Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have a negative impact on the overall system security state.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Security Risk | Description
Adware.Component.Generic | Common components that may be used by AdMedia, Adware.Allsum, Adware.Agent.BN, Trojan.Downloader.VideoCach and other adware.
Adware.AdMedia | AdMedia is a Browser Helper Object which hooks into Internet Explorer and contacts various websites to download additional malware while Internet Explorer is open.

Threat Category | Description
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment

File System Modifications

# | Filename(s) | File Size | File Hash (MD5, SHA-1) | Alias
1 %ProgramFiles%\XPPoliceAntivirus\setup.dat 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
2 %Windir%\iehost.dll 19,968 bytes MD5: 0x9FD6D3F13B379AA05079BD7901C779BC
SHA-1: 0x4B2608017D081F9B14D0C467F4FB3BA72A14E00D
Trojan.Fakeavalert [Symantec]
Trojan:Win32/Tibs.gen!lds [Microsoft]
3 [file and pathname of the sample #1] 72,704 bytes MD5: 0xCF4B1622DEE07228E76670C04361B01A
SHA-1: 0x94823AA6F22D4499C79B168F6CACCF2B09149147
Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos]
TrojanDownloader:Win32/Renos.GN [Microsoft]

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 155,648 bytes
[generic host process] | [generic host process filename] | 20,480 bytes

Service Name | Display Name | New Status | Service Filename
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs

Registry Modifications

Other details

Downloaded File Summary:

What's been found | Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Security Risk | Description
RogueAntiSpyware.XPAntispyware | RogueAntiSpyware.XPAntispyware displays fake alerts as part of its malware payload in order to persuade users into buying the rogue antispyware product.

File System Modifications

# | Filename(s) | File Size | File Hash (MD5, SHA-1) | Alias
1 %DesktopDir%\XP Police Antivirus.LNK 1,518 bytes MD5: 0x1B49F84D156795A64E03F6700B45A708
SHA-1: 0xB37B99475C1207C0F481EDB188FF38A16F55F1C2
(not available)
2 %StartMenu%\XP Police Antivirus.LNK 1,518 bytes MD5: 0xA108E49C25185DE17E0A8AFAB4F0CFD7
SHA-1: 0x691D70FC20E358D9342E19095CE969E806ADACA9
(not available)
3 %System%\AVCoreFn.dll 581,632 bytes MD5: 0x42AD0E53CD7958D2C17E5A2CF2081030
SHA-1: 0xB4AFAD332018C1F3EA0BC34A770DBADEB619EA15
Trojan:Win32/Tibs.gen!lds [Microsoft]
4 %System%\bdconf.cfg 71 bytes MD5: 0x691C8F94778606FF15232A7438B673A0
SHA-1: 0x772C2ED827C67860D61B496E0688F2215FB99307
(not available)
5 %System%\Core.dll 507,904 bytes MD5: 0x7E5B5551F2A28DC8305BD28C70ACC0EF
SHA-1: 0x0CC60435B61FE478E091D6C79E16078A495CD4BD
Trojan:Win32/Tibs.gen!lds [Microsoft]
6 %System%\Plugins\cevakrnl.cvd 358,723 bytes MD5: 0x0F342407922483585BC74FBA5029CA68
SHA-1: 0x802E44AF669B864C4286179FD22C297BFFF0AAC7
(not available)
7 %System%\Plugins\cevakrnl.ivd 129,373 bytes MD5: 0xF93CDE6DA0998FB4E3A202D2CCD3E89C
SHA-1: 0xE4DDED01365AB56B1DC97F4C6F56D6455DE2D60D
(not available)
8 %System%\Plugins\cevakrnl.rvd 411,025 bytes MD5: 0x5D79E1AEE2563AB43C592C5EB6ED21E1
SHA-1: 0xD8D162DC25153CF8ED2055D55186DA44241F304E
(not available)
9 %System%\Plugins\ceva_dll.cvd 120,121 bytes MD5: 0x2396227606F2F07E32EB13156EFEE03D
SHA-1: 0x5E59DB76A3CF53CE34020095866B2D4FD768608B
(not available)
10 %System%\Plugins\ceva_emu.cvd 129,906 bytes MD5: 0xBA60756A62900DF23B0E0512333DE099
SHA-1: 0xD3EAB1012A93482FBFB4DD8472C9AA453412FB8C
(not available)
11 %System%\Plugins\ceva_vfs.cvd 396,598 bytes MD5: 0x524F55D178510C8A0D7B8CE675B1ACE1
SHA-1: 0x1FEAD49FCAECACFCDB7D99302A2D0D6CBD3E4ABA
(not available)
12 %System%\Plugins\ceva_vfs.ivd 52,320 bytes MD5: 0xD01FDCA1E496E4D5260A1D25318A04CF
SHA-1: 0xDC59E318D027F9E2A9AE6F340A598CD8A17EF265
(not available)
13 %System%\Plugins\cookie.cvd 24,972 bytes MD5: 0xBD8BCD43E7D76A3E7ED7C7596C91108B
SHA-1: 0x36873D9E29D473D6E9C70B170905106A5E84A43D
(not available)
14 %System%\Plugins\cran.cvd 295,343 bytes MD5: 0x10B48D5491435235DD3C712CA68A05C5
SHA-1: 0xBB36A6E3AA26E52C8727038C10AB5D52038B47FF
(not available)
15 %System%\Plugins\cran.ivd 170,059 bytes MD5: 0xF0208B10E72542526EFAF161549FDB82
SHA-1: 0x3F2D0913BA35B3AEF8A0D831FCE443ADD7BF0B7B
(not available)
16 %System%\Plugins\emalware.ivd 32,189 bytes MD5: 0xE41A4C5BCCAAE90F89BDCD449F186708
SHA-1: 0xE2C91CAF65AE02DEFA2E6ABEB7456231D2329D53
(not available)
17 %System%\Plugins\e_spyw.cvd 301,831 bytes MD5: 0xBF19A363E3F5EE63027384A7C3EF2ABA
SHA-1: 0xFC278A16122967844E8CB8796477321A18EA6DDB
(not available)
18 %System%\Plugins\e_spyw.ivd 66,261 bytes MD5: 0x6E60215D90443793E2056256B3A165F4
SHA-1: 0x274AB013F348A9EDC612A19583635A013442EF05
(not available)
19 %System%\Plugins\gvmscripts.cvd 128,135 bytes MD5: 0x95ABAE6250B81B83297E53311595B2D0
SHA-1: 0x10D8E5245249619B777FBBC2A5921A1EFC0D6873
(not available)
20 %System%\Plugins\hpe.cvd 4,669 bytes MD5: 0xA167B91058A2265BB701BE77663AADD2
SHA-1: 0xFB2BA461ECB0749405A2F109080471916989099B
(not available)
21 %System%\Plugins\java.cvd 3,318 bytes MD5: 0x520DAEA671A3B2B0EAA45113545CC212
SHA-1: 0x4767C1A7DDF79A3E23B142C0CCF1D4E4F0D135C8
(not available)
22 %System%\Plugins\mdx_97.cvd 344,892 bytes MD5: 0x2811DB3512489DD6457E98A689487EEB
SHA-1: 0xBE9E840462E16E6994904ACD3A43E5216D2C8A0C
(not available)
23 %System%\Plugins\mdx_97.ivd 173,258 bytes MD5: 0x572109E80B783D8BCB97759923992D06
SHA-1: 0x3545A7FA3C7548F72BC1176B713B98B415ED7B36
(not available)
24 %System%\Plugins\mdx_w95.cvd 59,489 bytes MD5: 0x61295A899329F7D21DB20531E5442579
SHA-1: 0xBC39DAFC6D2FDBD907399174D44CFB216F4A01B8
(not available)
25 %System%\Plugins\mdx_x95.cvd 9,651 bytes MD5: 0x1B2E442311647EB16A85896E9331903A
SHA-1: 0x8B176837F27A3243AEEC56AF425B6C02C9CA0CA1
(not available)
26 %System%\Plugins\mdx_xf.cvd 1,948 bytes MD5: 0x7953EF34609E54E46C38F9D7D70E14C2
SHA-1: 0x781D556D4941DDEF6698FB0A165E6BEDC387E2AE
(not available)
27 %System%\Plugins\mobmalware.cvd 5,672 bytes MD5: 0x743EB9A1E32B51B7F287466F92417E69
SHA-1: 0xE087C7F58245F2A40123E90F384E3C65BE33B5E0
(not available)
28 %System%\Plugins\na.cvd 205 bytes MD5: 0xEF3665E9F27A52EFB6D2A14A7889AD38
SHA-1: 0x3CAF0EF524FAC4A7A1D25CE9C69FAE74C4E677AB
(not available)
29 %System%\Plugins\nelf.cvd 6,473 bytes MD5: 0x0995CFEF1AC62029B40C9EEE7CBE7203
SHA-1: 0xAEB31B7580EB6AD32D9F3FD6A14FDA1A49D845E7
(not available)
30 %System%\Plugins\regarch.cvd 203 bytes MD5: 0x8C187C523F7CA198981882F95325D47D
SHA-1: 0xDCA5DC32627AF19A76A78DB788F34BB9EAE166E7
(not available)
31 %System%\Plugins\regscan.cvd 15,292 bytes MD5: 0x3E4E2EB4E61AC69C75B187C1B8521367
SHA-1: 0x0162B449A231B284D9D05B7B89812A90D0EC7454
(not available)
32 %System%\Plugins\rup.cvd 1,904 bytes MD5: 0x38A809F56C21E9DCD21CCB289679B75C
SHA-1: 0xE1DB9F8AA0F1210ED74BA6E45CC7B6917B752A70
(not available)
33 %System%\Plugins\sdx.cvd 191,100 bytes MD5: 0xCFD4E38254208BCC84669E099AB0EE85
SHA-1: 0x7ED12128C71C4F46448C04BF794D2B7B9F5C689F
(not available)
34 %System%\Plugins\sdx.ivd 149,855 bytes MD5: 0xF6991C0768608742D75AF529B4BE202F
SHA-1: 0xED3C3018DE95218B70D59C7E22F99BE2C1349EA2
(not available)
35 %System%\Plugins\unpack.cvd 193,291 bytes MD5: 0x8D1CD8DF8F6FC7F48A1D48D454F40F82
SHA-1: 0xC2675CA3BDDA7DC83845945AF9247C2743FD7ACC
(not available)
36 %System%\Plugins\unpack.ivd 152,049 bytes MD5: 0x3C3A10C42AAE726AADB8C5E50C737C63
SHA-1: 0x28EAB89EEFF976505DA66E705578F26E22B06C25
(not available)
37 %System%\Plugins\vb0.dat 63 bytes MD5: 0x9721659A7553ED97E26788F5A82AD4ED
SHA-1: 0x2E0F2C3BB8A96C83E4BA6BF7CBED98CF15B74A9A
(not available)
38 %System%\Plugins\vb1.dat 938,600 bytes MD5: 0x66D68B291388322D35C3E6572170413E
SHA-1: 0xAEB4D03531E63A3FBE26E2FC631761CF198D872E
(not available)
39 %System%\Plugins\vb2.dat 104,099 bytes MD5: 0x10A11EF8B05962B233EDE65DB320EFAF
SHA-1: 0x9BB897754CDD6D5CB65E205C05CA751B71B7E4E9
(not available)
40 %System%\Plugins\ve.cvd 49,435 bytes MD5: 0x87B32F6CEF9D80F2233D7E6C290E4EC4
SHA-1: 0x23842F3FD3805C33EB39A4BC82B7DEAA72825CCD
(not available)
41 %System%\Plugins\ve.ivd 48 bytes MD5: 0x9B9C94896A756CD00D641156EFC528C8
SHA-1: 0x96CB6FF04B1494CA0DFFE283A6242418CA35F160
(not available)
42 %System%\Plugins\vedata.cvd 688 bytes MD5: 0x301B8CDC470B5BF3BF8060915230DE23
SHA-1: 0x7A7A1CB8D77026B2EC33A1C00E4474CE049C9669
(not available)
43 [file and pathname of the sample #1] 7,496,666 bytes MD5: 0x02C70E55829EB22533498EF90480DA23
SHA-1: 0x7B83830F44FE084891EDA5F868BF1BA8F07D7EF1
(not available)
44 %System%\sounds\alert.wav 39,382 bytes MD5: 0x19B1FE35E57567843009857DF3BA1CDB
SHA-1: 0xF80815C6D8B832EEA9F1E30473AF13405D2EFFD3
(not available)
45 %System%\sounds\click.wav 2,202 bytes MD5: 0xC2E5A28D15ADA7BBFF5F039C4C55DEA3
SHA-1: 0xFB33FD00711440B9D0F3B3D526A753ED75640797
(not available)
46 %System%\sounds\fire.wav 36,910 bytes MD5: 0xE221302BEA8F7D6DA1AF46B0B630AA15
SHA-1: 0xBBA88FC28DF7AE963A2773BD509414CDB6F059A6
(not available)
47 %System%\xppolice.exe 1,990,656 bytes MD5: 0xFE3700B340CA47362573C9200A8976D4
SHA-1: 0x8232B94EDFCC8BB7A9C65EB2F38EF2622B0466A7
(not available)

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 106,496 bytes
xppolice.exe | %System%\xppolice.exe | 2,035,712 bytes

Registry Modifications

Other details

Russian Federation
Ukraine

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.