ThreatExpert Report: Mal/EncPk-JB, TrojanDownloader:Win32/Harnig.gen!P, Hoax.Win32.Renos.vchc..

Submission Summary:

Submission details:

Submission received: 24 July 2009, 21:10:59
Processing time: 8 min 9 sec
Submitted sample:

File MD5: 0xD9A878871B90C68F4A1A155A3015A8FE
File SHA-1: 0x85DFE45D6E72E44FAA632321306CDFCDF49229D6
Filesize: 113,664 bytes
Alias: Mal/EncPk-JB [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.Agent.ZO	Adware.Agent.ZO lowers some IE security settings and downloads RogueAntiSpyware without user's permission.
Trojan-Downloader.Small.GEN	Trojan-Downloader.Small.GEN contacts remote servers in order to download additional malware onto a users computer without their knowledge.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\4.tmp	13,824 bytes	MD5: 0xEAF033B22B399324F4A0E5E1F2A64487 SHA-1: 0x34380690F0F8608478C651A600AD692C6AD77600	TrojanDownloader:Win32/Harnig.gen!P [Microsoft]
2	%Temp%\WERee26.dir00\appcompat.txt	16,296 bytes	MD5: 0xF560A82E9385739415E085B4553CBA8F SHA-1: 0x958B55E9517896C07D689F6BDDED4EF10D0718A9	(not available)
3	%Temp%\WERee26.dir00\explorer.exe.hdmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
4	%Temp%\WERee26.dir00\explorer.exe.mdmp	60,061 bytes	MD5: 0xF1AA8A415EE2D41493F1C8DB3B53A1C3 SHA-1: 0x90834A75F567BF4648C1DDF441AB0384EADF28BE	(not available)
5	%Temp%\WERee26.dir00\manifest.txt	1,980 bytes	MD5: 0xEE4DE1856A189CD823C1FB285047F3B2 SHA-1: 0x8C71102780E7981EE576E844BD2546F6B83EE9B4	(not available)
6	%System%\braviax.exe	11,264 bytes	MD5: 0x61FEBE4C32CE9CB0DFCF55D373E0BAFD SHA-1: 0xBCB860C50F96E84D06866128FC4B2E93B121BD47	Packed.Generic.233 [Symantec] Hoax.Win32.Renos.vchc [Kaspersky Lab] FakeAlert-DA [McAfee] Mal/EncPk-IV [Sophos] Hoax.Win32.Renos [Ikarus]
7	%System%\delself.bat	156 bytes	MD5: 0x127C1143CDF778C331BDE08B3752ECE8 SHA-1: 0xCF2DB9ED201D49C4C79FE6153DE76777980877A0	(not available)
8	%System%\dllcache\beep.sys %System%\dllcache\figaro.sys	32,768 bytes	MD5: 0xB040B5812B6668A232B18D397F721741 SHA-1: 0xFC43B56B25CF0B83ACDFF11EDB8835B495AC2F0E	Trojan.Virantix.C [Symantec] Backdoor.Win32.UltimateDefender.xm [Kaspersky Lab] FakeAlert-C.dr [McAfee] Mal/FakeAle-C [Sophos] VirTool:WinNT/Xantvi.gen!A [Microsoft]
9	[file and pathname of the sample #1]	113,664 bytes	MD5: 0xD9A878871B90C68F4A1A155A3015A8FE SHA-1: 0x85DFE45D6E72E44FAA632321306CDFCDF49229D6	Mal/EncPk-JB [Sophos]
10	%System%\wbem\proquota.exe	35,840 bytes	MD5: 0x348BA619AAB3A92B99701335F95FE2A7 SHA-1: 0x0D349443338CEA889962B599F81ED40C78C5AD0C	Mal/EncPk-JB [Sophos]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was deleted:

%System%\proquota.exe

The following file was modified:

%System%\drivers\beep.sys

The following directory was created:

%Temp%\WERee26.dir00

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
braviax.exe	%System%\braviax.exe	45,056 bytes
1.tmp	%Temp%\1.tmp	61,440 bytes
proquota.exe	%System%\wbem\proquota.exe	61,440 bytes
[filename of the sample #1]	%Temp%\[filename of the sample #1]	81,920 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	106,496 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
svchost.exe	%System%\svchost.exe	65,536 bytes
svchost.exe	%System%\svchost.exe	65,536 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1208 = 0x00000000
2500 = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

braviax = "%System%\braviax.exe"

so that braviax.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Enable Browser Extensions = "yes"
Search Bar = "http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Security Center]

AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001

to disable notification of firewall, antivirus and/or update status through the Windows Security Center

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

EnableProfileQuota = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

braviax = "%System%\braviax.exe"

so that braviax.exe runs every time Windows starts

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Default_Search_URL = "http://www.google.com/ie"
Search Page = "http://www.google.com"
Start Page = "http://www.google.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

SearchAssistant = "http://www.google.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1201 = 0x00000000
1804 = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1201 = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1201 = 0x00000000
1804 = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1201 = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1200 = 0x00000000
1201 = 0x00000000
1608 = 0x00000000
1804 = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page = "http://www.google.com"
Search Page = "http://www.google.com"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

{432780427656663764673647663354632a}
{432780427656663764673647663354632}
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__

The following Host Name was requested from a host database:

squatead.com

The data identified by the following URLs was then requested from the remote web server:

http://cbbugltjud.com/progs/xfcgtyylqd/czaarfj.php?adv=adv464
http://cbbugltjud.com/progs/xfcgtyylqd/yiwwnbsww.php
http://cbbugltjud.com/progs/xfcgtyylqd/cwwjobbg.php
http://cbbugltjud.com/progs/xfcgtyylqd/heebsfwko.php
http://cbbugltjud.com/progs/xfcgtyylqd/ziwwofwj.php
http://cbbugltjud.com/progs/xfcgtyylqd/atghycdqhi.php
http://cbbugltjud.com/progs/xfcgtyylqd/vfsgt.php
http://cbbugltjud.com/progs/xfcgtyylqd/iejwn
http://dbicrgzykf.net/progs/xfcgtyylqd/iejwn
http://dbicrgzykf.net/progs/xfcgtyylqd/vfsgt.php
http://dbicrgzykf.net/progs/xfcgtyylqd/atghycdqhi.php
http://dbicrgzykf.net/progs/xfcgtyylqd/ziwwofwj.php
http://dbicrgzykf.net/progs/xfcgtyylqd/heebsfwko.php
http://dbicrgzykf.net/progs/xfcgtyylqd/cwwjobbg.php
http://dbicrgzykf.net/progs/xfcgtyylqd/yiwwnbsww.php
http://dbicrgzykf.net/progs/xfcgtyylqd/czaarfj.php?adv=adv464

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://komalinovskatas.com/?wmid=1025&d=2&it=2&s=24	%System%\wisdstr.exe
http://nulermagolasenda.com/?wmid=1025&d=2&it=2&s=24	%System%\wisdstr.exe
http://amerikosamoder.com/?wmid=1025&d=2&it=2&s=24	%System%\wisdstr.exe
http://ertonagionalos.com/?wmid=1025&d=2&it=2&s=24	%System%\wisdstr.exe
http://wertubertagosad.com/?wmid=1025&d=2&it=2&s=24	%System%\wisdstr.exe
http://berdanovskalonas.com/?wmid=1025&d=2&it=2&s=24	%System%\wisdstr.exe

A system request is initiated to shut down and then restart the system.

Downloaded File Summary:

Download details:

Download retrieved: 24 July 2009 21:19:08
Processing time: 14 min 17 sec
Downloaded sample #1:

File MD5: 0xE68A91A3614435882DAAD5494CAE622E
File SHA-1: 0x39133A410B9474897CEAE95F10C529581686D428
Filesize: 181,488 bytes
Alias:

Packed.Generic.233 [Symantec]
FakeAlert-DA [McAfee]
Mal/EncPk-IV [Sophos]
Trojan-Downloader.Win32.FakeRean [Ikarus]

Downloaded sample #2:

File MD5: 0x102FF59F4530E084005A2E04B768E9C1
File SHA-1: 0xCE177C806F37945EA7786116479D5B4D3FF2F07C
Filesize: 705 bytes
Alias & packer info:

Generic Packed [McAfee]
Troj/Agent-HAP [Sophos]
Virus.Win32.Virut.n [Ikarus]
Win-Trojan/Tinytro.705 [AhnLab]
packed with: FSG [Kaspersky Lab]

Downloaded sample #3:

File MD5: 0xF03682A1CF59E4ACB99CEBE8214427A3
File SHA-1: 0xCD41E22C6B07C66B5A6089FA60E34CEA0115F705
Filesize: 89,600 bytes
Alias:

Trojan Horse [Symantec]
New Win32.g5 [McAfee]
Mal/Generic-A [Sophos]
Trojan.Win32.Sirefef [Ikarus]

Downloaded sample #4:

File MD5: 0x13F6C839B43E9EBBB808013BC97E3A52
File SHA-1: 0x76E693B3BDDD13EB8AC3AEB229CB2F588562D609
Filesize: 22,016 bytes
Alias:

Trojan Horse [Symantec]
FakeAlert-FH [McAfee]
Mal/EncPk-IV [Sophos]
Trojan.Crypt [Ikarus]
Win-Trojan/Xema.variant [AhnLab]

Downloaded sample #5:

File MD5: 0x6BE4585C480B5C840E99BE9B190F7846
File SHA-1: 0x30305643F5A2BF1718A2FA5E5249E57F3B642D73
Filesize: 11,264 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-Downloader.Small.GEN	Trojan-Downloader.Small.GEN contacts remote servers in order to download additional malware onto a users computer without their knowledge.
Trojan.Crypt.GEN	Trojan.Crypt.GEN downloads additional malicious components when executed and allows hackers to gain full access to the compromised computer.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\cab124647DFW2S39JD.tmp	4 bytes	MD5: 0x12E65A331AA558C589F4F4EF9F1078AB SHA-1: 0x570DBBB98C41F0BA786DB9F91415293351B60195	(not available)
2	%Temp%\gbp61.exe	15,001 bytes	MD5: 0xD6B06D214827A8D97D733096F6151735 SHA-1: 0x7472F511E0CEE109CE33BDBC748520650B980C92	Trojan.Crypt.GEN [PCTools] Trojan Horse [Symantec] FakeAlert-FH [McAfee] Mal/EncPk-IV [Sophos] Trojan.Crypt [Ikarus] Win-Trojan/Xema.variant [AhnLab]
3	%Temp%\sfjh98w3jkdmfkd.exe	15,000 bytes	MD5: 0x4CEDC83F9395A4F85D8A69A606340D9C SHA-1: 0x82046AA5746F342F85870796A2570B4B8949A9AC	Trojan.Crypt.GEN [PCTools] Trojan Horse [Symantec] FakeAlert-FH [McAfee] Mal/EncPk-IV [Sophos] Trojan.Crypt [Ikarus] Win-Trojan/Xema.variant [AhnLab]
4	%System%\ghaf8jkdfd.dll	15,000 bytes	MD5: 0x97F3A87F0F203BFB1B7B0F1214CFC6DD SHA-1: 0xCB799F22ED02965EEF65E8512916AF3D32EC9888	Packed.Generic.233 [Symantec] Mal/EncPk-IV [Sophos]
5	%System%\ntelogon.dll	407,040 bytes	MD5: 0x96353FCECBA774BB8DA74A1C6507015A SHA-1: 0xBB28F6D22C3865420136CCFC720B9F53F91F81B6	(not available)
6	%System%\p2hhr.bat	46 bytes	MD5: 0x4EB5EEBA568B8C5912CCD65442C964CE SHA-1: 0xB4AF6DD121EF6A57E5799E812BB795DB0659A8A1	(not available)
7	[file and pathname of the sample #1]	181,488 bytes	MD5: 0xE68A91A3614435882DAAD5494CAE622E SHA-1: 0x39133A410B9474897CEAE95F10C529581686D428	Packed.Generic.233 [Symantec] FakeAlert-DA [McAfee] Mal/EncPk-IV [Sophos] Trojan-Downloader.Win32.FakeRean [Ikarus]
8	[file and pathname of the sample #2]	705 bytes	MD5: 0x102FF59F4530E084005A2E04B768E9C1 SHA-1: 0xCE177C806F37945EA7786116479D5B4D3FF2F07C	Generic Packed [McAfee] Troj/Agent-HAP [Sophos] Virus.Win32.Virut.n [Ikarus] Win-Trojan/Tinytro.705 [AhnLab] packed with FSG [Kaspersky Lab]
9	[file and pathname of the sample #3]	89,600 bytes	MD5: 0xF03682A1CF59E4ACB99CEBE8214427A3 SHA-1: 0xCD41E22C6B07C66B5A6089FA60E34CEA0115F705	Trojan Horse [Symantec] New Win32.g5 [McAfee] Mal/Generic-A [Sophos] Trojan.Win32.Sirefef [Ikarus]
10	[file and pathname of the sample #4]	22,016 bytes	MD5: 0x13F6C839B43E9EBBB808013BC97E3A52 SHA-1: 0x76E693B3BDDD13EB8AC3AEB229CB2F588562D609	Trojan Horse [Symantec] FakeAlert-FH [McAfee] Mal/EncPk-IV [Sophos] Trojan.Crypt [Ikarus] Win-Trojan/Xema.variant [AhnLab]
11	[file and pathname of the sample #5]	11,264 bytes	MD5: 0x6BE4585C480B5C840E99BE9B190F7846 SHA-1: 0x30305643F5A2BF1718A2FA5E5249E57F3B642D73	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was modified:

%System%\netlogon.dll

The following directories were created:

%ProgramFiles%\HomeAntivirus2010
%Windir%\addins\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
gbp61.exe	%Temp%\gbp61.exe	135,168 bytes
[filename of the sample #4]	[file and pathname of the sample #4]	69,632 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	106,496 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	20,480 bytes
sfjh98w3jkdmfkd.exe	%Temp%\sfjh98w3jkdmfkd.exe	135,168 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
ghaf8jkdfd.dll	%System%\ghaf8jkdfd.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1A00000 - 0x1A0B000
ghaf8jkdfd.dll	%System%\ghaf8jkdfd.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1620000 - 0x162B000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A36D2A01-00F3-42BD-F434-00BBC39C8953}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000\Control
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]

(Default) = "%System%\ghaf8jkdfd.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}]

(Default) = "%System%\ghaf8jkdfd.dll"
ThreadingModel = "Apartment"

[[pathname with a string SHARE]\SharedTaskScheduler]

{A36D2A01-00F3-42BD-F434-00BBC39C8953} = "kjhsf87fhjdsfn93rjkndfdf"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "{79007602-0CDB-4405-9DBF-1257BB3226ED}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]

Service = "{79007602-0CDB-4405-9DBF-1257BB3226ED}"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "{79007602-0CDB-4405-9DBF-1257BB3226ED}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "{79007602-0CDB-4405-9DBF-1257BB3226EE}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000]

Service = "{79007602-0CDB-4405-9DBF-1257BB3226EE}"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "{79007602-0CDB-4405-9DBF-1257BB3226EE}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "{79007602-0CDB-4405-9DBF-1257BB3226ED}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]

Service = "{79007602-0CDB-4405-9DBF-1257BB3226ED}"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "{79007602-0CDB-4405-9DBF-1257BB3226ED}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "{79007602-0CDB-4405-9DBF-1257BB3226EE}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000]

Service = "{79007602-0CDB-4405-9DBF-1257BB3226EE}"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "{79007602-0CDB-4405-9DBF-1257BB3226EE}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}]

NextInstance = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

mswindows restore service = "%Temp%\gbp61.exe"

so that gbp61.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore]

DisableSR = 0x00000001

to disable the System Restore tools on the Start menu

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46C166AA-3108-11D4-9348-00C04F8EEB71}\InProcServer32]

(Default) = "%System%\hnetcfg.dll"

Other details

To mark the presence in the system, the following Mutex objects were created:

DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__

The data identified by the following URLs was then requested from the remote web server:

http://mcsmc.org/ndw/dm.php?id=1CA0CE789127F70&ver=d00
http://mcsmc.org/ndw/ndw.php?id=1CA0CE789127F70&ver=d03
http://micronetsys.org/ndw/ndw.php?id=1CA0CE789127F70&ver=d03
http://mnprfix.cn/ndw/ndw.php?id=1CA0CE789127F70&ver=d03

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://bureltanovaderta.com/files/HomeAntivirus2010/Binaries1.cab	%Temp%\tmpwr2
http://bureltanovaderta.com/files/BinariesAVE.cab	%Temp%\tmpwr3
http://bureltanovaderta.com/files/BinariesAdd.cab	%Temp%\tmpwr4
http://bureltanovaderta.com/files/HomeAntivirus2010/BinariesGUI.cab	%Temp%\tmpwr5
http://bureltanovaderta.com/files/BinariesSC.cab	%Temp%\tmpwr6
http://bureltanovaderta.com/files/BinariesUpd.cab	%Temp%\tmpwr7

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\ghaf8jkdfd.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.