| Visit ThreatExpert web site | | | Close Report |
[Symantec] [Kaspersky Lab] [Trend Micro], Mal/Basine-C [Sophos] [Microsoft] [Ikarus]| What's been found | Severity Level |
| Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share. |  |
| Downloads/requests other files from Internet. |  |
| Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode. |  |
| Creates a startup registry entry. |  |
| Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible. | |
| Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection). | |
| Contains characteristics of an identified security risk. |  |
 | Possible Security Risk |
| Threat Category | Description |
 |
A network-aware worm that attempts to replicate across the existing network(s) |
 |
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment |
 | File System Modifications |
| # | Filename(s) | File Size | File Hash | Alias |
| 1 | c:\AUTORUN.INF | 151 bytes | MD5: 0x9CA0AAB650128D05A2B39A2B53BEA49E SHA-1: 0x724D0F2F2435402DCBCC2F2984C460BAF1C247EA |
INF.Autorun.Gen [PCTools] Generic!atr [McAfee] |
| 2 |
%Profiles%\1010.pif
%Profiles%\11.pif %Profiles%\22.pif %Profiles%\3.pif %Profiles%\4.pif %Profiles%\5.pif %Profiles%\66.pif %Profiles%\7.pif %Profiles%\8.pif %Profiles%\99.pif %ProgramFiles%\ccd.pif |
125 bytes | MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41 |
(not available) |
| 3 | c:\HCZP.PIF | 13,824 bytes | MD5: 0x4ACA406F6BD699A7ED40CDD388E69831 SHA-1: 0x86EF0A9BAA57E0F0EA829235D86EBA29835FD6BB |
(not available) |
| 4 | c:\ttmm.tep | 57,856 bytes | MD5: 0x7435B108B935E42EA92CA94F59C8E717 SHA-1: 0xC0C79C39A7F4D4E491BFF70810439C1AAE3E5006 |
(not available) |
| 5 |
%System%\aktwkss.dll
|
612,352 bytes | MD5: 0x3F795D6FB4050C93CBBD0FF699A2635A SHA-1: 0xD6F6FF1E3809C980CA78710E842AC3F1C1697E92 |
(not available) |
| 6 |
%System%\dllcache\spoolsv.exe
[file and pathname of the sample #1] |
13,824 bytes | MD5: 0xD849C641C10AEBC3DD498B33D7E6B375 SHA-1: 0x5E9F286014763EAC7985B3E2C615F27D8B78E75C |
Trojan Horse [Symantec] Worm.Win32.AutoRun.sla [Kaspersky Lab]WORM_AUTORUN.BMY [Trend Micro]Mal/Emogen-E , Mal/Basine-C [Sophos]Worm:Win32/Autorun.gen!DI [Microsoft]Win32.SuspectCrc [Ikarus] |
 | Memory Modifications |
| Process Name | Process Filename | Main Module Size |
| [filename of the sample #1] | [file and pathname of the sample #1] | 65,536 bytes |
| Service Name | Display Name | New Status | Service Filename |
| ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe |
| SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs |
 | Registry Modifications |
 | Other details |
 |
China |
| Server Name | Server Port | Connect as User | Connection Password |
| w.cdd6.com | 80 | (null) | (null) |
[Ikarus] [Symantec] [McAfee] [Ikarus] [PCTools] [Symantec] [Kaspersky Lab] [McAfee] [Ikarus] [Kaspersky Lab] [Symantec] [McAfee] [Sophos] [Ikarus]| What's been found | Severity Level |
| Downloads/requests other files from Internet. | |
| Registers a 32-bit in-process server DLL. | |
| Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module). | |
| Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection). | |
| Contains characteristics of an identified security risk. | |
| Possible Security Risk |
| Security Risk | Description |
| Adware.Sogou |
Adware.Sogou comes bundled with various trojans and is secretly installed onto the unsuspecting users computer. It produces pop-up and pop-under advertisements. |
| Exploit.IMG-WMF!sd6 |
Exploit.IMG-WMF!sd6 is a detection of the code that takes advantage of an existing software vulnerability. |
| Trojan.Popuper |
Trojan.Popuper hijacks the default Internet Explorer settings and changes your Internet Explorer homepage. It also appears as a security alert notifying users that their PC has been compromised and then downloads rogue antispyware products onto their PC. |
| Trojan-Downloader.Small!sd6 |
Trojan-Downloader.Small!sd6 attempts to download malicious files to the local computer and execute them. |
| Adware.AdMedia!sd6 |
Adware.AdMedia!sd6 is a potentially unwanted adware program that could be used to display various pop-up advertisements. |
| Trojan-Downloader.Agent.AEN |
Trojan-Downloader.Agent.AEN is a trojan with rootkit capabilities which is able to hide malware on infected machines. It contacts a remote server to get a list of files to download and install other malware on the affected machine. It also attempts to disable security-related applications based on their filenames. |
| Threat Category | Description |
 |
A potentially unwanted adware program designed to deliver various advertisements to the users' systems |
 |
An exploit code that takes advantage of an existing software vulnerability |
 |
A program that downloads files to the local computer that may represent security risk |
|
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment |
 |
A hacktool that could be used by attackers to break into a system |
| File System Modifications |
| # | Filename(s) | File Size | File Hash | Alias |
| 1 | c:\DEL.bat | 106 bytes | MD5: 0xBFCAB4F7BFD63B25FE539FCD82EC5D83 SHA-1: 0x5B88C70C593606A6C9E110518C9D58854F16B50F |
(not available) |
| 2 |
%ProgramFiles%\Common Files\PushWare\cpush.dll
|
196,608 bytes | MD5: 0x4210DB586A0D4AD0D943E7F0F5EE9842 SHA-1: 0xB30495A7264FEBDE5B94DD53275C5FE6D67E3B66 |
Adware.CPush [Symantec] not-a-virus:AdWare.Win32.BHO.dzf [Kaspersky Lab]AdClicker-BJ [McAfee]Troj/AdClick-ER [Sophos]Program:Win32/Sogou [Microsoft]Virus.Win32.BHO.GG [Ikarus] |
| 3 |
%ProgramFiles%\Common Files\PushWare\Uninst.exe
|
33,058 bytes | MD5: 0xD10F0D03BD7E1C981874FE932E23E55B SHA-1: 0x9B08F8A87ED06F1749BF8C343DEC8EC0389DFC4C |
Generic PUP.x [McAfee] Troj/FakeAV-CL [Sophos]Win32.SuspectCrc [Ikarus] |
| 4 |
%DownloadedProgramFiles%\svchost.exe
|
3,740 bytes | MD5: 0xD2C3349A566A814A3D793F82AD7D8A65 SHA-1: 0x66F23C6633B21702B3EA3A936358907CA35A593E |
Exploit.IMG-WMF!sd6 [PCTools] Packed.Generic.181 [Symantec]Exploit.Win32.IMG-WMF.fk [Kaspersky Lab]Generic.dx [McAfee]Trojan.Zlob [Ikarus]packed with PE_Patch [Kaspersky Lab] |
| 5 |
%FontsDir%\svchost.exe
|
13,744 bytes | MD5: 0x3AD8A2755C0C9B6CA3BE26FE1F4DD473 SHA-1: 0x61D342C456861FF6F15A217D7E133B55DE2C2B98 |
Trojan.Popuper [PCTools] Downloader [Symantec]Trojan-GameThief.Win32.OnLineGames.trxn [Kaspersky Lab]New Malware.aj [McAfee]Mal/Generic-A [Sophos]Trojan.Zlob [Ikarus] |
| 6 |
%System%\350safe.exe
|
15,384 bytes | MD5: 0x526C2F533CE9302C02325EF21BEDB81C SHA-1: 0x39AC762DDBC19247A266EBCB217A51CCC4249518 |
Packed.Generic.181 [Symantec] Trojan-GameThief.Win32.OnLineGames.ttgp [Kaspersky Lab]Generic.dx [McAfee]Trojan-PWS.Win32.Agent.hf [Ikarus]packed with PE_Patch [Kaspersky Lab] |
| 7 |
%System%\drivers\Atieccx.sys
|
13,696 bytes | MD5: 0xC4B355714322B38A74491AA58FD3F943 SHA-1: 0xF698CB5054893DC8B35CDDC48F1DB510E13DFB69 |
Trojan-Downloader.Small!sd6 [PCTools] Trojan.Drondog [Symantec]Trojan-Downloader.Win32.Small.xxh [Kaspersky Lab]Downloader-BJN.sys [McAfee]Mal/Generic-A [Sophos]Trojan:Win32/Abndog.A [Microsoft]Trojan-Downloader.Win32.Small [Ikarus] |
| 8 |
%System%\mshuahuaua.dll
|
18,432 bytes | MD5: 0x313B44482474F88FE6827D3C363ACFCC SHA-1: 0xE3A226D1E92BAD3A458D430BFF39E26E6F64EF67 |
Trojan-Dropper.SFU [Ikarus] |
| 9 | [file and pathname of the sample #1] | 13,119 bytes | MD5: 0x6DB408FEB7DD40C8D642A3A52CEA52F6 SHA-1: 0xD86A1D7600FE888F781F9799A81D2DE60C5D874A |
Trojan-Downloader.Win32.Banload [Ikarus] |
| 10 | [file and pathname of the sample #2] | 45,224 bytes | MD5: 0xBEAFE9738265395B738159B0C02DB43A SHA-1: 0xD8AFFE3D392A2F5BDFDAE39BC44F4F1200A544F1 |
Packed.Generic.181 [Symantec] New Malware.aj [McAfee]Trojan-PWS.Win32.OnLineGames [Ikarus]packed with PE_Patch [Kaspersky Lab] |
| 11 | [file and pathname of the sample #3] | 151,184 bytes | MD5: 0x340D385B85BD438082E03C79DC01D4B3 SHA-1: 0xEF833633637FA2CE96A95E8C6955F1AE2D8C05C7 |
Adware.AdMedia!sd6 [PCTools] Trojan.Cinmeng [Symantec]not-a-virus:AdWare.Win32.AdMedia.ed [Kaspersky Lab]Adware-Cinmus [McAfee]Generic.Adw.Cinmus.2 [Ikarus] |
| 12 | [file and pathname of the sample #4] | 139,092 bytes | MD5: 0x4BEAC39548721A8D6DEFC0440B441A0D SHA-1: 0x56991DD5EFDC2A37C55DA9489C53E390D3A84FA8 |
not-a-virus:AdWare.Win32.BHO.dzf [Kaspersky Lab] |
| 13 | [file and pathname of the sample #5] | 184,832 bytes | MD5: 0xE28C84D43BA8C9AEF02D48BE18C13816 SHA-1: 0xA7BA98F8590688C0C956026388F3B62963492C49 |
Packed.Generic.181 [Symantec] New Malware.u [McAfee]Mal/Packer [Sophos]MalwareScope.Worm.Viking.4 [Ikarus]packed with NSPack [Kaspersky Lab] |
| 14 |
%System%\wacstdlt.exe
|
13,531 bytes | MD5: 0xCA42539E85A7F9BB372DA8124F7A3254 SHA-1: 0x94ADA2EAF210D3669B9D6873A5463EDA6207A12A |
Trojan-Downloader.Agent.AEN [PCTools] Hacktool [Symantec]not-a-virus:NetTool.Win32.Agent.b [Kaspersky Lab]BackDoor-AWQ [McAfee]Mal/EncPk-AI [Sophos]Trojan:Win32/Pepatch.E [Microsoft]Backdoor.Win32.Popwin [Ikarus] |
| Memory Modifications |
| Process Name | Process Filename | Main Module Size |
| svchost.exe | %FontsDir%\svchost.exe | 102,400 bytes |
| cmdd | %FontsDir%\cmdd | 118,784 bytes |
| [filename of the sample #4] | [file and pathname of the sample #4] | 3,854,336 bytes |
| [filename of the sample #5] | [file and pathname of the sample #5] | 749,568 bytes |
| wacstdlt.exe | %System%\wacstdlt.exe | 61,440 bytes |
| [filename of the sample #2] | [file and pathname of the sample #2] | 204,800 bytes |
| [filename of the sample #3] | [file and pathname of the sample #3] | 626,688 bytes |
| svchost.exe | %DownloadedProgramFiles%\svchost.exe | 57,344 bytes |
| Driver Name | Driver Filename |
| MyDog | %System%\Drivers\Atieccx.sys |
| Registry Modifications |
| Other details |
|
China |
| Remote Host | Port Number |
| push.cpushpop.com | 1138 |
| Server Name | Server Port | Connect as User | Connection Password |
| liaobamm.com | 80 | (null) | (null) |
| 127.0.0.138 | 80 | 127.0.0.138 | 127.0.0.138 |
| 127.0.0.136 | 80 | 127.0.0.136 | 127.0.0.136 |
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2013 ThreatExpert. All rights reserved.