Submission Summary:

What's been found | Severity Level
Capability to block security-related software by modifying firewall settings and by disabling security services, such as Windows Update, Norton Autoprotect, Kaspersky Anti-Virus, etc.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat Category | Description
A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
A network-aware worm that attempts to replicate across the existing network(s)
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment


File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %AppData%\1ak7jacu.exe 69,632 bytes MD5: 0x3420DE55B8DE4B837C9CC61A8C7A3DD0
SHA-1: 0xD6B26EBBBE92459A2F57BA64CFEEFD169F21A1EB
Worm.Win32.WBNA.aot [Kaspersky Lab]
packed with ASPack [Kaspersky Lab]
2 %AppData%\7d6syyx1h.exe 100,864 bytes MD5: 0x25FDE072A8CD2A8B02F052C2696ADEA0
SHA-1: 0x368520933E1BFA228781A46E5255B005DDC4027D
Virus.Win32.Virut.ce [Kaspersky Lab]
3 %AppData%\7jlnhz94t.exe 101,376 bytes MD5: 0xF416E91C9BC662685F1C64ED90831BB5
SHA-1: 0xAA813F477F7DCEB639EC5B913A14FC1AD5DBF7F1
Virus.Win32.Virut.ce [Kaspersky Lab]
4 %AppData%\addons.dat 25,404 bytes MD5: 0x1010104E3EA400FD4FC748A9B4299698
SHA-1: 0xF1B76585BEB710547D29E0D9D147E6CBF58D5020
(not available)
5 %AppData%\conima.exe 100,864 bytes MD5: 0x813B2D26C419151120202FE179746F0E
SHA-1: 0x85C1803B68D95B3776AA914ADE8D5A01532FE020
Virus.Win32.Virut.ce [Kaspersky Lab]
6 %AppData%\inlog 1,419 bytes MD5: 0x3A40D838CCA2FB3FEC85BEFF9E455327
SHA-1: 0x0CC30E16E60A4AFC1A75FDBC6FE31807CB7EE979
(not available)
7 %AppData%\Input.bat 109 bytes MD5: 0xAC770FA3043EA082FEA28E51A3A5AEDD
SHA-1: 0x4CB88426FA4CEB33CF30170694B29CA4190455F8
(not available)
8 %AppData%\ir1o0qtb3.exe 101,376 bytes MD5: 0xC88E947E9BC687D1DBED73B0735736DE
SHA-1: 0x5484AF716AB01CF23D060C3C02BFD63A91144193
Virus.Win32.Virut.ce [Kaspersky Lab]
9 %AppData%\LocalAccountAuthority.bat 108 bytes MD5: 0x2C9B188DB3E8711956C33D9A699B0D7A
SHA-1: 0x306B8FB221FB3FC452C4C74388A51B6EC268FFFA
(not available)
10 %AppData%\lssas.exe 101,376 bytes MD5: 0x8D18B36CB8AEB2DCDBF0AB81B0865EBF
SHA-1: 0x0F49587FBD65F1AC680C0D2EAC0F8AB0122732AD
Virus.Win32.Virut.ce [Kaspersky Lab]
11 %AppData%\manager.exe 101,376 bytes MD5: 0x414D4D4B4AB52614AA84FDD521A99F3E
SHA-1: 0xEA09B5FAC0FDC44B75CF77E2B1BB9217E38E4B62
Virus.Win32.Virut.ce [Kaspersky Lab]
12 %AppData%\mgww9r.log 2,838 bytes MD5: 0xE45D6274FDD64AEDB4AE4FB07AFE5CB2
SHA-1: 0xB7BE659237BA2D1BF13CB34619EF28F7CBDFB567
(not available)
13 %AppData%\mlog 1,586 bytes MD5: 0xD6DAC3ED2B52D63A2FAE22AB8B4ADDCD
SHA-1: 0x6795EE6041AE48CDB2F550A0F4714F8F9D6D2A5C
(not available)
14 %AppData%\MouseDriver.bat 107 bytes MD5: 0x9220BF095ADC63E452029FCDA729BE5A
SHA-1: 0x5DC9C0778D112969D8F40BF15CB6CC85310E79C6
(not available)
15 %AppData%\Plug.bat 110 bytes MD5: 0xD3C617A5FEC470419DBE3A6C4168F433
SHA-1: 0x473D401A7FEB247851E20BF0E854DDE4915FEAB2
(not available)
16 %AppData%\pr5ps29nx.exe 69,632 bytes MD5: 0xBE505DF456A353F6759189736D3C9B82
SHA-1: 0xC9E40E52EE4B62A30DB350D847C84F8EB9629B13
packed with ASPack [Kaspersky Lab]
17 %AppData%\ty0g.exe 91,648 bytes MD5: 0xA45E5E0F0A10B02CDF70A24378570AB1
SHA-1: 0x5499A2A00DE8BFF45B14934F1E14A88B11DCFE18
Virus.Win32.Virut.ce [Kaspersky Lab]
Mal/HckPk-A [Sophos]
Trojan-Spy.Win32.VB [Ikarus]
18 %AppData%\x1hlqbkkv.exe 69,120 bytes MD5: 0x1515BC6DA91F1F31625AA606E0516288
SHA-1: 0xAFE49A0ED3BA7E78F78DEE8C14F01334715D81E3
Worm.Win32.WBNA.aou [Kaspersky Lab]
packed with ASPack [Kaspersky Lab]
19 %AppData%\ylog 1,761 bytes MD5: 0x1FE7876F587485D26EE4D21779ED2616
SHA-1: 0x4898CA524143883A7F9C33FE3C5010E084085F91
(not available)
20 %ProgramFiles%\�\server.exe
[file and pathname of the sample #1]
60,285 bytes MD5: 0xE1F1001E95E6A3D44C8272450F2D3E8F
SHA-1: 0x1231FEEC7F80D1F10FFE15080792AF1E4EB1CF22
Trojan.Win32.Refroso.djjg [Kaspersky Lab]
Backdoor-CEP.gen.u [McAfee]
Mal/Bifrose-Z [Sophos]
VirTool:Win32/Injector.gen!AG [Microsoft]
Virus.Trojan.Win32.Midgare [Ikarus]


Memory Modifications

Process Name | Process Filename | Main Module Size
ty0g.exe | %AppData%\ty0g.exe | 229,376 bytes
lssas.exe | %AppData%\lssas.exe | 258,048 bytes
manager.exe | %AppData%\manager.exe | 258,048 bytes

Process Name | Process Filename | Allocated Size
explorer.exe | %Windir%\explorer.exe | 40,960 bytes

Service Name | Display Name | Status | Service Filename
MouseDriver | MouseDriver | "Stopped" | %AppData%\MouseDriver.bat
Local Account Authority Service | Local Account Authority Service | "Stopped" | %AppData%\LocalAccountAuthority.bat
Plug Manager | Plug Manager | "Stopped" | %AppData%\Plug.bat

Service Name | Display Name | New Status | Service Filename
ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs


Registry Modifications


Other details

China

Port | Protocol | Process
1074 | UDP | lssas.exe (%AppData%\lssas.exe)
1098 | TCP | lssas.exe (%AppData%\lssas.exe)
1104 | TCP | lssas.exe (%AppData%\lssas.exe)
1108 | TCP | lssas.exe (%AppData%\lssas.exe)
1109 | TCP | lssas.exe (%AppData%\lssas.exe)
1110 | TCP | lssas.exe (%AppData%\lssas.exe)
1115 | TCP | lssas.exe (%AppData%\lssas.exe)
1116 | TCP | lssas.exe (%AppData%\lssas.exe)
1117 | TCP | lssas.exe (%AppData%\lssas.exe)
1118 | TCP | lssas.exe (%AppData%\lssas.exe)
1120 | TCP | lssas.exe (%AppData%\lssas.exe)
1127 | UDP | manager.exe (%AppData%\manager.exe)
1132 | TCP | lssas.exe (%AppData%\lssas.exe)
1133 | TCP | lssas.exe (%AppData%\lssas.exe)
1141 | TCP | manager.exe (%AppData%\manager.exe)
1150 | TCP | lssas.exe (%AppData%\lssas.exe)
1176 | TCP | lssas.exe (%AppData%\lssas.exe)
1177 | TCP | lssas.exe (%AppData%\lssas.exe)
1180 | TCP | lssas.exe (%AppData%\lssas.exe)
1182 | TCP | manager.exe (%AppData%\manager.exe)
1183 | TCP | manager.exe (%AppData%\manager.exe)
1184 | TCP | manager.exe (%AppData%\manager.exe)
1185 | TCP | manager.exe (%AppData%\manager.exe)
1186 | TCP | lssas.exe (%AppData%\lssas.exe)
1188 | TCP | manager.exe (%AppData%\manager.exe)

Remote Host | Port Number


Outbound traffic (potentially malicious)


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.