ThreatExpert Report: Backdoor.Win32.Poison.ayiw

Submission Summary:

Submission details:

Submission received: 3 November 2009, 16:28:54
Processing time: 5 min 3 sec
Submitted sample:

File MD5: 0xD026DCFAC0411439D40E4BA57856A545
File SHA-1: 0x489D9A2AB2C3105A2210F51C331574A5ACAF57FA
Filesize: 111,203 bytes
Alias: Backdoor.Win32.Poison.ayiw [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\Notexpad.exe [file and pathname of the sample #1]	111,203 bytes	MD5: 0xD026DCFAC0411439D40E4BA57856A545 SHA-1: 0x489D9A2AB2C3105A2210F51C331574A5ACAF57FA	Backdoor.Win32.Poison.ayiw [Kaspersky Lab]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following file was modified:

%System%\drivers\etc\hosts

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	32,768 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

scssrr.exe = "%Windir%\Notexpad.exe"

so that Notexpad.exe runs every time Windows starts

Other details

The HOSTS file was updated with the following URL-to-IP mappings:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.