Submission Summary:

What's been found | Severity Level
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security Risk | Description
Adware.FlashTrack | FlashTrack is an Internet Explorer Browser Helper Object that monitors users' search activities and sends the information back to flashtrack.net. No personal information such as username, password or machine name is sent. The information sent out is used by FlashTrack to analyze a user's search behaviours.

Threat Category | Description
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment

 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %Temp%\1.exe 12,800 bytes MD5: 0x1A4CD449D27A2FE7D0F2A177423360E1
SHA-1: 0xCC5C1CA57D993F501655C390808BAA94D7D12856
Trojan.Win32.Spy [Ikarus]
2 %Temp%\10.exe 181,248 bytes MD5: 0xD103BD79093737EBB12B66A0E227F6D8
SHA-1: 0x27DADE94496A2320A6EAF1FFBB2186D7A0D2A57D
possible-Threat.Keygen [Ikarus]
3 %Temp%\11.exe 9,435 bytes MD5: 0xEA56C1A43BABF9057292D8A4946F1E5D
SHA-1: 0xCE5F22358262B0CC2EAE6FCEB6AA35719CBEF5D9
Generic PWS.y!1ch [McAfee]
Mal/Behav-370 [Sophos]
Trojan-PWS.OnlineGames [Ikarus]
4 %Temp%\12.exe 8,926 bytes MD5: 0x333CD8B1F08FA469AA8E971628698D44
SHA-1: 0xCB17649EF899EF950923C992D114C9C5F2419F51
(not available)
5 %Temp%\13.exe 4,711 bytes MD5: 0xC4E960EAE9886FCCB845FBF5ADFFFE8D
SHA-1: 0x6B01727EE4CFCB49C5399930B202FB6679EF261F
Suspicious.MH690 [Symantec]
6 %Temp%\14.exe 602,624 bytes MD5: 0x389B9060425655CFA1A7FE5E2C64291C
SHA-1: 0xF6F0907DE6475B2D935BBBB564293D946BDF58F4
(not available)
7 %Temp%\15.exe 31,232 bytes MD5: 0x18EAEAED50F7D35479370AF722730E9F
SHA-1: 0xEA24AD263EE4C05316F764A3C63AE3B0C820CED8
(not available)
8 %Temp%\2.exe 14,848 bytes MD5: 0xC11530F81B7696D1F8EE23E4ACF8983E
SHA-1: 0xE943A3208D51E1382C866C3533299810DDFB5E0C
Mal/KeyGen-Q [Sophos]
9 %Temp%\3.exe 6,144 bytes MD5: 0x0F9E88E062510717277FB3554CDBA5F9
SHA-1: 0x100040DCBAB2C7DE5E2F5FC98D37C47C9AA0853D
(not available)
10 %Temp%\4.exe 61,440 bytes MD5: 0x6644D4A80CBDBBA3253668095A1F9912
SHA-1: 0x4F85B2D8B393D2E4C11405C9A4E38EBA7B0B5DA8
Mal/KeyGen-M [Sophos]
packed with PE_Patch [Kaspersky Lab]
11 %Temp%\5.exe 181,248 bytes MD5: 0xF518746BE8AC3BC82D4609035F182F86
SHA-1: 0x73260D62187E8B90AA46E8ACA41D9F63B2701C84
possible-Threat.Keygen [Ikarus]
packed with PE_Patch [Kaspersky Lab]
12 %Temp%\6.exe 9,449 bytes MD5: 0x345CF1F87F30A2DA5876DF25B4B00ABD
SHA-1: 0xB6C0472CB55D5E134B3FEC328F17C9522E21F5FE
Trojan.Nebuler [Symantec]
Generic PWS.y!1ch [McAfee]
Mal/Behav-370 [Sophos]
packed with UPX [Kaspersky Lab]
13 %Temp%\7.exe 17,951 bytes MD5: 0x7CEA3CC7FCAA108BDE92B2188D510979
SHA-1: 0x52ACC6024B13731D7DDAD91761DF397DE03C9F01
packed with UPX [Kaspersky Lab]
14 %Temp%\8.exe 20,875 bytes MD5: 0x6E8C9873939DE3D22F17261C08C705AE
SHA-1: 0x434D53F47454FD9C8D5C3F41CAEDF1AC9FFB4997
Trojan.Gen.2 [Symantec]
Tool-TPatch [McAfee]
Trojan.SuspectCRC [Ikarus]
15 %Temp%\9.exe 11,776 bytes MD5: 0x9422C8D151EE18118C426592CAE3B999
SHA-1: 0xECAB200C58118A694CC118A2A068C6ABF2F48666
Trojan.SuspectCRC [Ikarus]
packed with UPX [Kaspersky Lab]
16 [file and pathname of the sample #1] 1,052,684 bytes MD5: 0xCDAC6B11AC6A5D30F51F947695FC4B9A
SHA-1: 0x79A048C73773CF646A555969963AD18EE8C6C28F
Trojan.SuspectCRC [Ikarus]

 

Memory Modifications

Process Name | Process Filename | Main Module Size
11.exe | %Temp%\11.exe | 45,568 bytes
12.exe | %Temp%\12.exe | 40,158 bytes
14.exe | %Temp%\14.exe | 2,928,640 bytes
15.exe | %Temp%\15.exe | 98,304 bytes
2.exe | %Temp%\2.exe | 98,304 bytes
3.exe | %Temp%\3.exe | 12,288 bytes
4.exe | %Temp%\4.exe | 237,568 bytes
5.exe | %Temp%\5.exe | 331,776 bytes
6.exe | %Temp%\6.exe | 45,568 bytes
7.exe | %Temp%\7.exe | 77,824 bytes
8.exe | %Temp%\8.exe | 34,304 bytes
9.exe | %Temp%\9.exe | 49,152 bytes
10.exe | %Temp%\10.exe | 331,776 bytes
13.exe | %Temp%\13.exe | 40,960 bytes

 


Copyright © 2013 ThreatExpert. All rights reserved.