Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Security Risk | Description
Worm.IM.Sohanad: Worm.IM.Sohanad spreads via Yahoo Messenger and infects Windows. It sends a message to all Yahoo Messenger contacts of an infected user. The message contains a link enticing users to download the worm. The worm also disables certain Windows functionalities and hijacks the Internet Explorer homepage. It also downloads other malware and attempts to propagate by creating copies of itself on removable devices such as USB flash drives and hard drives.

Threat Category | Description
A program that downloads files to the local computer that may represent security risk

File System Modifications

1.  Filename(s): %Temp%\icgamer.exe
                 %Temp%\iconvert.exe
    File Size:   125 bytes
    File Hash:   MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415
                 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
    Alias:       (not available)

2.  Filename(s): %Temp%\IXP000.TMP\icon+ic+lu.+miss1.EXE
    File Size:   343,552 bytes
    File Hash:   MD5: 0xCE9AC19F73E644AD8E12531AEA3F07C8
                 SHA-1: 0xE7A2CD49B4F6B344BA334D82BA927BF38FD8808A
    Alias:       Trojan-Downloader.MSIL.Agent.do [Kaspersky Lab]
                 Trojan-Downloader.MSIL [Ikarus]

3.  Filename(s): %Temp%\IXP000.TMP\keygen.exe
    File Size:   118,272 bytes
    File Hash:   MD5: 0xA51C73E436C2151D19330189835C62E5
                 SHA-1: 0xFCE1D84A036257B166636CC71F11189595EEAFDC
    Alias:       packed with PE_Patch.UPX [Kaspersky Lab]

4.  Filename(s): %Temp%\IXP001.TMP\ICON_I~2.EXE
    File Size:   242,176 bytes
    File Hash:   MD5: 0x627A1EAED8D14A6BC18E888895E40092
                 SHA-1: 0xEE25F49F808D0C00D1FC548AA553F26BB7333438
    Alias:       Trojan-Downloader.MSIL.Agent.dp [Kaspersky Lab]
                 Trojan-Downloader.MSIL [Ikarus]

5.  Filename(s): %Temp%\IXP001.TMP\miss1.exe
    File Size:   146,536 bytes
    File Hash:   MD5: 0x7FBA514F4B93342CF40D5BA671B414DF
                 SHA-1: 0xDD2717F1AFF0954E154554763FD5CBBAF81E0C0F
    Alias:       Downloader [Symantec]
                 Trojan-Downloader.MSIL.Agent.do [Kaspersky Lab]
                 Generic Downloader.x [McAfee]
                 Mal/Generic-A [Sophos]
                 Trojan-Downloader.MSIL [Ikarus]

6.  Filename(s): %Temp%\IXP002.TMP\ICON_I~1.EXE
    File Size:   140,800 bytes
    File Hash:   MD5: 0xCDA74D3151CCA001907F8A738060DC3F
                 SHA-1: 0x712C9BC0177234CF1732919EAA4929CE4A7492FC
    Alias:       Trojan-Downloader.MSIL.Agent.dq [Kaspersky Lab]
                 Trojan-Downloader.MSIL [Ikarus]

7.  Filename(s): %Temp%\IXP002.TMP\lucat.exe
    File Size:   146,536 bytes
    File Hash:   MD5: 0x8986DDFAC5C176375525492E35656C2F
                 SHA-1: 0x556620F4625B2009F8F354451D5C3CE5DC93BA72
    Alias:       Downloader [Symantec]
                 Trojan-Downloader.MSIL.Agent.dp [Kaspersky Lab]
                 Generic Downloader.x [McAfee]
                 Trojan-Downloader.MSIL [Ikarus]

8.  Filename(s): %Temp%\luxcat.exe
    File Size:   0 bytes
    File Hash:   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                 SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
    Alias:       (not available)

9.  Filename(s): %Temp%\melt.bat
    File Size:   105 bytes
    File Hash:   MD5: 0x069CA0EAEB082400338D6588E1993EF3
                 SHA-1: 0xD601A70FDE75E369FEDAAA302BC65742AC84CE50
    Alias:       (not available)

10. Filename(s): [file and pathname of the sample #1]
    File Size:   487,424 bytes
    File Hash:   MD5: 0xDB4F8AAFE5AA3F5DEBE3F1CF585AE34E
                 SHA-1: 0x583D34EF7B4DD9F05C0D455F361D4A316A5D3865
    Alias:       Trojan-Downloader.MSIL.Agent.dr, Trojan-Downloader.MSIL.Agent.dq, Trojan-Downloader.MSIL.Agent.dp, Trojan-Downloader.MSIL.Agent.do [Kaspersky Lab]
                 Generic Downloader.x [McAfee]
                 Mal/Generic-A [Sophos]
                 Trojan-Downloader.MSIL [Ikarus]

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 499,712 bytes
icon+ic+lu.+miss1.EXE | %Temp%\ixp000.tmp\icon+ic+lu.+miss1.exe | 356,352 bytes
ICON_I~2.EXE | %Temp%\ixp001.tmp\icon_i~2.exe | 253,952 bytes
ICON_I~1.EXE | %Temp%\IXP002.TMP\ICON_I~1.EXE | 155,648 bytes
lucat.exe | %Temp%\ixp002.tmp\lucat.exe | N/A

Registry Modifications

Other details

Brazil
Belgium

Downloaded File Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Threat Category | Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A program that downloads files to the local computer that may represent security risk

File System Modifications

1.  Filename(s): %Temp%\ovfsthvppetsetqd.tmp
    File Size:   133,120 bytes
    File Hash:   MD5: 0x49FDFA3FA6B7D027FD9AF347F005D9AB
                 SHA-1: 0xDB943CB383CB29D0716ADE98F5A93230AE577057
    Alias:       Trojan Horse [Symantec]
                 Trojan.Win32.Agent.bzpx [Kaspersky Lab]
                 Generic Dropper [McAfee]
                 Mal/TDSS-Fam [Sophos]
                 Trojan:Win32/Meredrop [Microsoft]
                 Trojan.Win32.Agent [Ikarus]

2.  Filename(s): [file and pathname of the sample #2]
    File Size:   9,216 bytes
    File Hash:   MD5: 0x888336EB07D5DA2720FB7AE90C002771
                 SHA-1: 0x33C6B62E1DFC2089D9D599EF051961DC508BA830
    Alias:       Trojan.Vundo [Symantec]
                 Trojan-Downloader.Win32.Agent.bqqy [Kaspersky Lab]
                 Generic Downloader.x [McAfee]
                 Troj/MDrop-CAX [Sophos]
                 Trojan.Win32.Piptea [Ikarus]

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #2] | [file and pathname of the sample #2] | 180,224 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 147,456 bytes

Other details

Downloaded Files Summary (Generation #2):

What's been found | Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Security Risk | Description
Trojan-Downloader.NUS: Trojan-Downloader.NUS tries to contact a remote server in order to download additional malware onto a user's computer without their knowledge.

Threat Category | Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

1.  Filename(s): [file and pathname of the sample #1]
    File Size:   705 bytes
    File Hash:   MD5: 0x102FF59F4530E084005A2E04B768E9C1
                 SHA-1: 0xCE177C806F37945EA7786116479D5B4D3FF2F07C
    Alias:       Trojan-Downloader.NUS [PCTools]
                 Trojan.Win32.Agent2.hoc [Kaspersky Lab]
                 Generic Packed [McAfee]
                 Troj/Agent-HAP [Sophos]
                 Virus.Win32.Virut.n [Ikarus]
                 Win-Trojan/Tinytro.705 [AhnLab]

2.  Filename(s): [file and pathname of the sample #2]
    File Size:   7,680 bytes
    File Hash:   MD5: 0xC4723BF9B19108863C637D67AA57B4DE
                 SHA-1: 0x0FC87094109449059A4DBDF71D27D5972A6FB78C
    Alias:       packed with PE_Patch.UPX [Kaspersky Lab]

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 20,480 bytes

Other details

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.