ThreatExpert Report: Trojan:Win32/PrivacyCenter, not-a-virus:FraudTool.Win32.PrivacyCenter..

Submission Summary:

Submission details:

Submission received: 4 June 2009, 12:59:55
Processing time: 5 min 50 sec
Submitted sample:

File MD5: 0xCE76FB0375F6BF2717371EC43FF6EDE2
File SHA-1: 0x47E563AE8FC7A30BE9C2213CD74E841EED5E3BC9
Filesize: 1,981,631 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\PCenter\dbases\cg.dat	162 bytes	MD5: 0xD0AB4A72AC6EE96FA02ED7BD8B5652AC SHA-1: 0xF4D64BD6D932CD0FEDDA18A087C5020756B2F5FC	(not available)
2	%AppData%\PCenter\dbases\mw.dat %AppData%\PCenter\dbases\rd.dat %AppData%\PCenter\dbases\sc.dat %AppData%\PCenter\dbases\sm.dat	2 bytes	MD5: 0x1FF1DE774005F8DA13F42943881C655F SHA-1: 0x4D134BC072212ACE2DF385DAE143139DA74EC0EF	(not available)
3	%AppData%\PCenter\dbases\sp.dat	148,001 bytes	MD5: 0x8DF50533B9DBB647EB0800D518CC361A SHA-1: 0x515CAECCAB272B2FD5E257E7ED67FD4A6D1DD332	(not available)
4	%AppData%\PCenter\keys\cg.key %AppData%\PCenter\keys\rd.key %AppData%\PCenter\keys\sc.key %AppData%\PCenter\keys\sp.key	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
5	%AppData%\PCenter\temp\settings.ini	19 bytes	MD5: 0x295F3BAD13B6DC76E67F0F07EA980C93 SHA-1: 0xC1C1AC9832A1402A2C1DC06591B62965F62464D2	(not available)
6	%AppData%\PCenter\temp\spfilter	394 bytes	MD5: 0xBCE8ED998A503272CC1F333385E9A93F SHA-1: 0x117BC6CE8B69B236BBDB8F6CB374E918D6981A43	(not available)
7	%DesktopDir%\PCenter.lnk	717 bytes	MD5: 0x4246ACE6D207917BE28CBFB230572B78 SHA-1: 0xF63BB37B543C0EC8ADFC1CED777AD0BAF7734B44	(not available)
8	%ProgramFiles%\PCenter\agent.exe	553,984 bytes	MD5: 0xF03647771C1166FF80A91BDF41CFAA10 SHA-1: 0x282CB6C183E997EF46EAEEF36D186C39872F4EA8	Trojan:Win32/PrivacyCenter [Microsoft]
9	%ProgramFiles%\PCenter\faq\guide.html	10,578 bytes	MD5: 0xCB1AA1F89FAFDE93A99A36AF562DFC33 SHA-1: 0xF1ED6AC9109BF76D9E275A9DE3565A59C994C996	not-a-virus:FraudTool.Win32.PrivacyCenter [Ikarus]
10	%ProgramFiles%\PCenter\faq\images\gimg1.jpg	49,364 bytes	MD5: 0x30B6B70A6045E3D0C19477AD64683F27 SHA-1: 0x56CD2C6632DA415D921730F8363477D92AA5C3D4	(not available)
11	%ProgramFiles%\PCenter\faq\images\gimg10.jpg	75,454 bytes	MD5: 0xD8D5EB39C0E15A22A2E6E95AA113B1C5 SHA-1: 0x63266B03B48F0F584C6CD5D27979D3B697FE09BE	(not available)
12	%ProgramFiles%\PCenter\faq\images\gimg2.jpg	38,492 bytes	MD5: 0x86F01A14CB1EBE0D7CE42AE6B0DD3889 SHA-1: 0x176781F9D3F4F802D100E8419EB3391FEACED458	(not available)
13	%ProgramFiles%\PCenter\faq\images\gimg3.jpg	20,320 bytes	MD5: 0x0541752785813566B32B8BCD9A58E2C8 SHA-1: 0x93FDF2B613E2B063928E6D28BED45D0961174920	(not available)
14	%ProgramFiles%\PCenter\faq\images\gimg4.jpg	71,970 bytes	MD5: 0xE287FACD58EAFF41844B5B90F835BBEE SHA-1: 0xE8EF25B2377C0ACB43547F1F1A39F8A5AEACE9B4	(not available)
15	%ProgramFiles%\PCenter\faq\images\gimg5.jpg	72,989 bytes	MD5: 0xB6FAB1BA23D882765AD1A06BE3E0F333 SHA-1: 0x33189607F901A003F9BEDD29B4C9BC67C8320D37	(not available)
16	%ProgramFiles%\PCenter\faq\images\gimg6.jpg	72,831 bytes	MD5: 0x3C62DBBFC7031E026F5BB0721654000E SHA-1: 0xA44E524B7199A204ED832D5EB5F310A2BA1B2532	(not available)
17	%ProgramFiles%\PCenter\faq\images\gimg7.jpg	66,434 bytes	MD5: 0xB26E8D771E9CDF30319D7B10359843D7 SHA-1: 0x5D8D8444833EB72BC4F63A0DFBDA1CBDFCB5E2C0	(not available)
18	%ProgramFiles%\PCenter\faq\images\gimg8.jpg	73,822 bytes	MD5: 0x493A9CE3CAF1CCF0F8D2EE36E10247DA SHA-1: 0x554AC2ED7552783A5348A500DD85673BC1567B86	(not available)
19	%ProgramFiles%\PCenter\faq\images\gimg9.jpg	74,766 bytes	MD5: 0xD5A33E0F1D1E1B72F731EB40C55960EB SHA-1: 0x8081CDBE894C22F7752C6A8DE6E7D7D53796524B	(not available)
20	%ProgramFiles%\PCenter\pc.exe	1,849,344 bytes	MD5: 0xDA5CFB0FBCF258722E3E967BC9F651A2 SHA-1: 0xEBD68AFF3DADBAA3858D79E1BC2BE9A5B775452D	FakeAlert-CP [McAfee]
21	%ProgramFiles%\PCenter\sounds\1.mp3	58,830 bytes	MD5: 0x289B099CDA4CF8DD36B3E847A6027831 SHA-1: 0xEDFCAE9EEA432EA050A533C430FBEC3EA5C6A636	(not available)
22	%ProgramFiles%\PCenter\sounds\3.mp3	76,593 bytes	MD5: 0x4E75B108C3C5DDE51AD6E212F8C1EF39 SHA-1: 0xEBC523E6FA085DA5FF075C67283D61EB96D41440	(not available)
23	%ProgramFiles%\PCenter\uninstall.exe	149,482 bytes	MD5: 0x36DCAD1C991125FA2B3C6C17AF2D5CAE SHA-1: 0x95119918AE268EEDFF77D9734B0C745FE74296ED	(not available)
24	[file and pathname of the sample #1]	1,981,631 bytes	MD5: 0xCE76FB0375F6BF2717371EC43FF6EDE2 SHA-1: 0x47E563AE8FC7A30BE9C2213CD74E841EED5E3BC9	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\PCenter
%AppData%\PCenter\dbases
%AppData%\PCenter\keys
%AppData%\PCenter\temp
%ProgramFiles%\PCenter
%ProgramFiles%\PCenter\faq
%ProgramFiles%\PCenter\faq\images
%ProgramFiles%\PCenter\sounds
%ProgramFiles%\PCenter\tools
%ProgramFiles%\PCenter\tools\sc
%ProgramFiles%\PCenter\tools\sp

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	200,704 bytes
agent.exe	%ProgramFiles%\pcenter\agent.exe	585,728 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy center
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy center]

DisplayName = "Privacy center"
UninstallString = "%ProgramFiles%\PCenter\uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]

FriendlyName = "Default MidiOut Device"
CLSID = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 38 00 00 00 48 00 00 00 6D 69 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 00 00 00 00 00 00 00 00 00 00 00 0
MidiOutId = 0xFFFFFFFF

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]

FriendlyName = "Default DirectSound Device"
CLSID = "{79376820-07D0-11CF-A24D-0020AFD79767}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 A8 00 00 00 B8 00 00 00 31 74 79 33 00 00 00 00 A8 00 00 00 C8 00 00 00 32 74 79 33 00 00 00 00 A8 00 00 0
DSGuid = "{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]

0 = E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00 02 01 00 00 00 00 00 00 01 00 20 00 49 00 00 00 40 00 64 00 65 00 76 00 69 00 63 00 65 00 3A 00 64 00 6D 00 6F 00 3A 00 7B 00 32 00 45 00 45 00 42 00 34 00 41 00 44 00 46 00 2D 00 34 00 35 00 37 00 38 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

agent.exe = "%ProgramFiles%\PCenter\agent.exe"

so that agent.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Shell = "%ProgramFiles%\PCenter\pc.exe"

so that pc.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

AMResourceMutex2
VideoRenderer

The following Host Name was requested from a host database:

pcenter56.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
194.165.4.39	80

The following HTTP URLs were started reading:

http://194.165.4.39/handlers/software_response.php?uid=0
http://pcenter56.com/avail

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.