ThreatExpert Report: Backdoor.VB!sd6, Backdoor.Win32.VB.grp, Backdoor.Win32.VB, Trojan Horse..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 12 December 2008, 10:48:54
Processing time: 7 min 5 sec
Submitted sample:

File MD5: 0xD6016CF5762FC462E7BE93597A1FE3B2
File SHA-1: 0x1B8464644ABEF95200A9F03FD1CBEE69A7B50A8E
Filesize: 1,262,592 bytes
Alias:

Backdoor.VB!sd6 [PCTools]
Backdoor.Win32.VB.grp [Kaspersky Lab]
Backdoor.Win32.VB [Ikarus]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.VB!sd6	Backdoor.VB!sd6 is a malicious application that runs in the background and allows remote access to your system, giving the attacker full control of your system.
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\IXP000.TMP\explore.exe %System%\explore.exe	61,440 bytes	MD5: 0x635F983017C66039C6D7B32C8BECB970 SHA-1: 0xB4F40CE64BE56196F5BDB37D509FBAD7D2821BD5	Backdoor.VB!sd6 [PCTools] Trojan Horse [Symantec] Backdoor.Win32.VB.grp [Kaspersky Lab] Generic BackDoor [McAfee] Mal/Emogen-F [Sophos] Trojan:Win32/Sibleep.gen [Microsoft] Backdoor.Win32.VB [Ikarus]
2	%Temp%\IXP000.TMP\WRAR38~1.EXE	1,234,120 bytes	MD5: 0x7E8D59D3C0893730A9A590DB51C6D052 SHA-1: 0x7D432C4AB3647B4D9666DA4393C8E9BFC37E24AB	(not available)
3	%ProgramFiles%\WinRAR\Default.SFX	104,448 bytes	MD5: 0xA70A0C64D38CB274331F9488445A68F2 SHA-1: 0xEE76A3ADB2F7B1716D34E08641AA34C6D3A460B1	(not available)
4	%ProgramFiles%\WinRAR\Descript.ion	1,063 bytes	MD5: 0xB63259E35240A56947AC7D8B9E720EA0 SHA-1: 0x7EF21E641B5C40703E75C86CF1214AEE9CEC4566	(not available)
5	%ProgramFiles%\WinRAR\File_Id.diz	502 bytes	MD5: 0xC764040BDA6A3183A5898F88B0434CA4 SHA-1: 0x9420F277309DFC012F76168F50A26C505937AB3E	(not available)
6	%ProgramFiles%\WinRAR\Formats\7z.fmt	89,088 bytes	MD5: 0x0977E124C0054BB0C1C710A0CFA21A42 SHA-1: 0x3D16A4B7CBD6AC44CFDB25A1F50C56828FD53255	(not available)
7	%ProgramFiles%\WinRAR\Formats\7zxa.dll	163,328 bytes	MD5: 0x71FD74DF7BF558F85462C60A40B4AC92 SHA-1: 0x55A03EB940B5D2159B5AB62C3F6BE066424E8686	(not available)
8	%ProgramFiles%\WinRAR\Formats\ace.fmt	56,832 bytes	MD5: 0xC2B3E1D610CA6499AD1BF1C8E71ADB0A SHA-1: 0x363C569F98225D510DEAB6FF8D548D2F7D12BCD6	(not available)
9	%ProgramFiles%\WinRAR\Formats\arj.fmt	53,248 bytes	MD5: 0x6AA042E75E676C421D9BFCBE5BAA171F SHA-1: 0x26A7FBF32F618EE3D6E66BF9C9ECB304CFE53456	(not available)
10	%ProgramFiles%\WinRAR\Formats\bz2.fmt	74,752 bytes	MD5: 0x98C6F0EEB717DBDA5F419FAA28F0FCF5 SHA-1: 0xA0D57E6B050FBEF7A2CC3806CE7A3D2B4913504C	(not available)
11	%ProgramFiles%\WinRAR\Formats\cab.fmt	51,200 bytes	MD5: 0x060F196677E5B099F3DF3447BC751D07 SHA-1: 0x22C66046F921429A8B58A617E8EDAF387A408443	(not available)
12	%ProgramFiles%\WinRAR\Formats\gz.fmt	64,000 bytes	MD5: 0x011B577685DBB23D2F39D94C4AE7859A SHA-1: 0x71044601CB7EAADA762D34448C531C0D2FA3D8AA	(not available)
13	%ProgramFiles%\WinRAR\Formats\iso.fmt	73,728 bytes	MD5: 0xE30A9FD41FF1567F39BB929A52CD32C3 SHA-1: 0x2D22C5648F9ACC7B5675179229B69B384CDCC591	(not available)
14	%ProgramFiles%\WinRAR\Formats\lzh.fmt	58,368 bytes	MD5: 0xE63646F82FFBB3433DF965421337B506 SHA-1: 0xCA76A20A781FC41712C84B413952460DDBCD7866	(not available)
15	%ProgramFiles%\WinRAR\Formats\tar.fmt	55,296 bytes	MD5: 0xFCFC2C0A30F92BCB2963FF9745AFA5AB SHA-1: 0xFFD21ABC1C43B82D913B80384BB2FC26A9A60729	(not available)
16	%ProgramFiles%\WinRAR\Formats\UNACEV2.DLL	77,312 bytes	MD5: 0xDE02C4D04088B69E64ECC30A3D9E22E5 SHA-1: 0xA5F66D420B6A6EBB04242FB85CA462A99DBF89B6	packed with PE_Patch [Kaspersky Lab]
17	%ProgramFiles%\WinRAR\Formats\uue.fmt	48,128 bytes	MD5: 0xE33FF0C8D104F0EE4AA5977152E7E256 SHA-1: 0x03A93E4BCF33F9E860013D1BDCB5873EA4A30574	(not available)
18	%ProgramFiles%\WinRAR\Formats\z.fmt	59,392 bytes	MD5: 0x7230D7F581CEF4B832845ACCD36BFB18 SHA-1: 0x1643A8155913DFC2719D143C57C5F208CD3F1CFB	(not available)
19	%ProgramFiles%\WinRAR\License.txt	6,428 bytes	MD5: 0x62037EF975F0100AC52C9922BCA52934 SHA-1: 0x57F3A134F99940A40271FB7A515FE1C240D10782	(not available)
20	%ProgramFiles%\WinRAR\Order.htm	3,271 bytes	MD5: 0x3458285036E0F1B8B5A66C4957028640 SHA-1: 0x43304D07209E2010E838ECD7F855FAFDB83F3750	(not available)
21	%ProgramFiles%\WinRAR\Rar.exe	323,072 bytes	MD5: 0x073AD45909545C33219FB92A0CBC5D41 SHA-1: 0xF11979641099B87D490554EF148F8AC1A6637131	(not available)
22	%ProgramFiles%\WinRAR\Rar.txt	72,962 bytes	MD5: 0xC899F5D4A8BB692E18E0BD0E5663E398 SHA-1: 0xA675A344C41182613832DEDBE85267A1FFC948DF	(not available)
23	%ProgramFiles%\WinRAR\RarExt.dll	132,608 bytes	MD5: 0xF11FE030158F8EF14A56A3EA9E9BD47D SHA-1: 0x296EDF96A038E476EF8B6151D02CCCEEFE2B04D9	(not available)
24	%ProgramFiles%\WinRAR\RarExt64.dll	62,464 bytes	MD5: 0x0392C4FCE14E23040B5ACE69672A03BD SHA-1: 0x185615223D79B7FBA4A6B206696361D167E8855D	(not available)
25	%ProgramFiles%\WinRAR\RarExtLoader.exe	44,032 bytes	MD5: 0x30108227F4B8533FA3955306747F93F4 SHA-1: 0x2574444FF72481119E65E618D318533A81C523FC	(not available)
26	%ProgramFiles%\WinRAR\RarFiles.lst	1,088 bytes	MD5: 0xAF5604FF198E4B40AF78F9B71B649AF7 SHA-1: 0x6D717D9125FA86240D99767815660122CBE3EEDC	(not available)
27	%ProgramFiles%\WinRAR\ReadMe.txt	1,687 bytes	MD5: 0x383CB29E528FEAEAC24D9CFA539D1A18 SHA-1: 0x95C53F41F06D481F8920A391D7604509E4DCAFC6	(not available)
28	%ProgramFiles%\WinRAR\TechNote.txt	9,232 bytes	MD5: 0xFC44FD46BD957036B8500A528C32E21E SHA-1: 0xE5F1EB91DFA276E4659F93CF4BF0372E81086707	(not available)
29	%ProgramFiles%\WinRAR\Uninstall.exe	100,864 bytes	MD5: 0x3E20C4B85982E3CBD7655659A6800FC7 SHA-1: 0xC47A37416AC19089E8CBFD1B7BFC397D3F51FC51	(not available)
30	%ProgramFiles%\WinRAR\Uninstall.lst	639 bytes	MD5: 0xA85E009B4BB2982912D5E589938F6CD6 SHA-1: 0x51A2A8D9B93C3D29D019C54142A9B427F77494D7	(not available)
31	%ProgramFiles%\WinRAR\UnRAR.exe	204,800 bytes	MD5: 0xB836BA4579DE0FADD1142CC47A3AF756 SHA-1: 0x7ACF566E8637A83139ED2EE29261D993D3DF80E4	(not available)
32	%ProgramFiles%\WinRAR\UnrarSrc.txt	90 bytes	MD5: 0xC16BB921C05AF38382F946386224B1EC SHA-1: 0xE2B525E01A20F007EDFC50935DD1493A9079270A	(not available)
33	%ProgramFiles%\WinRAR\WhatsNew.txt	11,234 bytes	MD5: 0xCBD2B85BA896028512533194C9127E10 SHA-1: 0x4EB4F10E151E4170160F329867F7A2C21E672ED9	(not available)
34	%ProgramFiles%\WinRAR\WinCon.SFX	81,408 bytes	MD5: 0x4C1D7F356B7DAB5B2461AE8CD0B774C6 SHA-1: 0xCA608371054EF9702B547947E37C2D6E39C95632	(not available)
35	%ProgramFiles%\WinRAR\WinRAR.chm	254,538 bytes	MD5: 0xDFBFAE70B02EF5B39AC362E3D184E1A2 SHA-1: 0x1D460EF381239BFD9FBD841C77C7834E08A4716B	(not available)
36	%ProgramFiles%\WinRAR\WinRAR.exe	968,704 bytes	MD5: 0x1191D84C20F70BB4D84AE689E3E57F07 SHA-1: 0x1BA1D6D6A3D66CF9472DF63434EC7CA17AC3D951	(not available)
37	%ProgramFiles%\WinRAR\Zip.SFX	68,096 bytes	MD5: 0xFE352F539E2B5134567ECE8E4F5BFD36 SHA-1: 0x39ABCA4F0E2093156FD1CEF7E2784A180EA7C87F	(not available)
38	[file and pathname of the sample #1]	1,262,592 bytes	MD5: 0xD6016CF5762FC462E7BE93597A1FE3B2 SHA-1: 0x1B8464644ABEF95200A9F03FD1CBEE69A7B50A8E	Backdoor.VB!sd6 [PCTools] Backdoor.Win32.VB.grp [Kaspersky Lab] Backdoor.Win32.VB [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following file was deleted:

%System%\drivers\etc\hosts

The following directories were created:

%Temp%\IXP000.TMP
%ProgramFiles%\WinRAR
%ProgramFiles%\WinRAR\Formats

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,277,952 bytes
Uninstall.exe	%ProgramFiles%\winrar\uninstall.exe	139,264 bytes
explore.exe	%Temp%\ixp000.tmp\explore.exe	65,536 bytes
explore.exe	%System%\explore.exe	65,536 bytes
WRAR38~1.EXE	%Temp%\IXP000.TMP\WRAR38~1.EXE	118,784 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR SFX

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

explore = "%System%\explore.exe"

so that explore.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP000.TMP\""

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%Program Files%WinRAR = "%ProgramFiles%\WinRAR"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page = "http://www.google.com"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Russian Federation

To mark the presence in the system, the following Mutex object was created:

_SHuassist.mtx

The HOSTS file was updated with the following URL-to-IP mappings:

61.157.217.210   www.yahoo.com
61.157.217.210   www.google.com
61.157.217.210   www.google.co.uk
61.157.217.210   www.myspace.com
61.157.217.210   www.youtube.com
61.157.217.210   www.facebook.com
61.157.217.210   www.antispy.com
61.157.217.210   www.yahoo.com
61.157.217.210   www.yahoo.co.uk
61.157.217.210   www.antispyware.com
61.157.217.210   antispyware.com
61.157.217.210   antispy.com
61.157.217.210   www.msn.com
123.251.143.110   www.asdfasdfd.com
123.251.143.110   www.gg.com
123.251.143.110   www.ghfhj.com
123.251.143.110   www.cvnbcvnb.com
123.251.143.110   www.1.com
123.251.143.110   www.3.com
123.251.143.110   www.asdf4asdfd.com
123.251.143.110   www.asdfawsdfd.com
123.251.143.110   www.asdfatsdfd.com
123.251.143.110   www.asdfasdfd.com
123.251.143.110   www.asdfadsdfd.com
123.251.143.110   www.asdfasdfd.com
123.251.143.110   www.asdfafsdfd.com
123.251.143.110   www.asdfasdfd.com
123.251.143.110   www.asdfagsdfd.com
123.251.143.110   www.asdfasgdfd.com
123.251.143.110   www.asdfasdhfd.com
123.251.143.110   www.asdfasdfjd.com
123.251.143.110   www.asdfasdfkd.com
123.251.143.110   www.asdfasdfld.com
123.251.143.110   www.asdfasdf,d.com
123.251.143.110   www.asxdfasdfd.com
123.251.143.110   www.asdzfasdfd.com
123.251.143.110   www.asdcfasdfd.com
123.251.143.110   www.asdfvasdfd.com
123.251.143.110   www.asdfabsdfd.com
123.251.143.110   www.asdfasndfd.com
123.251.143.110   www.asdfasdmfd.com
123.251.143.110   www.asdfasdfd.com
123.251.143.110   www.11asdfasdfd.com
123.251.143.110   www.as222dfasdfd.com
123.251.143.110   www.asdfa33sdfd.com
123.251.143.110   www.asdfasd44fd.com
123.251.143.110   www.asdfasdfd5.com
123.251.143.110   www.as66dfasdfd.com
123.251.143.110   www.asdf77asdfd.com
123.251.143.110   www.asdf8asdfd.com
123.251.143.110   www.asdf9asdfd.com
123.251.143.110   www.asdf0asdfd.com
123.251.143.110   www.asdf-asdfd.com
123.251.143.110   www.aqqsdfasdfd.com
123.251.143.110   www.aswwdfasdfd.com
123.16.197.121   www.asdhhfasdfdyy.com
61.157.217.210   www.live.com
123.251.143.110   www.asdwwwfasdfd.com
123.251.143.110   www.asdfeasdfd.com
123.251.143.110   www.asdfrrasdfd.com
123.251.143.110   www.asdfttasdfd.com
123.251.143.110   www.asdfyyasdfd.com
123.251.143.110   www.asdfuuuasdfd.com
123.251.143.110   www.asdfaiisdfd.com
123.251.143.110   www.asdfaoosdfd.com
123.251.143.110   www.asdfappsdfd.com
123.251.143.110   www.asdfasssdfd.com
123.251.143.110   www.aswwdfasdfd.com
123.251.143.110   www.asdeefasdfd.com
123.251.143.110   www.asdfffasdfd.com
123.251.143.110   www.asdfavvvsdfd.com
123.251.143.110   www.asnnndfasdfd.com
123.251.143.110   www.asdmmmfasdfd.com
123.251.143.110   www.asdfaffsdfd.com
123.251.143.110   www.asdhhfasdfd.com

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.