ThreatExpert Report: Trojan.Win32.Pakes.ofu, Generic BackDoor.aad, Mal/MSIL-AY, Worm:Win32/Rebhip.A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 September 2012, 20:40:00
Processing time: 13 min 11 sec
Submitted sample:

File MD5: 0xCF968DBB979BE298EFF7B134624B616A
File SHA-1: 0x65602707C68AD34B9F1739338B005F83BA3ED433
Filesize: 556,032 bytes
Alias:

Trojan.Win32.Pakes.ofu [Kaspersky Lab]
Generic BackDoor.aad [McAfee]
Mal/MSIL-AY [Sophos]
Worm:Win32/Rebhip.A [Microsoft]
Trojan.Win32.Pakes [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Bifrost\logg.dat %ProgramFiles%\Bifrost\logg.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%AppData%\Bifrost\server.exe %Temp%\0.exe %ProgramFiles%\Bifrost\server.exe	100,285 bytes	MD5: 0xCE863EB9920B66DEF0756B98BCC975D3 SHA-1: 0x1FADD9AEEC949C04E21782AD8BE843988C7A703D	Win32.SuspectCrc [Ikarus]
3	%Temp%\1.exe	312,320 bytes	MD5: 0x083E1FDB7E8911194ABE575BDAABE603 SHA-1: 0xA1E463DBEC17752324D5073FBCBA9BCDC3FC8CEE	(not available)
4	[file and pathname of the sample #1]	556,032 bytes	MD5: 0xCF968DBB979BE298EFF7B134624B616A SHA-1: 0x65602707C68AD34B9F1739338B005F83BA3ED433	Trojan.Win32.Pakes.ofu [Kaspersky Lab] Generic BackDoor.aad [McAfee] Mal/MSIL-AY [Sophos] Worm:Win32/Rebhip.A [Microsoft] Trojan.Win32.Pakes [Ikarus]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%AppData%\Bifrost
%ProgramFiles%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
server.exe	%ProgramFiles%\Bifrost\server.exe	36,864 bytes
0.exe	%Temp%\0.exe	36,864 bytes
1.exe	%Temp%\1.exe	N/A

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{07B90934-C233-16D2-1288-6E3BE370585F}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{07B90934-C233-16D2-1288-6E3BE370585F}]

stubpath = "%ProgramFiles%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 01

Other details

To mark the presence in the system, the following Mutex object was created:

Bif1234

The following Host Names were requested from a host database:

max15.myftp.biz
bbox20.no-ip.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
max15.myftp.biz	81

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%ProgramFiles%\Internet Explorer\iexplore.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | EA00 0000 994F B271 E274 8C02 5AF2 B130 | .....O.q.t..Z..0
00000010 | 9FF5 3A12 6612 976F 202A 2FA6 F3E0 2F22 | ..:.f..o */.../"
00000020 | 3572 93A1 EA72 7DBD F3E8 B8B6 3CAC 00AA | 5r...r}.....<...
00000030 | 48AC 2B97 E974 4820 8DC4 4004 D922 4B26 | H.+..tH ..@.."K&
00000040 | 1D0B 2F4A 9C9B 9AE8 0C09 4762 8C69 6EBE | ../J......Gb.in.
00000050 | F5F7 7295 1964 440C B7FF 50F2 4292 0896 | ..r..dD...P.B...
00000060 | 92AB A89F 2323 CC5E 47F3 22A7 B382 7CAA | ....##.^G."...|.
00000070 | 5E78 5A88 B9B5 8A20 7EF2 5117 F9CB 0C3D | ^xZ.... ~.Q....=
00000080 | 6CF5 11FC 27BC 6EF7 62F6 1C4A 9541 08A2 | l...'.n.b..J.A..
00000090 | 28C5 8D36 73E4 0CD6 0C74 A4D4 7DE6 BAE3 | (..6s....t..}...
000000A0 | 4975 38F9 D9BD 37F6 8E9B 708C 8B1E C4E4 | Iu8...7...p.....
000000B0 | A293 E37E F42B 9C4C 8190 37AB 3AA9 22EB | ...~.+.L..7.:.".
000000C0 | 472A D329 1461 5FD7 C8F7 60FF A5C5 A081 | G*.).a_...`.....
000000D0 | 4BA1 B7F7 040F 7CE8 F208 13B6 3C10 7908 | K.....|.....<.y.
000000E0 | 5135 B049 4204 F00A B9EF 77BF BFCE      | Q5.IB.....w...

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.