ThreatExpert Report: Mal/EncPk-DZ, Trojan-Spy.Win32.Banker.anv, Backdoor.Win32.Rbot..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 4 October 2011, 07:43:20
Processing time: 12 min 33 sec
Submitted sample:

File MD5: 0xDA65635810F1EB59A3D9581A07BFA95B
File SHA-1: 0xC8C12B01AA13AD30E5143EFA7DB07724ABF3688E
Filesize: 166,400 bytes
Alias & packer info:

Mal/EncPk-DZ [Sophos]
Trojan-Spy.Win32.Banker.anv [Ikarus]
packed with: PE_Patch [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\%ComputerName%.txt	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%System%\h4714log.txt	140 bytes	MD5: 0xE101D0AF75AFD4A96DC5C4AD0052D66A SHA-1: 0x12A38A87A982092C9DAF581BA9AAA038047B9F22	(not available)
3	%System%\loadb.exe	304,640 bytes	MD5: 0xF5FC2E167DB1AF6BEA88B7C633EDA7C1 SHA-1: 0xDB33E3243E86186D7C157B3E329E2492896801BF	Mal/EncPk-DZ [Sophos] Backdoor.Win32.Rbot [Ikarus] packed with PE_Patch [Kaspersky Lab]
4	%System%\loadki.exe	304,640 bytes	MD5: 0xC8EB1C616C9D873E6315EABA3625A432 SHA-1: 0xB7D8CCE1888A71A3B800A59E5825E4D185E705F7	Mal/EncPk-DZ [Sophos] Backdoor.Win32.Rbot [Ikarus] packed with PE_Patch [Kaspersky Lab]
5	%System%\loadne.exe	2,895,360 bytes	MD5: 0x4F55F9D08D9F079CC7022DBFBD29CE16 SHA-1: 0xC30066E397F07E0E000D1621A00F0FDCD2FD6F3B	Backdoor.Win32.Rbot [Ikarus] packed with PE_Patch [Kaspersky Lab]
6	%System%\loadwa.exe	405,504 bytes	MD5: 0xCC83A5B585B9D62B74276AC8BF171E88 SHA-1: 0x25FC86EC300EAC175AAB083F8FFDBCDE5C3D0C84	not-a-virus:PSWTool.Win32.MailPassView.as [Kaspersky Lab] Mal/Banker-Z [Sophos] PWS:Win32/Bawmaq.A [Microsoft] Trojan-PWS.Win32.Delf [Ikarus] packed with PE_Patch [Kaspersky Lab]
7	%System%\loadwe.exe	690,688 bytes	MD5: 0x3CAC8AE6349F861B7489B842A1DC4EF5 SHA-1: 0x6CD3FA426CB9A74F62DD0730A27A4B196DE9FE98	Backdoor.Win32.Rbot [Ikarus] packed with PE_Patch [Kaspersky Lab]
8	%System%\owner.exe	88,576 bytes	MD5: 0xBB5208189F45564AF76D7810A2E8B59C SHA-1: 0x76B9A6311C8A55FC5E9E3EEC7878F64C36291491	Trojan-Spy.Banker.GEN [PCTools] not-a-virus:PSWTool.Win32.MailPassView.as [Kaspersky Lab] Generic PWS.y!q [McAfee] HackTool:Win32/Mailpassview [Microsoft] not-a-virus:PSWTool.Win32.MailPassView [Ikarus]
9	[file and pathname of the sample #1]	166,400 bytes	MD5: 0xDA65635810F1EB59A3D9581A07BFA95B SHA-1: 0xC8C12B01AA13AD30E5143EFA7DB07724ABF3688E	Mal/EncPk-DZ [Sophos] Trojan-Spy.Win32.Banker.anv [Ikarus] packed with PE_Patch [Kaspersky Lab]
10	c:\winhelp.txt	350 bytes	MD5: 0xD85014068F786AF79A2682462DAE8500 SHA-1: 0xA4C9CF556401E9C2E635E2CA7CB7F63756FB4E62	(not available)
11	c:\winhelp32.txt	352 bytes	MD5: 0x913BDD2B2CF51A9031809C79016198FC SHA-1: 0x13427E43021DC30E3DB28C0EC80E02B0BA1908A2	(not available)
12	c:\winx.log	138 bytes	MD5: 0x55CE55C10C0CB60721763D56D952FC3A SHA-1: 0x908C5BFF10FDF26C736A8ED20D488D3808C38CD9	(not available)

Notes:

%ComputerName% is a variable that refers to the current computer name.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
loadne.exe	%System%\loadne.exe	17,203,200 bytes
loadwe.exe	%System%\loadwe.exe	9,060,352 bytes
loadb.exe	%System%\loadb.exe	688,128 bytes

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
HKEY_LOCAL_MACHINE\SOFTWARE\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\GbpSv
HKEY_CURRENT_USER\Software\Microsoft\GNkHMCGL
HKEY_CURRENT_USER\Software\Microsoft\JMkWNcaj
HKEY_CURRENT_USER\Software\Microsoft\jqejTKJg
HKEY_CURRENT_USER\Software\Microsoft\ShoeYJJn
HKEY_CURRENT_USER\Software\Microsoft\xPHQdxiM
HKEY_CURRENT_USER\Software\Microsoft\XWyeBKFM

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

loadne.exe = "%System%\loadne.exe"
hotmail = "%System%\loadwe.exe"
process = "%System%\loadki.exe"
Microsoft Redirect = "%System%\loadb.exe"

so that loadne.exe runs every time Windows starts

so that loadwe.exe runs every time Windows starts

so that loadki.exe runs every time Windows starts

so that loadb.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]

200.98.196.199 = "-1609629686:tcp:200.98.196.199,1433"

[HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]

NetworkAddress = 9F DE EA 86 05 5B
NetworkAddressLocal = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv]

ImagePath = "C:\PROGRA~1\GbPlugin\GbpSvx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv]

ImagePath = "C:\PROGRA~1\GbPlugin\GbpSvx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]

ImagePath = "C:\PROGRA~1\GbPlugin\GbpSvx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\GbpSv]

ImagePath = "C:\PROGRA~1\GbPlugin\GbpSvx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\GNkHMCGL]

xSaKuCCX = 7A 94 D8 22 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

[HKEY_CURRENT_USER\Software\Microsoft\JMkWNcaj]

pWGOveek = 7A 94 E2 22 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

[HKEY_CURRENT_USER\Software\Microsoft\jqejTKJg]

dbMBcDhI = 7A 94 59 23 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

[HKEY_CURRENT_USER\Software\Microsoft\ShoeYJJn]

yiMTuBtd = 7A 94 E5 22 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

[HKEY_CURRENT_USER\Software\Microsoft\xPHQdxiM]

wJlOmbHb = 7A 94 BB 23 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

[HKEY_CURRENT_USER\Software\Microsoft\XWyeBKFM]

cLhkdDPe = 7A 94 E4 22 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Brazil
	Israel

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
187.45.195.62	80
201.33.17.119	80
200.98.196.199	1433

The data identified by the following URLs was then requested from the remote web server:

http://animesenet.tempsite.ws/worm.php
http://netingwebcom.sitebr.net/dll/loadne.jpg
http://netingwebcom.sitebr.net/dll/loadki.jpg
http://netingwebcom.sitebr.net/dll/loadwe.jpg
http://netingwebcom.sitebr.net/dll/loadit.jpg
http://netingwebcom.sitebr.net/dll/loadb.jpg
http://netingwebcom.sitebr.net/dll/loadwa.jpg

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 80:

There was an outbound traffic produced on port 1433:

00000000 | 1201 0034 0000 0000 0000 1500 0601 001B | ...4............
00000010 | 0001 0200 1C00 0C03 0028 0004 FF08 0001 | .........(......
00000020 | 5500 0000 4D53 5351 4C53 6572 7665 7200 | U...MSSQLServer.
00000030 | D805 0000 1201 004E 0000 0000 1603 0100 | .......N........
00000040 | 4101 0000 3D03 014E 8B1B A1C7 6492 204A | A...=..N....d. J
00000050 | A431 69D3 652A 33DB A755 6E34 9782 75DD | .1i.e*3..Un4..u.
00000060 | D722 A140 10DE 9800 0016 0004 0005 000A | .".@............
00000070 | 0009 0064 0062 0003 0006 0013 0012 0063 | ...d.b.........c
00000080 | 0100 1201 00C2 0000 0000 1603 0100 8610 | ................
00000090 | 0000 8200 8057 9DE1 97BE 57D0 DDC4 328C | .....W....W...2.
000000A0 | C3D3 5A98 2CFF 9717 F77B 378B 1AE5 4738 | ..Z.,....{7...G8
000000B0 | 4876 9F7B BA6E 6CE9 3D39 FAD5 2FD2 8537 | Hv.{.nl.=9../..7
000000C0 | 4981 3BA8 252A 1836 DBDE 9717 A626 283B | I.;.%*.6.....&(;
000000D0 | C24E 1235 1ADD E250 6F91 F3B6 EC97 D94F | .N.5...Po......O
000000E0 | A67A 71EB E118 490C FADF 7069 D2B7 5754 | .zq...I...pi..WT
000000F0 | 6A56 6F71 7C59 E0ED C635 2700 A559 2391 | jVoq|Y...5'..Y#.
00000100 | F832 CE48 F302 E8C8 93D9 5F1B 6688 FDB5 | .2.H......_.f...
00000110 | B92E CAF0 B114 0301 0001 0116 0301 0024 | ...............$
00000120 | A8F6 F0B5 784E A4FC BCFF 4D7B 95E8 3A41 | ....xN....M{..:A
00000130 | 49E5 9023 4B24 3892 268B F905 3CBD 92E6 | I..#K$8.&...<...
00000140 | FA4B 0B9A 1703 0100 CC35 4BDB A6B1 7824 | .K.......5K...x$
00000150 | 4E1C A77E 410F A5E8 D9AA 70A8 3CD6 D91C | N..~A.....p.<...
00000160 | 3E82 9890 E4B8 68B4 551C E370 31CE 658B | >.....h.U..p1.e.
00000170 | 5AF6 5153 BC3F CC19 2730 34BF 72B7 CA56 | Z.QS.?..'04.r..V
00000180 | A46B 5170 A424 A229 088B 92CD 037F 80BC | .kQp.$.)........
00000190 | 8DE6 B034 3DA0 9D97 5D73 C6FF 1503 AD2E | ...4=...]s......
000001A0 | B599 52EC F14B C477 DE64 76B2 74EB 10D9 | ..R..K.w.dv.t...
000001B0 | 0671 CB6B A9C1 B799 7C75 F8D9 7BD2 99BF | .q.k....|u..{...
000001C0 | DCA2 1CB8 753C B2B2 236F 090C 39FB E4B0 | ....u<..#o..9...
000001D0 | EE2A 70BF F832 48DE 957B 9465 9148 CE89 | .*p..2H..{.e.H..
000001E0 | B294 D8B6 A40E 4794 E6B2 0875 54A3 EBAC | ......G....uT...
000001F0 | 1892 494D E235 C1E8 13E2 05BC 83E9 1758 | ..IM.5.........X
00000200 | E15D 5C04 A88E 4BF8 904D 5555 D43F E035 | .]\...K..MUU.?.5
00000210 | CBD5 249B 16                            | ..$..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.