ThreatExpert Report: Trojan Horse, Generic.dx, Win-Trojan/Agent.206804

Submission Summary:

Submission details:

Submission received: 30 September 2012, 06:09:46
Processing time: 10 min 12 sec
Submitted sample:

File MD5: 0xD68DA518B3F4B88FA92A80D36CD6788F
File SHA-1: 0x1B20A22025D831C747CFBA4562E135D6F5ABD395
Filesize: 1,348,157 bytes

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Toolbar Uninstaller\Toolbar Uninstaller Help.lnk	740 bytes	MD5: 0xC8F1D1F12DCA57301058B66EABF236BF SHA-1: 0x169982AF43EA31CB9DC250F82881100B8E796404	(not available)
2	%CommonPrograms%\Toolbar Uninstaller\Toolbar Uninstaller on the Web.url	56 bytes	MD5: 0x3B7DD00E9936D8A9B73125FDE624AC1C SHA-1: 0xB42F2958AC348A6282CE68700DEAB53841FDD65D	(not available)
3	%CommonPrograms%\Toolbar Uninstaller\Toolbar Uninstaller.lnk	740 bytes	MD5: 0xBC0A2BA7902D63805B551DA55BAD2F28 SHA-1: 0x5E7CAE0FFCB21B26DDECBFC93505EF491642DBF2	(not available)
4	%CommonPrograms%\Toolbar Uninstaller\Uninstall Toolbar Uninstaller.lnk	771 bytes	MD5: 0x3C58827D913B7E3A9B1E0CBADD7C6958 SHA-1: 0x5209BE98A8141BFC0AF092B2BC4DB7E66F7CD427	(not available)
5	%ProgramFiles%\Toolbar Uninstaller\detection.dtz	7,346 bytes	MD5: 0xC142E1A57E6315FD14E8AFBA016CC27C SHA-1: 0x5688FC08FDC00E2C5B95B8DA106A1C0989D38FD3	(not available)
6	%ProgramFiles%\Toolbar Uninstaller\dutch.lng	9,158 bytes	MD5: 0x855E32FB331C480D96539706199BD258 SHA-1: 0x4729CD68E1A640353A43E896CFDEA415291E87EA	(not available)
7	%ProgramFiles%\Toolbar Uninstaller\helper.exe	205,144 bytes	MD5: 0x2D04978C2C7D2003B92C416AFD40E2DC SHA-1: 0xA41B79922338FD1D78E7AA30B8926A14B4678AB3	Trojan Horse [Symantec] Generic.dx [McAfee] Win-Trojan/Agent.206804 [AhnLab]
8	%ProgramFiles%\Toolbar Uninstaller\logfile.txt	165 bytes	MD5: 0x7B2CB3EC7131E445A753DF5FFB1ABF00 SHA-1: 0xBD7E22F2F42BF4A96A8CA59C7D4F212C3B337111	(not available)
9	%ProgramFiles%\Toolbar Uninstaller\settings.ini	161 bytes	MD5: 0x2ADFD09C25A7720F4B9F73FC8D47F054 SHA-1: 0xCCA510EECD98F6E88EE3486D73134189E59EC847	(not available)
10	%ProgramFiles%\Toolbar Uninstaller\TbU.chm	287,480 bytes	MD5: 0xA25C71243CB9D50CA9CDB3BE2A2B856C SHA-1: 0xE47E6D13B02A1036F294AAE90DEC6E47F15BE9B6	(not available)
11	%ProgramFiles%\Toolbar Uninstaller\tbu.exe	580,096 bytes	MD5: 0xBDCBEB5B44498398B88484A8C203711A SHA-1: 0xC604CD294B66C7B42D648AC6F14C390AD3F38D2F	packed with UPX [Kaspersky Lab]
12	%ProgramFiles%\Toolbar Uninstaller\unins000.dat	2,810 bytes	MD5: 0x2F0249A31DF80D2096269663656E8747 SHA-1: 0xFA83EB3B2D6FE50555AB09B4C40FBD70123A9E8A	(not available)
13	%ProgramFiles%\Toolbar Uninstaller\unins000.exe	697,690 bytes	MD5: 0x9AD866AE470F96C604ED2CCB38C4BC95 SHA-1: 0xDAD5B829C6282081434BE1CB1BA8C2142A79AA43	(not available)
14	[file and pathname of the sample #1]	1,348,157 bytes	MD5: 0xD68DA518B3F4B88FA92A80D36CD6788F SHA-1: 0x1B20A22025D831C747CFBA4562E135D6F5ABD395	(not available)

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\Toolbar Uninstaller
%ProgramFiles%\Toolbar Uninstaller
%ProgramFiles%\Toolbar Uninstaller\updates

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
tbu.exe	%ProgramFiles%\toolbar uninstaller\tbu.exe	1,622,016 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
[filename of the sample #1 without extension].tmp	%Temp%\is-RVGHN.tmp\[filename of the sample #1 without extension].tmp	749,568 bytes
helper.exe	%ProgramFiles%\toolbar uninstaller\helper.exe	475,136 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Uninstaller_is1

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Uninstaller_is1]

Inno Setup: Setup Version = "5.2.4-dev"
Inno Setup: App Path = "%ProgramFiles%\Toolbar Uninstaller"
InstallLocation = "%ProgramFiles%\Toolbar Uninstaller\"
Inno Setup: Icon Group = "Toolbar Uninstaller"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = ""
Inno Setup: Deselected Tasks = "desktopicon,quicklaunchicon"
DisplayName = "Toolbar Uninstaller 1.0.0.1"
UninstallString = ""%ProgramFiles%\Toolbar Uninstaller\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Toolbar Uninstaller\unins000.exe" /SILENT"
Publisher = "Decomputeur.nl"
URLInfoAbout = "http://toolbar.decomputeur.nl/"
HelpLink = "http://toolbar.decomputeur.nl/"
URLUpdateInfo = "http://toolbar.decomputeur.nl/"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120930"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Germany
	Netherlands

To mark the presence in the system, the following Mutex object was created:

Toolbar_Uninstaller

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.