ThreatExpert Report: Mal/FakeVirPk-A, Mal/TibsPk-A, TrojanDownloader:Win32/Renos.GN..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 14 February 2009, 04:45:27
Processing time: 8 min 7 sec
Submitted sample:

File MD5: 0xCF4B1622DEE07228E76670C04361B01A
File SHA-1: 0x94823AA6F22D4499C79B168F6CACCF2B09149147
Filesize: 72,704 bytes
Alias:

Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos]
TrojanDownloader:Win32/Renos.GN [Microsoft]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.Component.Generic	Common Components that may be used by AdMedia, Adware.Allsum, Adware.Agent.BN, Trojan.Downloader.VideoCach and other adwares.
Adware.AdMedia	AdMedia is a Browser Helper Object which hooks to Internet Explorer and contacts various websites to download additional malware while Internet Explorere is open.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\XPPoliceAntivirus\setup.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%Windir%\iehost.dll	19,968 bytes	MD5: 0x9FD6D3F13B379AA05079BD7901C779BC SHA-1: 0x4B2608017D081F9B14D0C467F4FB3BA72A14E00D	Trojan.Fakeavalert [Symantec] Trojan:Win32/Tibs.gen!lds [Microsoft]
3	[file and pathname of the sample #1]	72,704 bytes	MD5: 0xCF4B1622DEE07228E76670C04361B01A SHA-1: 0x94823AA6F22D4499C79B168F6CACCF2B09149147	Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos] TrojanDownloader:Win32/Renos.GN [Microsoft]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%ProgramFiles%\XPPoliceAntivirus

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	155,648 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following system service was modified:

Service Name	Display Name	New Status	Service Filename
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6b571fb-b71d-449c-ad70-82e966328795}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\VersionIndependentProgID]

(Default) = "WinApp.WinSafe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\TypeLib]

(Default) = "{16406580-14ce-4441-b904-ad56cc8064ca}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\ProgID]

(Default) = "WinApp.WinSafe.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}\InprocServer32]

(Default) = "%Windir%\iehost.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}]

(Default) = "WinSafe Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib]

(Default) = "{16406580-14CE-4441-B904-AD56CC8064CA}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}]

(Default) = "_IBhoAppEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib]

(Default) = "{16406580-14CE-4441-B904-AD56CC8064CA}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}]

(Default) = "IBhoApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\0\win32]

(Default) = "%Windir%\iehost.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\HELPDIR]

(Default) = "%Windir%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}\1.0]

(Default) = "WinSafe 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CurVer]

(Default) = "WinApp.WinSafe.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe\CLSID]

(Default) = "{b6b571fb-b71d-449c-ad70-82e966328795}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe]

(Default) = "WinSafe Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1\CLSID]

(Default) = "{b6b571fb-b71d-449c-ad70-82e966328795}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinApp.WinSafe.1]

(Default) = "WinSafe Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusDisableNotify = "1"
FirewallDisableNotify = "1"
UpdatesDisableNotify = "1"

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6b571fb-b71d-449c-ad70-82e966328795}]

NoExplorer = 0x00000001

[HKEY_CURRENT_USER\Control Panel\don't load]

scui.cpl = "No"
wscui.cpl = "No"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = "1"
DisableRegistryTools = "1"

to prevent users from starting Task Manager (Taskmgr.exe)

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001

Other details

The data identified by the following URL was then requested from the remote web server:

http://89.149.194.188/setup.dat

Downloaded File Summary:

Download details:

Download retrieved: 14 February 2009 04:53:40
Processing time: 8 min 59 sec
Downloaded sample:

File MD5: 0x02C70E55829EB22533498EF90480DA23
File SHA-1: 0x7B83830F44FE084891EDA5F868BF1BA8F07D7EF1
Filesize: 7,496,666 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.XPAntispyware	RogueAntiSpyware.XPAntispyware displays fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\XP Police Antivirus.LNK	1,518 bytes	MD5: 0x1B49F84D156795A64E03F6700B45A708 SHA-1: 0xB37B99475C1207C0F481EDB188FF38A16F55F1C2	(not available)
2	%StartMenu%\XP Police Antivirus.LNK	1,518 bytes	MD5: 0xA108E49C25185DE17E0A8AFAB4F0CFD7 SHA-1: 0x691D70FC20E358D9342E19095CE969E806ADACA9	(not available)
3	%System%\AVCoreFn.dll	581,632 bytes	MD5: 0x42AD0E53CD7958D2C17E5A2CF2081030 SHA-1: 0xB4AFAD332018C1F3EA0BC34A770DBADEB619EA15	Trojan:Win32/Tibs.gen!lds [Microsoft]
4	%System%\bdconf.cfg	71 bytes	MD5: 0x691C8F94778606FF15232A7438B673A0 SHA-1: 0x772C2ED827C67860D61B496E0688F2215FB99307	(not available)
5	%System%\Core.dll	507,904 bytes	MD5: 0x7E5B5551F2A28DC8305BD28C70ACC0EF SHA-1: 0x0CC60435B61FE478E091D6C79E16078A495CD4BD	Trojan:Win32/Tibs.gen!lds [Microsoft]
6	%System%\Plugins\cevakrnl.cvd	358,723 bytes	MD5: 0x0F342407922483585BC74FBA5029CA68 SHA-1: 0x802E44AF669B864C4286179FD22C297BFFF0AAC7	(not available)
7	%System%\Plugins\cevakrnl.ivd	129,373 bytes	MD5: 0xF93CDE6DA0998FB4E3A202D2CCD3E89C SHA-1: 0xE4DDED01365AB56B1DC97F4C6F56D6455DE2D60D	(not available)
8	%System%\Plugins\cevakrnl.rvd	411,025 bytes	MD5: 0x5D79E1AEE2563AB43C592C5EB6ED21E1 SHA-1: 0xD8D162DC25153CF8ED2055D55186DA44241F304E	(not available)
9	%System%\Plugins\ceva_dll.cvd	120,121 bytes	MD5: 0x2396227606F2F07E32EB13156EFEE03D SHA-1: 0x5E59DB76A3CF53CE34020095866B2D4FD768608B	(not available)
10	%System%\Plugins\ceva_emu.cvd	129,906 bytes	MD5: 0xBA60756A62900DF23B0E0512333DE099 SHA-1: 0xD3EAB1012A93482FBFB4DD8472C9AA453412FB8C	(not available)
11	%System%\Plugins\ceva_vfs.cvd	396,598 bytes	MD5: 0x524F55D178510C8A0D7B8CE675B1ACE1 SHA-1: 0x1FEAD49FCAECACFCDB7D99302A2D0D6CBD3E4ABA	(not available)
12	%System%\Plugins\ceva_vfs.ivd	52,320 bytes	MD5: 0xD01FDCA1E496E4D5260A1D25318A04CF SHA-1: 0xDC59E318D027F9E2A9AE6F340A598CD8A17EF265	(not available)
13	%System%\Plugins\cookie.cvd	24,972 bytes	MD5: 0xBD8BCD43E7D76A3E7ED7C7596C91108B SHA-1: 0x36873D9E29D473D6E9C70B170905106A5E84A43D	(not available)
14	%System%\Plugins\cran.cvd	295,343 bytes	MD5: 0x10B48D5491435235DD3C712CA68A05C5 SHA-1: 0xBB36A6E3AA26E52C8727038C10AB5D52038B47FF	(not available)
15	%System%\Plugins\cran.ivd	170,059 bytes	MD5: 0xF0208B10E72542526EFAF161549FDB82 SHA-1: 0x3F2D0913BA35B3AEF8A0D831FCE443ADD7BF0B7B	(not available)
16	%System%\Plugins\emalware.ivd	32,189 bytes	MD5: 0xE41A4C5BCCAAE90F89BDCD449F186708 SHA-1: 0xE2C91CAF65AE02DEFA2E6ABEB7456231D2329D53	(not available)
17	%System%\Plugins\e_spyw.cvd	301,831 bytes	MD5: 0xBF19A363E3F5EE63027384A7C3EF2ABA SHA-1: 0xFC278A16122967844E8CB8796477321A18EA6DDB	(not available)
18	%System%\Plugins\e_spyw.ivd	66,261 bytes	MD5: 0x6E60215D90443793E2056256B3A165F4 SHA-1: 0x274AB013F348A9EDC612A19583635A013442EF05	(not available)
19	%System%\Plugins\gvmscripts.cvd	128,135 bytes	MD5: 0x95ABAE6250B81B83297E53311595B2D0 SHA-1: 0x10D8E5245249619B777FBBC2A5921A1EFC0D6873	(not available)
20	%System%\Plugins\hpe.cvd	4,669 bytes	MD5: 0xA167B91058A2265BB701BE77663AADD2 SHA-1: 0xFB2BA461ECB0749405A2F109080471916989099B	(not available)
21	%System%\Plugins\java.cvd	3,318 bytes	MD5: 0x520DAEA671A3B2B0EAA45113545CC212 SHA-1: 0x4767C1A7DDF79A3E23B142C0CCF1D4E4F0D135C8	(not available)
22	%System%\Plugins\mdx_97.cvd	344,892 bytes	MD5: 0x2811DB3512489DD6457E98A689487EEB SHA-1: 0xBE9E840462E16E6994904ACD3A43E5216D2C8A0C	(not available)
23	%System%\Plugins\mdx_97.ivd	173,258 bytes	MD5: 0x572109E80B783D8BCB97759923992D06 SHA-1: 0x3545A7FA3C7548F72BC1176B713B98B415ED7B36	(not available)
24	%System%\Plugins\mdx_w95.cvd	59,489 bytes	MD5: 0x61295A899329F7D21DB20531E5442579 SHA-1: 0xBC39DAFC6D2FDBD907399174D44CFB216F4A01B8	(not available)
25	%System%\Plugins\mdx_x95.cvd	9,651 bytes	MD5: 0x1B2E442311647EB16A85896E9331903A SHA-1: 0x8B176837F27A3243AEEC56AF425B6C02C9CA0CA1	(not available)
26	%System%\Plugins\mdx_xf.cvd	1,948 bytes	MD5: 0x7953EF34609E54E46C38F9D7D70E14C2 SHA-1: 0x781D556D4941DDEF6698FB0A165E6BEDC387E2AE	(not available)
27	%System%\Plugins\mobmalware.cvd	5,672 bytes	MD5: 0x743EB9A1E32B51B7F287466F92417E69 SHA-1: 0xE087C7F58245F2A40123E90F384E3C65BE33B5E0	(not available)
28	%System%\Plugins\na.cvd	205 bytes	MD5: 0xEF3665E9F27A52EFB6D2A14A7889AD38 SHA-1: 0x3CAF0EF524FAC4A7A1D25CE9C69FAE74C4E677AB	(not available)
29	%System%\Plugins\nelf.cvd	6,473 bytes	MD5: 0x0995CFEF1AC62029B40C9EEE7CBE7203 SHA-1: 0xAEB31B7580EB6AD32D9F3FD6A14FDA1A49D845E7	(not available)
30	%System%\Plugins\regarch.cvd	203 bytes	MD5: 0x8C187C523F7CA198981882F95325D47D SHA-1: 0xDCA5DC32627AF19A76A78DB788F34BB9EAE166E7	(not available)
31	%System%\Plugins\regscan.cvd	15,292 bytes	MD5: 0x3E4E2EB4E61AC69C75B187C1B8521367 SHA-1: 0x0162B449A231B284D9D05B7B89812A90D0EC7454	(not available)
32	%System%\Plugins\rup.cvd	1,904 bytes	MD5: 0x38A809F56C21E9DCD21CCB289679B75C SHA-1: 0xE1DB9F8AA0F1210ED74BA6E45CC7B6917B752A70	(not available)
33	%System%\Plugins\sdx.cvd	191,100 bytes	MD5: 0xCFD4E38254208BCC84669E099AB0EE85 SHA-1: 0x7ED12128C71C4F46448C04BF794D2B7B9F5C689F	(not available)
34	%System%\Plugins\sdx.ivd	149,855 bytes	MD5: 0xF6991C0768608742D75AF529B4BE202F SHA-1: 0xED3C3018DE95218B70D59C7E22F99BE2C1349EA2	(not available)
35	%System%\Plugins\unpack.cvd	193,291 bytes	MD5: 0x8D1CD8DF8F6FC7F48A1D48D454F40F82 SHA-1: 0xC2675CA3BDDA7DC83845945AF9247C2743FD7ACC	(not available)
36	%System%\Plugins\unpack.ivd	152,049 bytes	MD5: 0x3C3A10C42AAE726AADB8C5E50C737C63 SHA-1: 0x28EAB89EEFF976505DA66E705578F26E22B06C25	(not available)
37	%System%\Plugins\vb0.dat	63 bytes	MD5: 0x9721659A7553ED97E26788F5A82AD4ED SHA-1: 0x2E0F2C3BB8A96C83E4BA6BF7CBED98CF15B74A9A	(not available)
38	%System%\Plugins\vb1.dat	938,600 bytes	MD5: 0x66D68B291388322D35C3E6572170413E SHA-1: 0xAEB4D03531E63A3FBE26E2FC631761CF198D872E	(not available)
39	%System%\Plugins\vb2.dat	104,099 bytes	MD5: 0x10A11EF8B05962B233EDE65DB320EFAF SHA-1: 0x9BB897754CDD6D5CB65E205C05CA751B71B7E4E9	(not available)
40	%System%\Plugins\ve.cvd	49,435 bytes	MD5: 0x87B32F6CEF9D80F2233D7E6C290E4EC4 SHA-1: 0x23842F3FD3805C33EB39A4BC82B7DEAA72825CCD	(not available)
41	%System%\Plugins\ve.ivd	48 bytes	MD5: 0x9B9C94896A756CD00D641156EFC528C8 SHA-1: 0x96CB6FF04B1494CA0DFFE283A6242418CA35F160	(not available)
42	%System%\Plugins\vedata.cvd	688 bytes	MD5: 0x301B8CDC470B5BF3BF8060915230DE23 SHA-1: 0x7A7A1CB8D77026B2EC33A1C00E4474CE049C9669	(not available)
43	[file and pathname of the sample #1]	7,496,666 bytes	MD5: 0x02C70E55829EB22533498EF90480DA23 SHA-1: 0x7B83830F44FE084891EDA5F868BF1BA8F07D7EF1	(not available)
44	%System%\sounds\alert.wav	39,382 bytes	MD5: 0x19B1FE35E57567843009857DF3BA1CDB SHA-1: 0xF80815C6D8B832EEA9F1E30473AF13405D2EFFD3	(not available)
45	%System%\sounds\click.wav	2,202 bytes	MD5: 0xC2E5A28D15ADA7BBFF5F039C4C55DEA3 SHA-1: 0xFB33FD00711440B9D0F3B3D526A753ED75640797	(not available)
46	%System%\sounds\fire.wav	36,910 bytes	MD5: 0xE221302BEA8F7D6DA1AF46B0B630AA15 SHA-1: 0xBBA88FC28DF7AE963A2773BD509414CDB6F059A6	(not available)
47	%System%\xppolice.exe	1,990,656 bytes	MD5: 0xFE3700B340CA47362573C9200A8976D4 SHA-1: 0x8232B94EDFCC8BB7A9C65EB2F38EF2622B0466A7	(not available)

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%StartMenu% is a variable that refers to the file system directory containing Start menu items. A typical path is C:\Documents and Settings\[UserName]\Start Menu.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%System%\Plugins
%System%\sounds

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	106,496 bytes
xppolice.exe	%System%\xppolice.exe	2,035,712 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

PoliceAV = "%System%\xppolice.exe"

so that xppolice.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Ukraine

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.