ThreatExpert Report: Trojan.Gen.2, Worm.Win32.Ngrbot.hel, Worm.Win32.Dorkbot, Trojan.ADH..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 30 November 2011, 18:07:02
Processing time: 14 min 26 sec
Submitted sample:

File MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6
File SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D
Filesize: 1,903,189 bytes
Alias:

Trojan.Gen.2 [Symantec]
Worm.Win32.Ngrbot.hel [Kaspersky Lab]
Worm.Win32.Dorkbot [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\1.tmp %AppData%\2.tmp %AppData%\Fbxaxf.exe	282,624 bytes	MD5: 0x4419BA71E46C2B6180D8C5FB5F14EFB0 SHA-1: 0x6187916D3C3511B9AE9874A3868B175659D46EC4	(not available)
2	%AppData%\3.exe	327,680 bytes	MD5: 0xACB887FE28C2D1206B8835935506E6B8 SHA-1: 0x9E0E8218B3BCAC5931CE448EE8FEFF1333813F2E	(not available)
3	%AppData%\5.exe	474,829 bytes	MD5: 0x2D04724F3EACF65CB140B8B3F36C5C97 SHA-1: 0xE195798A6F76010673B457B2D8CEADC29E3E22A5	(not available)
4	%AppData%\6.exe	388,535 bytes	MD5: 0x7781C1145869CDF87CF61D671247E80E SHA-1: 0xE2F76F546D3E4FF3E748FB6D4B1B3D2890C3B1DA	(not available)
5	%AppData%\7.exe	398,081 bytes	MD5: 0x37FBCA12ADFF251A3B0BC75EF81CE752 SHA-1: 0x951C62AB205B7CD0C783273170D1DEF56EA25AFE	Trojan.ADH [PCTools] Trojan.Gen.2 [Symantec] not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab] W32/IRCbot.gen.bc [McAfee] Trojan:Win32/Sisproc [Microsoft] Trojan.BAT.Miner [Ikarus]
6	%AppData%\9.tmp %AppData%\Wcxaxw.exe	294,912 bytes	MD5: 0xDAFF13B10AD87D9F578555B641758FA1 SHA-1: 0x377E0C14DCF65A9B027748775BC7ACD3E06BAB67	(not available)
7	%AppData%\A.exe	137,024 bytes	MD5: 0x7DBB979C1CBCFAEBC9792D47E05A841C SHA-1: 0xC73BB9319146F6AD76FFE143685578E51B097587	(not available)
8	%AppData%\kakao3\fuckHDZSDP.exe %Temp%\fuckHDZSDP.exe	278,528 bytes	MD5: 0xAE9C07D9B2EA9C1F58E32D3C44B0F33E SHA-1: 0xE1E72AE01919BC8F0BD236AA00EED4D029C7CCE7	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan.Win32.FakeAv.irgx [Kaspersky Lab] BackDoor-DOQ.gen.as [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Malagent [Microsoft] Trojan.Win32.Buzus [Ikarus]
9	%AppData%\kakao3\new.exe %Temp%\new.exe	57,344 bytes	MD5: 0xC31027010355FD8F52FE3640048ACD37 SHA-1: 0x5DD50D63D76B8E1CEFBC019CFD414C57FFFEAA72	(not available)
10	%AppData%\PickaVamMaterina2\HDZ.exe	57,344 bytes	MD5: 0x7A8DF56F23106AD0D9D786BAE4ED75BC SHA-1: 0xBD78A2F8FEAA92C5B18BBFFD0EB1399A0644F5BC	(not available)
11	%AppData%\PickaVamMaterina2\Ivo_Sanader.exe	389,120 bytes	MD5: 0x0A4EB0CB242A27AEC20A281F4293FC5E SHA-1: 0x4BA9C00EAC0317346A0AAC3AE8AFB7D4057863EA	(not available)
12	%AppData%\jqycpqe.exe %Temp%\zxjidmw.exe	344,576 bytes	MD5: 0x6D6BD4C8256D75B314BDD644C1240917 SHA-1: 0x1ACCD82D27F6511375F5635BDAAC8B3BAFF0E624	Trojan.FakeAV [PCTools] Trojan.FakeAV!gen64 [Symantec] Trojan.Win32.FakeAV.dvjc [Kaspersky Lab] FakeAlert-SecurityTool.bt [McAfee] Mal/FakeAV-KL [Sophos] Trojan.Win32.FakeAV [Ikarus]
13	%Temp%\about.exe	57,344 bytes	MD5: 0xC52F6C51034FD72CB65483DAB4E51438 SHA-1: 0xB0039E980891438B76419E0CEF9040FA1C413E93	(not available)
14	%Temp%\del.exe	159,232 bytes	MD5: 0x99D3FD2985012D43C3D532CF1F70B342 SHA-1: 0xD0018933F627CD668DFEBC1B3AAD8D4C25D2D82B	Malware.W95-CIH [PCTools] W95.CIH.damaged [Symantec] Generic.dx!xon [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Dynamer!dtc [Microsoft] Virus.Win9x.CIH [Ikarus]
15	%Temp%\hid.exe	44,040 bytes	MD5: 0xC1C769D742F88E441DED76BF57A5A45C SHA-1: 0x06872DABD41E70DC4EF8FD5131B334BE8A17DB3C	Net-Worm.SillyFDC [PCTools] not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab]
16	%Temp%\HRSearchC.exe	287,744 bytes	MD5: 0x5E03A535C8BEF1AB056074D68CE7A5E0 SHA-1: 0x689974AE94DF135E21F5711C06B5DC72DA3F9128	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Generic.dx!banc [McAfee] Trojan.ATRAPS [Ikarus] packed with PE_Patch.PECompact [Kaspersky Lab]
17	%Temp%\Jttetn.exe	139,264 bytes	MD5: 0x585F2F27EF6D87CD4CC9A8501EAAA6FE SHA-1: 0x0AB77FD8C68025F4E579C4C58C05874108F20F5A	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Backdoor.Win32.Ruskill.g [Kaspersky Lab] Downloader-CMU.d [McAfee] Mal/Generic-L [Sophos] Worm:Win32/Dorkbot.A [Microsoft] Worm.Win32.Dorkbot [Ikarus]
18	%Temp%\Mstetq.exe	143,360 bytes	MD5: 0x167F4EF7C1225451EF69DB10D3B16611 SHA-1: 0xE5D356E142ED28AB5A0748CD04BB792C9514192A	Worm.Win32.Ngrbot.hdy [Kaspersky Lab] BackDoor-DOQ.gen.as [McAfee] Mal/EncPk-AAQ [Sophos] Worm:Win32/Dorkbot.A [Microsoft] Worm.Win32.Dorkbot [Ikarus]
19	%Temp%\newmoon17.exe	367,889 bytes	MD5: 0x1CE65C3C14F7F09C08C50FBB6A8C1CC4 SHA-1: 0x46E4FD565736FF96A94F5B762C1F875C32585A1B	Trojan.Win32.FakeAv.irgx [Kaspersky Lab] Generic FakeAlert!tz [McAfee] Mal/Generic-L [Sophos] Trojan.Win32.Buzus [Ikarus]
20	%Temp%\x30811.exe	1,012,224 bytes	MD5: 0x4BC19BC59EC9C4A987079A618CF18C68 SHA-1: 0xC4EC15672E96CEC3411CCE377BFFEAB55BA8C88D	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Generic.tfr!r [McAfee] Trojan:Win32/Orsam!rts [Microsoft] Win32.SuspectCrc [Ikarus]
21	%Temp%\yz.bat	180 bytes	MD5: 0xD6C231471750C153641E292D746814B5 SHA-1: 0x16EC0A913564D18A6D03711415B272FDECC3E867	Trojan.BAT.Miner.i [Kaspersky Lab] Trojan.BAT.Miner [Ikarus]
22	%Programs%\Startup\Demokratska2.exe	418,008 bytes	MD5: 0xCF4C9FA0F9B2AB5CA96C7C2AF8B26C75 SHA-1: 0x6B9F44527B91AD9DAC7AD1D396787496DBE37BEE	(not available)
23	%Programs%\Startup\dxdiag.exe	23,552 bytes	MD5: 0x9EA5BEFAB3FAB1D19D70F8D917463D13 SHA-1: 0xBCABE617AF58EFB8B0E759111044BDBB8F3F6152	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan.Win32.Jorik.Aspxor.y [Kaspersky Lab] Generic Downloader.z [McAfee] Troj/Bredo-IK [Sophos] Trojan.Agent_r [Ikarus]
24	%Programs%\Startup\stepx2.exe	348,530 bytes	MD5: 0x0764BEF5D967DCE3784E18D204BB90E6 SHA-1: 0x896A45B21C554B723503BC5865677733C025FC23	Trojan.ADH [PCTools] Trojan.Gen.2 [Symantec] Trojan.BAT.Miner.i, not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab] Generic.tfr!r [McAfee] Trojan.BAT.Miner [Ikarus]
25	%Programs%\Startup\taskmgr.exe	826,184 bytes	MD5: 0x47CFDF331A80B2028A1B8ACA61BD191B SHA-1: 0xD10BD40A735C6EFBFA4FBFA6C842B4DB5DBA9445	(not available)
26	[file and pathname of the sample #1]	1,903,189 bytes	MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6 SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D	Trojan.Gen.2 [Symantec] Backdoor.Win32.Ruskill.g, Worm.Win32.Ngrbot.hdy, Trojan.Win32.Jorik.Aspxor.y, Trojan.Win32.FakeAv.irgx, Trojan.Win32.FakeAV.dvjc, Worm.Win32.Ngrbot.hel [Kaspersky Lab] Worm.Win32.Dorkbot [Ikarus]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

The following directories were created:

%AppData%\kakao3
%AppData%\PickaVamMaterina2

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
del.exe	%Temp%\del.exe	184,320 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch
HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah
HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh
HKEY_CURRENT_USER\Software\WinRAR SFX

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Scxaxs = "%AppData%\Scxaxs.exe"
Lcxaxl = "%AppData%\Lcxaxl.exe"
Wcxaxw = "%AppData%\Wcxaxw.exe"
Fbxaxf = "%AppData%\Fbxaxf.exe"

so that Wcxaxw.exe runs every time Windows starts

so that Fbxaxf.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah]

wfdijwaopfddvmieihccsyrbpsbqhy = ""

[HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh]

dncirhudbpmysvlqkzovzmfcsemsko = ""

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%Documents and Settings%%UserName%%Application Data%kakao3 = "%AppData%\kakao3"
C%%Documents and Settings%%UserName%%Start Menu%Programs%Startup = "%Programs%\Startup"
C%%Documents and Settings%%UserName%%Application Data%PickaVamMaterina2 = "%AppData%\PickaVamMaterina2"
C%%DOCUME~1%%UserName%%LOCALS~1%Temp = "%UserProfile%\LOCALS~1\Temp"

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
199.15.234.7	80
70.38.98.239	80
92.243.20.57	3212

The data identified by the following URLs was then requested from the remote web server:

http://api.wipmania.com/
http://img105.herosh.com/2011/11/30/745759013.gif

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3212:

00000000 | 1703 0000 1DAB E65A 5272 636E 2145 D536 | .......ZRrcn!E.6
00000010 | DE93 29D5 30B1 C61D 332C 9A67 949A BC7A | ..).0...3,.g...z
00000020 | 9E5B 1703 0000 274F ADFB BF5C 4E3A FB4E | .[....'O...\N:.N
00000030 | D8CC C0CA 0050 D50D 9575 5A23 C707 EC0B | .....P...uZ#....
00000040 | 7581 0719 F6AE 5AD5 F944 AE93 A1AA 1703 | u.....Z..D......
00000050 | 0000 2BD7 208A C1F7 256B F9F6 9CDE A553 | ..+. ...%k.....S
00000060 | 9E96 B39D A07E 1DAD B1C6 97A4 3724 EC7E | .....~......7$.~
00000070 | 3C85 F623 B80B 6153 9522 16E0 3A10 1703 | <..#..aS."..:...
00000080 | 0000 2B17 0300 0021 DA71 8326 C5E8 AA2A | ..+....!.q.&...*
00000090 | 9569 1FB6 841A 28FF 3CFD E0B3 CAED 2701 | .i....(.<.....'.
000000A0 | 1E3B 92FF EAA9 C7EA F58C F1E4 D1DA 5265 | .;............Re
000000B0 | 3174 9F17 0300 002B B706 D784 55DF CA99 | 1t.....+....U...
000000C0 | F14D 26E9 7B04 A824 A720 6035 1958 3851 | .M&.{..$. `5.X8Q
000000D0 | 62B7 EF3D D371 4100 05A9 261E 9405 6B9A | b..=.qA...&...k.
000000E0 | 391E C3A9 1497 5C92 EE8B FF97 4DC9 F64B | 9.....\.....M..K
000000F0 | 0686 843D 1503 0000 12C0 9AF5 9FE9 9F49 | ...=...........I
00000100 | D9E3 B6AD 3696 8DE8 80F7 AA16 0300 0041 | ....6..........A
00000110 | 0100 003D 0300 4ED6 E189 B267 390E FDB0 | ...=..N....g9...
00000120 | F1DE 8842 4A95 84E3 FB81 300E 64F0 39B7 | ...BJ.....0.d.9.
00000130 | A36E 5D63 987C 0000 1600 0400 0500 0A00 | .n]c.|..........
00000140 | 0900 6400 6200 0300 0600 1300 1200 6301 | ..d.b.........c.
00000150 | 0015 0300 0002 0129 1603 0000 8410 0000 | .......)........
00000160 | 807F CF33 A19D 39EE 435D ED5D 92EF 7B8E | ...3..9.C].]..{.
00000170 | 5BCF AB87 2357 E0F2 1505 1282 6EE9 A547 | [...#W......n..G
00000180 | 4E1F 9858 939A 5769 3956 3625 8F42 893B | N..X..Wi9V6%.B.;
00000190 | 1E8B 4CF4 FD81 33EA B29E F34C 60CE 341B | ..L...3....L`.4.
000001A0 | 1C77 896E 6C8B E959 F873 F09A 1E96 DB05 | .w.nl..Y.s......
000001B0 | 9A35 3ABB 0986 976E 5283 1942 1B35 58DC | .5:....nR..B.5X.
000001C0 | 1452 FBA5 76CA FEED 54E9 CD6D 3C4D FA84 | .R..v...T..m<M..
000001D0 | B3F1 6AE7 0CE6 9CA6 DA64 511A C0AE E2EF | ..j......dQ.....
000001E0 | EB14 0300 0001 0116 0300 0038 D6F1 B74A | ...........8...J
000001F0 | 6314 38F3 E899 A02A BF38 5088 2AF8 E066 | c.8....*.8P.*..f
00000200 | 2877 20CA DB84 5C66 E13C 6708 20C9 BD26 | (w ...\f.<g. ..&
00000210 | F737 82A8 5F21 37D8 A7B8 3AF5 7F65 2F82 | .7.._!7...:..e/.
00000220 | D0D9 7802                               | ..x.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.