Alias sources: PCTools, Symantec, Kaspersky Lab, Trend Micro, Sophos, Microsoft

| What's been found |
| --- |
| Downloads/requests other files from the Internet. |
| Creates a startup registry entry. |
| Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time the target application is launched, either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible. |
| Contains characteristics of an identified security risk. |

Possible Security Risk
| Security Risk | Description |
| --- | --- |
| Trojan-Dropper.Agent | Trojan-Dropper.Agent attempts to drop a malicious file and run it on the compromised computer. |
| Trojan.Srizbi | Trojan.Srizbi normally arrives on a system when a user unwittingly follows a link contained in a bogus email. It poses as an image file and, once executed, installs itself as a service and configures the system to execute it even in safe mode. It uses rootkit technology in order to evade scanners. Some samples of this malware family can log keystrokes in order to steal valuable information such as usernames, passwords, credit card numbers, etc. |
| Application.BluSOD | Application.BluSOD displays a fake blue screen error. Some rogue antispyware may use this application as a component to trick the user into buying their product. |
| Trojan-Downloader.Small.GEN | Trojan-Downloader.Small.GEN contacts remote servers in order to download additional malware onto a user's computer without their knowledge. |
| Threat Category | Description |
| --- | --- |
| Trojan / bot | A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment |
| Spyware | A spyware program that represents a security risk for a local system |
| Downloader | A program that downloads files to the local computer that may represent a security risk |
| Keylogger | A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.) |
| Hacktool | A hacktool that could be used by attackers to break into a system |
File System Modifications

| # | Filename(s) | File Size | File Hash | Alias |
| --- | --- | --- | --- | --- |
| 1 | %Temp%\.tt2.tmp; %Temp%\.ttB9.tmp; %ProgramFiles%\Microsoft Common\emails.dat.z | 0 bytes | MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 | (not available) |
| 2 | %Temp%\.tt2.tmp.vbs | 1,002 bytes | MD5: 0x9DF700C8F6FD43FAC0A89AEF04214BBD SHA-1: 0x6EC8BC6D4041CCF19757757C0DA6592469F71C57 | VBS/InfSR-A [Sophos] |
| 3 | %Temp%\finder.exe; %ProgramFiles%\Microsoft Common\svchost.exe | 27,648 bytes | MD5: 0x90FC4C8948CFABB57EE4173CFD32F134 SHA-1: 0x6B205DEBE50BE817D1A9A3E4E990E0AF387E59B8 | Trojan-Dropper.Agent [PCTools]; Infostealer [Symantec]; Trojan-Mailfinder.Win32.Agent.rj [Kaspersky Lab]; TROJ_MAILFIND.C [Trend Micro]; Troj/FakeAle-FO [Sophos]; Trojan:Win32/Emold.gen!C [Microsoft] |
| 4 | %Temp%\inst1_294.exe | 167,936 bytes | MD5: 0xBD16EDF4E8D433722E040F5CCE424297 SHA-1: 0x3783DFBEF1BE9D44240921757B08DF4B66916776 | Trojan.Srizbi [PCTools]; Trojan.Dropper [Symantec]; Trojan-Dropper.Win32.Agent.vsl [Kaspersky Lab]; TROJ_DROPPER.GXU [Trend Micro]; Mal/EncPk-CK [Sophos]; TrojanDropper:Win32/Srizbi.gen!D [Microsoft] |
| 5 | %Temp%\jfk.bat | 226 bytes | MD5: 0x9885EEFEB6948938EFAB730AB6322B8D SHA-1: 0xD142B5A5FCA5BDBD65788F37F7147DFD90BFC82F | (not available) |
| 6 | %Temp%\ziqKJ4ZjGL.exe | 61,440 bytes | MD5: 0x9CC15A575CDAB623C8685C519CA28652 SHA-1: 0xBA80A73B95425A29BF2C6021EB0EDD0C03BE9CE6 | Infostealer.Banker.C [Symantec]; Trojan-Downloader.Win32.Agent.ablq [Kaspersky Lab]; TROJ_AGENT.AIUP [Trend Micro]; Troj/FakeAle-FO [Sophos]; Trojan:Win32/Busky.K [Microsoft] |
| 7 | %ProgramFiles%\Microsoft Common\emails.dat | 2,078 bytes | MD5: 0x6160E37BA173B4A53A9F876EDD467876 SHA-1: 0xABA5E2B03E4601A74A77FEA5EB85AC7CF87F3AF4 | (not available) |
| 8 | %ProgramFiles%\Microsoft Common\log.dat | 134,693 bytes | MD5: 0xACB71785FF10F3079A72CF4C15D2C085 SHA-1: 0xA05D9F8C458690B6843E6BDDE26263CDD54ED622 | (not available) |
| 9 | %System%\blphc35dj0erc1.scr | 118,784 bytes | MD5: 0xB10A43B9044B488DC8C7D33B250CFEBB SHA-1: 0x50100EA46001CC84EC2047C2BE142E8A44B94664 | Application.BluSOD [PCTools]; Joke.Blusod [Symantec]; Troj/FakeAle-FK [Sophos] |
| 10 | %System%\drivers\rrvvnnrr.sys; %System%\drivers\suqnqtuo.sys | 177,664 bytes | MD5: 0xA443E23EACEB8DB09DA04BF092CCF6C1 SHA-1: 0x40EA575AFC39DD774F6FB37642A5BCE784DB0A22 | Hacktool.Rootkit [Symantec]; Trojan-Dropper.Win32.Agent.vsl [Kaspersky Lab]; Spammer:WinNT/Srizbi.B [Microsoft] |
| 11 | %System%\frspipwr.tmp | 29 bytes | MD5: 0xDDC8B20706F978A10B699A740D011B5A SHA-1: 0xA2C569F1E8CA71A7791CA534075D4F5EC14AB194 | (not available) |
| 12 | %System%\lphc35dj0erc1.exe | 195,584 bytes | MD5: 0x8DA4A8B70B2D9E94E3267AF9F87B27C4 SHA-1: 0x62D57A627CAFF8A496B2EE90B5388BBF44660BC0 | Downloader.MisleadApp [Symantec]; Trojan-Downloader.Win32.Small.abkn [Kaspersky Lab]; TROJ_SMALL.KOE [Trend Micro]; Mal/EncPk-CZ [Sophos]; TrojanDownloader:Win32/Renos.gen!AU [Microsoft] |
| 13 | %System%\phc35dj0erc1.bmp | 625,208 bytes | MD5: 0x66FA7A528D4472EBB47D70E8F088B10C SHA-1: 0x62FC3FC8B24A34D71CB0ECA6EDC9EA4DCCA75B4D | (not available) |
| 14 | %System%\Restore\MachineGuid.txt | 78 bytes | MD5: 0x6331307B7FA1DC849B809B3E89C254CD SHA-1: 0x4B50B9471715B958941AB729908B1DD8EEA8DC50 | (not available) |
| 15 | [file and pathname of the sample #1] | 468,480 bytes | MD5: 0xC91D48D9189A85456592BDBFB2B9C49E SHA-1: 0xA5EE3414695D253149AE75DE024A7EF870A27BCA | Trojan-Downloader.Small.GEN [PCTools]; Trojan.Dropper [Symantec]; Trojan-Downloader.Win32.Agent.ablq [Kaspersky Lab]; TROJ_DROP.CF [Trend Micro]; Troj/FakeAle-FO [Sophos]; TrojanDropper:Win32/Srizbi.H [Microsoft] |
Memory Modifications

| Process Name | Process Filename | Main Module Size |
| --- | --- | --- |
| inst1_294.exe | %Temp%\inst1_294.exe | 401,408 bytes |
| rirjcjdh.exe | %Windir%\rirjcjdh.exe | 401,408 bytes |
| ziqKJ4ZjGL.exe | %Temp%\ziqKJ4ZjGL.exe | 61,440 bytes |
| lphc35dj0erc1.exe | %System%\lphc35dj0erc1.exe | 1,032,192 bytes |
| blphc35dj0erc1.scr | %System%\blphc35dj0erc1.scr | 831,488 bytes |
| finder.exe | %Temp%\finder.exe | 40,960 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 495,616 bytes |

| Process Name | Process Filename | Allocated Size |
| --- | --- | --- |
| svchost.exe | %System%\svchost.exe | 45,056 bytes |

| Service Name | Display Name | New Status | Service Filename |
| --- | --- | --- | --- |
| srservice | System Restore Service | "Running" | %System%\svchost.exe -k netsvcs |

| Driver Name | Driver Filename |
| --- | --- |
| rrvvnnrr | %System%\drivers\rrvvnnrr.sys |
| suqnqtuo | %System%\drivers\suqnqtuo.sys |
Registry Modifications

Other details

| Server Name | Server Port | Connect as User | Connection Password |
| --- | --- | --- | --- |
| 216.6.228.190 | 80 | (null) | (null) |
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2009 ThreatExpert. All rights reserved.