ttt\lam4.exe	17,408 bytes	MD5: 0xD0005C64D093FE27ED12C3C509AA1120	Virtool.HideRun.B [PCTools] not-a-virus:RiskTool.Win32.HideWindows [Kaspersky Lab] HideRun [McAfee]
18	%System%\ttt\lam5.exe	31,744 bytes	MD5: 0x013ACBE7BA86B017018ACB387A8F43CA	Application.StoragePass_Viewer [PCTools] not-a-virus:PSWTool.Win32.PassView.162 [Kaspersky Lab] PWCrack-PassView [McAfee]
19	%System%\ttt\mirc.ini	31 bytes	MD5: 0xA2C42E128EF9C47C3EB51A1B5C3573AF	(not available)
20	%System%\ttt\msn.dll	18,432 bytes	MD5: 0xF1F6421F7BB0066BD07CD3815F909DEC	(not available)
21	%System%\ttt\nm	2,187 bytes	MD5: 0x14A441710EA85372DC1EA7B1DE5A4286	(not available)
22	%System%\ttt\ournik	11,165 bytes	MD5: 0x0A85DC399FAA6A94E946577CDA701924	(not available)
23	%System%\ttt\ournik.com	696,320 bytes	MD5: 0x7412345B598BF933863CCD25AF2881CC	Backdoor.mIRC [PCTools] Hacktool [Symantec] not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] BKDR_IRCFLOOD.AL [Trend Micro]
24	%System%\ttt\poiyu	318 bytes	MD5: 0x3194C1A0A207A265EFE4925BFF1D375B	(not available)
25	%System%\ttt\reg.dll	86,016 bytes	MD5: 0x8650E5A54F7DF9D47B7FA8C5236ECCBA	Backdoor.IRC.ABN [PCTools] IRC Trojan [Symantec]
26	%System%\ttt\systemac.dll	29,184 bytes	MD5: 0x2DB18780EA5D7FF0D3CF0DE32B844164	(not available)
27	%System%\ttt\u	9,735 bytes	MD5: 0xA38B81D6975B04539DCAEAAFBBC3C414	IRC/Flood.dv [McAfee] IRC_Generic [Trend Micro]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\ttt

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
ournik.com	%System%\ttt\ournik.com	2,035,712 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	90,112 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
systemac.dll	%System%\ttt\systemac.dll	Process name: ournik.com Process filename: %System%\ttt\ournik.com Address space: 0x3F0000 - 0x3FA000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
HKEY_CURRENT_USER\Software\mIRC
HKEY_CURRENT_USER\Software\mIRC\DateUsed

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]

(Default) = "l4m3r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]

(Default) = ""%System%\ttt\ournik.com" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]

(Default) = ""%System%\ttt\ournik.com""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]

(Default) = "Chat File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]

(Default) = "l4m3r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]

(Default) = ""%System%\ttt\ournik.com" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]

(Default) = ""%System%\ttt\ournik.com""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]

(Default) = "URL:IRC Protocol"
EditFlags = 02 00 00 00
URL Protocol = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

msennger = "%System%\ttt\ournik.com"

so that ournik runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]

DisplayName = "mIRC"
UninstallString = ""%System%\ttt\ournik.com" -uninstall"

[HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]

VoiceEnabled = 0x00000001
UseVoiceTips = 0x00000001
KeyHoldHotKey = 0x00000091
UseBeepSRPrompt = 0x00000001
SRTimerDelay = 0x000007D0
SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EnableSpeaking = 0x00000001
UseBalloon = 0x00000001
UseCharacterFont = 0x00000001
UseSoundEffects = 0x00000001
SpeakingSpeed = 0x00000005
PropertySheetX = 0x000F423F
PropertySheetY = 0x000F423F
PropertySheetWidth = 0x00000000
PropertySheetHeight = 0x00000000
PropertySheetPage = 0x00000000
CommandsWindowLeft = 0xFFFFFFFF
CommandsWindowTop = 0xFFFFFFFF
CommandsWindowWidth = 0x000000C8
CommandsWindowHeight = 0x000000C8
CommandsWindowLocationSet = 0x00000000

[HKEY_CURRENT_USER\Software\mIRC\DateUsed]

(Default) = "1199747700"

Other details

The following ports were open in the system:

Port	Protocol	Process
113	TCP	ournik.com (%System%\ttt\ournik.com)
43408	TCP	ournik.com (%System%\ttt\ournik.com)

The following Host Name was requested from a host database:

we.wearabz.net

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
we.wearabz.net	5566

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\ttt\ournik.com

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.