Submission Summary:

What's been found:
- Sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected whenever they access the share.
- Downloads/requests other files from the Internet.
- Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
- Creates a startup registry entry.
- Installs itself as a default debugger (via the Image File Execution Options registry key) so that it is injected into the execution sequence of a target application. A threat installed as a default debugger runs every time the target application is launched, either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
- Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
- Contains characteristics of an identified security risk.
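The first behaviour above, the autorun.inf drop, works because Explorer reads the [autorun] section of that file and runs whatever the open=, shellexecute= or shell\<verb>\command= entries point at, and malware commonly adds action= and icon= values so the AutoPlay prompt looks like Explorer's own "Open folder to view files" entry. The Python below is an added example, not ThreatExpert's code and not part of the report: it parses an autorun.inf and flags those entries. Both sample files in it are constructed, because the report lists c:\AUTORUN.INF but does not reproduce its contents; the HCZP.PIF target is only borrowed from the file list further down.

```python
"""Parse an autorun.inf and flag the entries that make AutoPlay or a
double-click on the drive launch a program.

Added example, not ThreatExpert's code. The sample text below is
constructed: the report lists c:\\AUTORUN.INF and c:\\HCZP.PIF but does
not reproduce the autorun.inf contents."""

# Keys under [autorun] that launch a program directly.
LAUNCH_KEYS = {"open", "shellexecute"}
# Strings malware uses to make the AutoPlay prompt look like Explorer's own
# "Open folder to view files" entry (shell32.dll,4 is the folder icon).
SPOOF_HINTS = ("open folder", "shell32.dll,4")


def parse_autorun(text):
    """Return the [autorun] section as {key: value} with keys lower-cased.

    A hand-rolled parser is used instead of configparser because real
    autorun.inf files mix case, repeat keys and use backslashes in keys."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_entries(text):
    """Return [(key, target)] for every entry that executes something:
    open=, shellexecute=, shell\\<verb>\\command=, or shell= (which changes
    the default verb so a double-click runs the attacker's command)."""
    found = []
    for key, value in parse_autorun(text).items():
        if not value:
            continue
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
        elif key == "shell":
            found.append((key, "default verb -> shell\\" + value))
    return found


def is_suspicious(text):
    """True if the file launches a program or spoofs the Explorer prompt."""
    entries = parse_autorun(text)
    prompt = (entries.get("action", "") + entries.get("icon", "")).lower()
    spoofed = any(hint in prompt for hint in SPOOF_HINTS)
    return bool(launch_entries(text)) or spoofed


# Constructed sample modelled on the behaviour in the report, not the real file.
SAMPLE_MALICIOUS = """[AutoRun]
open=HCZP.PIF
shell\\open=Open(&O)
shell\\open\\Command=HCZP.PIF
shell\\explore\\Command=HCZP.PIF
shellexecute=HCZP.PIF
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# A driver CD that only sets a label and an icon: nothing to flag.
SAMPLE_BENIGN = """[autorun]
label=Printer Drivers
icon=setup.exe,0
"""

if __name__ == "__main__":
    for key, target in launch_entries(SAMPLE_MALICIOUS):
        print(f"{key} -> {target}")
    print("suspicious:", is_suspicious(SAMPLE_MALICIOUS), is_suspicious(SAMPLE_BENIGN))
```

On a suspect share or removable drive, read the file and pass its text to is_suspicious(). To stop Explorer honouring autorun.inf at all, set the REG_DWORD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun to 0xFF, which disables AutoRun for every drive type.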

 

Technical Details:

 

Possible Security Risk

Threat Category / Description:
- A network-aware worm that attempts to replicate across the existing network(s)
- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment

 

File System Modifications

1. c:\AUTORUN.INF
   File size: 151 bytes
   MD5:   0x9CA0AAB650128D05A2B39A2B53BEA49E
   SHA-1: 0x724D0F2F2435402DCBCC2F2984C460BAF1C247EA
   Aliases: INF.Autorun.Gen [PCTools]; Generic!atr [McAfee]

2. %Profiles%\1010.pif
   %Profiles%\11.pif
   %Profiles%\22.pif
   %Profiles%\3.pif
   %Profiles%\4.pif
   %Profiles%\5.pif
   %Profiles%\66.pif
   %Profiles%\7.pif
   %Profiles%\8.pif
   %Profiles%\99.pif
   %ProgramFiles%\ccd.pif
   File size: 125 bytes
   MD5:   0x7C5F5A68051F6B0C0E9A2AD33C40D415
   SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
   Aliases: (not available)

3. c:\HCZP.PIF
   File size: 13,824 bytes
   MD5:   0x4ACA406F6BD699A7ED40CDD388E69831
   SHA-1: 0x86EF0A9BAA57E0F0EA829235D86EBA29835FD6BB
   Aliases: (not available)

4. c:\ttmm.tep
   File size: 57,856 bytes
   MD5:   0x7435B108B935E42EA92CA94F59C8E717
   SHA-1: 0xC0C79C39A7F4D4E491BFF70810439C1AAE3E5006
   Aliases: (not available)

5. %System%\aktwkss.dll
   File size: 612,352 bytes
   MD5:   0x3F795D6FB4050C93CBBD0FF699A2635A
   SHA-1: 0xD6F6FF1E3809C980CA78710E842AC3F1C1697E92
   Aliases: (not available)

6. %System%\dllcache\spoolsv.exe
   [file and pathname of the sample #1]
   File size: 13,824 bytes
   MD5:   0xD849C641C10AEBC3DD498B33D7E6B375
   SHA-1: 0x5E9F286014763EAC7985B3E2C615F27D8B78E75C
   Aliases: Trojan Horse [Symantec]; Worm.Win32.AutoRun.sla [Kaspersky Lab]; WORM_AUTORUN.BMY [Trend Micro]; Mal/Emogen-E, Mal/Basine-C [Sophos]; Worm:Win32/Autorun.gen!DI [Microsoft]; Win32.SuspectCrc [Ikarus]

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 65,536 bytes

Service Name | Display Name | New Status | Service Filename
ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs

 

Registry Modifications

 

Other details

China

Server Name | Server Port | Connect as User | Connection Password
w.cdd6.com | 80 | (null) | (null)

 

 

Downloaded File Summary:

What's been found:
- Downloads/requests other files from the Internet.
- Registers a 32-bit in-process server DLL.
- Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
- Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
- Contains characteristics of an identified security risk.
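The registry-resident behaviours listed in the two summaries (the Image File Execution Options "default debugger", SafeBoot key removal, the startup Run entry, and the in-process server DLL registered as a Browser Helper Object) are all visible in a plain registry export, which is the usual artefact handed to an incident responder. The Python below is an added example, not code from ThreatExpert or from the report, that scans a .reg export for them. Because the report's Registry Modifications sections are empty in this copy, the export it processes is constructed: the IFEO target 360safe.exe and the BHO CLSID are assumptions chosen to illustrate the technique, and the DLL path reuses the PushWare cpush.dll entry from the file list further down.

```python
"""Scan a Windows .reg export for an Image File Execution Options
"Debugger" value, deleted SafeBoot keys, Run-key startup entries and
Browser Helper Object registrations resolved to their DLL.

Added example, not ThreatExpert's code. SAMPLE_REG is a constructed
export: the IFEO target 360safe.exe and the BHO CLSID are assumptions."""
import re

IFEO = "\\image file execution options\\"
SAFEBOOT_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot"
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
BHO = "\\explorer\\browser helper objects\\"
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}")


def parse_reg(text):
    """Return (keys, deleted): keys maps a lower-cased key path to
    {value name: data}; deleted holds the paths the export removes
    ([-HKEY_...]). Only REG_SZ data is unescaped, which is all we need."""
    keys, deleted, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                deleted.add(path[1:].lower())
                current = None
            else:
                current = path.lower()
                keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name.strip() == "@" else name.strip().strip('"').lower()
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys, deleted


def scan_reg(text):
    """Return findings per technique, as lists of tuples."""
    keys, deleted = parse_reg(text)
    found = {"ifeo_debugger": [], "safeboot_deleted": [], "run_entries": [], "bho": []}
    for path, values in keys.items():
        if IFEO in path and "debugger" in values:
            # Last path component is the hijacked image, e.g. 360safe.exe.
            found["ifeo_debugger"].append((path.rsplit("\\", 1)[-1], values["debugger"]))
        if path.endswith(RUN_SUFFIXES):
            found["run_entries"].extend((n, d) for n, d in values.items() if n != "(default)")
        if BHO in path:
            match = CLSID_RE.search(path)
            if match:
                clsid = match.group(0)
                # Resolve the CLSID to the DLL IE will load (HKLM\SOFTWARE\Classes only;
                # a real scan would also check HKCR and Wow6432Node).
                inproc = keys.get(f"hkey_local_machine\\software\\classes\\clsid\\{clsid}\\inprocserver32", {})
                found["bho"].append((clsid, inproc.get("(default)", "<InprocServer32 not in export>")))
    for path in deleted:
        if path.startswith(SAFEBOOT_PREFIX):
            found["safeboot_deleted"].append(path)
    return found


# Constructed export; the IFEO target and the CLSID are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
"Debugger"="C:\\WINDOWS\\system32\\350safe.exe"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wacstdlt"="C:\\WINDOWS\\system32\\wacstdlt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01234567-89ab-cdef-0123-456789abcdef}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01234567-89ab-cdef-0123-456789abcdef}\InprocServer32]
@="C:\\Program Files\\Common Files\\PushWare\\cpush.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for technique, items in scan_reg(SAMPLE_REG).items():
        print(technique, items)
```

A Debugger value under Image File Execution Options is legitimate only when it points at a real debugger an administrator installed; anything under %System% with a look-alike name (350safe.exe beside the genuine 360safe.exe) is the hijack the summary describes. Deleted SafeBoot\Minimal and SafeBoot\Network keys are what "disable Safe Mode" looks like on disk: without them Windows cannot build the Safe Mode driver and service list.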

 

Technical Details:

 

Possible Security Risk

Security Risk | Description
Adware.Sogou | Adware.Sogou comes bundled with various trojans and is secretly installed onto the unsuspecting user's computer. It produces pop-up and pop-under advertisements.
Exploit.IMG-WMF!sd6 | Exploit.IMG-WMF!sd6 is a detection for code that takes advantage of an existing software vulnerability.
Trojan.Popuper | Trojan.Popuper hijacks the default Internet Explorer settings and changes your Internet Explorer homepage. It also poses as a security alert notifying users that their PC has been compromised, and then downloads rogue antispyware products onto their PC.
Trojan-Downloader.Small!sd6 | Trojan-Downloader.Small!sd6 attempts to download malicious files to the local computer and execute them.
Adware.AdMedia!sd6 | Adware.AdMedia!sd6 is a potentially unwanted adware program that could be used to display various pop-up advertisements.
Trojan-Downloader.Agent.AEN | Trojan-Downloader.Agent.AEN is a trojan with rootkit capabilities which is able to hide malware on infected machines. It contacts a remote server to get a list of files to download and installs other malware on the affected machine. It also attempts to disable security-related applications based on their filenames.

Threat Category / Description:
- A potentially unwanted adware program designed to deliver various advertisements to the users' systems
- Exploit code that takes advantage of an existing software vulnerability
- A program that downloads files to the local computer that may represent a security risk
- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
- A hacktool that could be used by attackers to break into a system

 

File System Modifications

1. c:\DEL.bat
   File size: 106 bytes
   MD5:   0xBFCAB4F7BFD63B25FE539FCD82EC5D83
   SHA-1: 0x5B88C70C593606A6C9E110518C9D58854F16B50F
   Aliases: (not available)

2. %ProgramFiles%\Common Files\PushWare\cpush.dll
   File size: 196,608 bytes
   MD5:   0x4210DB586A0D4AD0D943E7F0F5EE9842
   SHA-1: 0xB30495A7264FEBDE5B94DD53275C5FE6D67E3B66
   Aliases: Adware.CPush [Symantec]; not-a-virus:AdWare.Win32.BHO.dzf [Kaspersky Lab]; AdClicker-BJ [McAfee]; Troj/AdClick-ER [Sophos]; Program:Win32/Sogou [Microsoft]; Virus.Win32.BHO.GG [Ikarus]

3. %ProgramFiles%\Common Files\PushWare\Uninst.exe
   File size: 33,058 bytes
   MD5:   0xD10F0D03BD7E1C981874FE932E23E55B
   SHA-1: 0x9B08F8A87ED06F1749BF8C343DEC8EC0389DFC4C
   Aliases: Generic PUP.x [McAfee]; Troj/FakeAV-CL [Sophos]; Win32.SuspectCrc [Ikarus]

4. %DownloadedProgramFiles%\svchost.exe
   File size: 3,740 bytes
   MD5:   0xD2C3349A566A814A3D793F82AD7D8A65
   SHA-1: 0x66F23C6633B21702B3EA3A936358907CA35A593E
   Aliases: Exploit.IMG-WMF!sd6 [PCTools]; Packed.Generic.181 [Symantec]; Exploit.Win32.IMG-WMF.fk [Kaspersky Lab]; Generic.dx [McAfee]; Trojan.Zlob [Ikarus]; packed with PE_Patch [Kaspersky Lab]

5. %FontsDir%\svchost.exe
   File size: 13,744 bytes
   MD5:   0x3AD8A2755C0C9B6CA3BE26FE1F4DD473
   SHA-1: 0x61D342C456861FF6F15A217D7E133B55DE2C2B98
   Aliases: Trojan.Popuper [PCTools]; Downloader [Symantec]; Trojan-GameThief.Win32.OnLineGames.trxn [Kaspersky Lab]; New Malware.aj [McAfee]; Mal/Generic-A [Sophos]; Trojan.Zlob [Ikarus]

6. %System%\350safe.exe
   File size: 15,384 bytes
   MD5:   0x526C2F533CE9302C02325EF21BEDB81C
   SHA-1: 0x39AC762DDBC19247A266EBCB217A51CCC4249518
   Aliases: Packed.Generic.181 [Symantec]; Trojan-GameThief.Win32.OnLineGames.ttgp [Kaspersky Lab]; Generic.dx [McAfee]; Trojan-PWS.Win32.Agent.hf [Ikarus]; packed with PE_Patch [Kaspersky Lab]

7. %System%\drivers\Atieccx.sys
   File size: 13,696 bytes
   MD5:   0xC4B355714322B38A74491AA58FD3F943
   SHA-1: 0xF698CB5054893DC8B35CDDC48F1DB510E13DFB69
   Aliases: Trojan-Downloader.Small!sd6 [PCTools]; Trojan.Drondog [Symantec]; Trojan-Downloader.Win32.Small.xxh [Kaspersky Lab]; Downloader-BJN.sys [McAfee]; Mal/Generic-A [Sophos]; Trojan:Win32/Abndog.A [Microsoft]; Trojan-Downloader.Win32.Small [Ikarus]

8. %System%\mshuahuaua.dll
   File size: 18,432 bytes
   MD5:   0x313B44482474F88FE6827D3C363ACFCC
   SHA-1: 0xE3A226D1E92BAD3A458D430BFF39E26E6F64EF67
   Aliases: Trojan-Dropper.SFU [Ikarus]

9. [file and pathname of the sample #1]
   File size: 13,119 bytes
   MD5:   0x6DB408FEB7DD40C8D642A3A52CEA52F6
   SHA-1: 0xD86A1D7600FE888F781F9799A81D2DE60C5D874A
   Aliases: Trojan-Downloader.Win32.Banload [Ikarus]

10. [file and pathname of the sample #2]
    File size: 45,224 bytes
    MD5:   0xBEAFE9738265395B738159B0C02DB43A
    SHA-1: 0xD8AFFE3D392A2F5BDFDAE39BC44F4F1200A544F1
    Aliases: Packed.Generic.181 [Symantec]; New Malware.aj [McAfee]; Trojan-PWS.Win32.OnLineGames [Ikarus]; packed with PE_Patch [Kaspersky Lab]

11. [file and pathname of the sample #3]
    File size: 151,184 bytes
    MD5:   0x340D385B85BD438082E03C79DC01D4B3
    SHA-1: 0xEF833633637FA2CE96A95E8C6955F1AE2D8C05C7
    Aliases: Adware.AdMedia!sd6 [PCTools]; Trojan.Cinmeng [Symantec]; not-a-virus:AdWare.Win32.AdMedia.ed [Kaspersky Lab]; Adware-Cinmus [McAfee]; Generic.Adw.Cinmus.2 [Ikarus]

12. [file and pathname of the sample #4]
    File size: 139,092 bytes
    MD5:   0x4BEAC39548721A8D6DEFC0440B441A0D
    SHA-1: 0x56991DD5EFDC2A37C55DA9489C53E390D3A84FA8
    Aliases: not-a-virus:AdWare.Win32.BHO.dzf [Kaspersky Lab]

13. [file and pathname of the sample #5]
    File size: 184,832 bytes
    MD5:   0xE28C84D43BA8C9AEF02D48BE18C13816
    SHA-1: 0xA7BA98F8590688C0C956026388F3B62963492C49
    Aliases: Packed.Generic.181 [Symantec]; New Malware.u [McAfee]; Mal/Packer [Sophos]; MalwareScope.Worm.Viking.4 [Ikarus]; packed with NSPack [Kaspersky Lab]

14. %System%\wacstdlt.exe
    File size: 13,531 bytes
    MD5:   0xCA42539E85A7F9BB372DA8124F7A3254
    SHA-1: 0x94ADA2EAF210D3669B9D6873A5463EDA6207A12A
    Aliases: Trojan-Downloader.Agent.AEN [PCTools]; Hacktool [Symantec]; not-a-virus:NetTool.Win32.Agent.b [Kaspersky Lab]; BackDoor-AWQ [McAfee]; Mal/EncPk-AI [Sophos]; Trojan:Win32/Pepatch.E [Microsoft]; Backdoor.Win32.Popwin [Ikarus]
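Both File System Modifications tables give MD5 and SHA-1 digests in ThreatExpert's 0x-prefixed notation, which hash lists and scanners generally do not accept as-is. The Python below is an added example, not the report's code: it extracts the digests from report text, normalises them, and sweeps a directory tree for files whose hashes match. demo() builds a temporary directory of constructed files so it runs offline; the DEL.bat content it writes is invented and is not the real file from the table.

```python
"""Sweep a directory tree for files whose MD5 or SHA-1 matches the hashes
in a ThreatExpert report.

Added example, not ThreatExpert's code. REPORT_EXCERPT is copied from
entry 1 of the second file table; the files demo() writes are constructed."""
import hashlib
import os
import re
import tempfile

# "MD5: 0x..." / "SHA-1: 0x..." as printed in the report; the 0x is optional.
HASH_RE = re.compile(r"\b(MD5|SHA-1):\s*(?:0x)?([0-9A-Fa-f]{32,40})\b")

REPORT_EXCERPT = """1 c:\\DEL.bat 106 bytes MD5: 0xBFCAB4F7BFD63B25FE539FCD82EC5D83
SHA-1: 0x5B88C70C593606A6C9E110518C9D58854F16B50F
"""


def parse_report_hashes(text):
    """Return {"md5": set, "sha1": set} of lower-cased hex digests with the
    0x prefix stripped; digests of the wrong length are ignored."""
    out = {"md5": set(), "sha1": set()}
    for algo, digest in HASH_RE.findall(text):
        digest = digest.lower()
        if algo == "MD5" and len(digest) == 32:
            out["md5"].add(digest)
        elif algo == "SHA-1" and len(digest) == 40:
            out["sha1"].add(digest)
    return out


def digest_file(path):
    """Compute MD5 and SHA-1 in one chunked pass so large files are not
    read into memory twice."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, iocs):
    """Walk root and return [(path, algo, digest)] for every match.
    Unreadable files (locked, permission denied) are skipped, not fatal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = digest_file(path)
            except OSError:
                continue
            if md5 in iocs["md5"]:
                hits.append((path, "md5", md5))
            if sha1 in iocs["sha1"]:
                hits.append((path, "sha1", sha1))
    return hits


def demo():
    """Constructed scenario: two harmless files; the MD5 of one of them is
    added to the IOC set as if the report had listed it, so exactly one
    hit is expected."""
    iocs = parse_report_hashes(REPORT_EXCERPT)
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    planted = os.path.join(root, "DEL.bat")
    with open(planted, "wb") as fh:
        fh.write(b"@echo off\r\ndel /f /q %0\r\n")      # constructed, not the real DEL.bat
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign file\n")
    iocs["md5"].add(digest_file(planted)[0])
    return sweep(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Hashes of packed or patched samples (several entries above are tagged PE_Patch or NSPack) change with every rebuild, so a clean sweep is not evidence of a clean host. Pair the hash sweep with the path indicators from the tables (%FontsDir%\svchost.exe, %DownloadedProgramFiles%\svchost.exe, %System%\350safe.exe, %System%\drivers\Atieccx.sys), which a repacked copy usually keeps.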

 

Memory Modifications

Process Name | Process Filename | Main Module Size
svchost.exe | %FontsDir%\svchost.exe | 102,400 bytes
cmdd | %FontsDir%\cmdd | 118,784 bytes
[filename of the sample #4] | [file and pathname of the sample #4] | 3,854,336 bytes
[filename of the sample #5] | [file and pathname of the sample #5] | 749,568 bytes
wacstdlt.exe | %System%\wacstdlt.exe | 61,440 bytes
[filename of the sample #2] | [file and pathname of the sample #2] | 204,800 bytes
[filename of the sample #3] | [file and pathname of the sample #3] | 626,688 bytes
svchost.exe | %DownloadedProgramFiles%\svchost.exe | 57,344 bytes

Driver Name | Driver Filename
MyDog | %System%\Drivers\Atieccx.sys

 

Registry Modifications

 

Other details

China

Remote Host | Port Number
push.cpushpop.com | 1138

Server Name | Server Port | Connect as User | Connection Password
liaobamm.com | 80 | (null) | (null)
127.0.0.138 | 80 | 127.0.0.138 | 127.0.0.138
127.0.0.136 | 80 | 127.0.0.136 | 127.0.0.136

127.0.0.136 and 127.0.0.138 are loopback addresses, so the last two entries describe connections that never left the analysis host; they are not usable as network indicators.
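The usable network indicators from both reports are w.cdd6.com:80, liaobamm.com:80 and push.cpushpop.com:1138. The Python below is an added example, not ThreatExpert's code, that matches proxy log lines against them: it drops the loopback entries automatically, matches subdomains of an indicator, and still reports a hit when the port differs, since C2 ports change between samples. The log format and the log lines are constructed for illustration.

```python
"""Match proxy/DNS log lines against the network indicators in a
ThreatExpert report, discarding loopback and private "servers".

Added example, not ThreatExpert's code. The log format and SAMPLE_LOG
are constructed."""
import ipaddress

# (host, port) exactly as the two Other details sections list them.
REPORT_INDICATORS = [
    ("w.cdd6.com", 80), ("liaobamm.com", 80), ("push.cpushpop.com", 1138),
    ("127.0.0.138", 80), ("127.0.0.136", 80),
]


def load_indicators(entries):
    """Return (usable, skipped). Loopback, private and link-local
    addresses are sandbox artefacts, not C2 hosts, so they are skipped
    rather than generating noise on every internal connection."""
    usable, skipped = {}, []
    for host, port in entries:
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_loopback or ip.is_private or ip.is_link_local:
                skipped.append((host, port))
                continue
        except ValueError:
            pass                      # a hostname, not an IP literal
        usable.setdefault(host, set()).add(port)
    return usable, skipped


def host_matches(host, indicators):
    """Return the matching indicator for an exact host or a subdomain of
    it (a.w.cdd6.com hits w.cdd6.com; notliaobamm.com does not hit
    liaobamm.com because the dot boundary is required)."""
    host = host.lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines, indicators):
    """lines: 'timestamp client dst_host dst_port method path' (constructed
    format). Returns [(timestamp, client, ioc, port, port_expected)]."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            port = int(parts[3])
        except ValueError:
            continue
        ioc = host_matches(parts[2], indicators)
        if ioc:
            hits.append((parts[0], parts[1], ioc, port, port in indicators[ioc]))
    return hits


# Constructed proxy log lines, not taken from the report.
SAMPLE_LOG = [
    "2014-03-01T08:00:01Z 10.0.0.12 www.example.com 80 GET /",
    "2014-03-01T08:00:05Z 10.0.0.12 w.cdd6.com 80 GET /update.txt",
    "2014-03-01T08:00:09Z 10.0.0.31 push.cpushpop.com 1138 CONNECT -",
    "2014-03-01T08:00:11Z 10.0.0.31 cdn.liaobamm.com 8080 GET /a.gif",
    "2014-03-01T08:00:12Z 10.0.0.31 notliaobamm.com 80 GET /",
]

if __name__ == "__main__":
    usable, skipped = load_indicators(REPORT_INDICATORS)
    print("skipped loopback indicators:", skipped)
    for hit in scan_log(SAMPLE_LOG, usable):
        print(hit)
```

The port_expected flag separates a hit that matches the report exactly from one that only matches the domain; both deserve a look, because the cpush.dll component above is a BHO and fetches its content over whatever port the operator currently uses.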

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.


Copyright © 2014 ThreatExpert. All rights reserved.