Submission Summary:

• Submission details:
• Submission received: 27 April 2009, 03:37:39
• Processing time: 5 min 37 sec
• Submitted sample:
• File MD5: 0xDF823CC4148868DE2FB5F389054DB345
• File SHA-1: 0x28832C9A7A897DB754BBE2E5EFDBBEC0DD1556DD
• Filesize: 104,960 bytes
• Alias:
• Trojan-Spy.Win32.Agent.amhu [Kaspersky Lab]
• Mal/FakeVirPk-A [Sophos]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

• Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\mousehook.dll	27,648 bytes	MD5: 0x815908674B922F40C83D06A38C7CE1AF SHA-1: 0x18E9D171A2B650AD13EF08F9A5E25C2A735D729C	Trojan-Spy.Win32.Agent.amhu [Kaspersky Lab] Mal/Dorf-F, Mal/EncPk-HL, Mal/FakeVirPk-A [Sophos] Trojan.Crypt [Ikarus]
2	%Temp%\ntdll64.dll	57,856 bytes	MD5: 0xDF2CB92753659A2B6B1ECDCDA70ADFB6 SHA-1: 0x0E6547200B6602A5F2646C242E7DC7A3BF5676A9	Trojan-Spy.Win32.Agent.amhu [Kaspersky Lab] Mal/Dorf-F, Mal/EncPk-HL, Mal/FakeVirPk-A [Sophos] Trojan.Crypt [Ikarus]
3	%System%\dllcache\userinit.exe [file and pathname of the sample #1]	104,960 bytes	MD5: 0xDF823CC4148868DE2FB5F389054DB345 SHA-1: 0x28832C9A7A897DB754BBE2E5EFDBBEC0DD1556DD	Trojan-Spy.Win32.Agent.amhu [Kaspersky Lab] Mal/FakeVirPk-A [Sophos]
4	%System%\init32.exe	24,576 bytes	MD5: 0x39B1FFB03C2296323832ACBAE50D2AFF SHA-1: 0xE5AEDCBE25A97C89101F1F3860FF846E94D70445	(not available)

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following file was modified:
• %System%\userinit.exe

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	110,592 bytes
init32.exe	%System%\init32.exe	32,768 bytes
userinit.exe	%System%\dllcache\userinit.exe	110,592 bytes

• Notes:
• [generic host process filename] is a full path filename of [generic host process].

Registry Modifications

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Software]
• 2a422c91-6984-47e4-94be-04c4fad5f8d8 = 0x00000001
• 1099ce4a-ff51-4a8d-ab3c-c74b9c06e46f = 0x00000000
• [HKEY_CURRENT_USER\Software\Microsoft]
• WinId = "{089538EC-BDBA-4A19-B920-A3F500D32B19}"

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers]
• LogonTime = 52 30 D4 D5 2C C7 C9 01
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
• LogonTime = 52 30 D4 D5 2C C7 C9 01

Other details

• To mark the presence in the system, the following Mutex object was created:
• Config Mutex

• The following HTTP URLs were started reading:
• http://onlinescanxp.com/?a=html&code=00000005
• http://onlinescanxp.com/?a=pop&q=%s&code=00000005
• http://onlinescanxp.com/land/eurl/?code=00000005
• http://onlinescanxp.com/?a=404&code=00000005
• http://onlinescanxp.com/?a=ruler&code=00000005

• The data identified by the following URL was then requested from the remote web server:
• http://onlinescanxp.com/?a=conf&code=0

• There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
• %Temp%\mousehook.dll