ThreatExpert Report: Trojan.Gendal

Submission Summary:

Submission details:

Submission received: 5 August 2012, 04:54:38
Processing time: 15 min 46 sec
Submitted sample:

File MD5: 0xE8DE27AB4891896D57D682857B280E2B
File SHA-1: 0x2E9ADB0998B3AE15450CEC758AD951165E9840AE
Filesize: 7,609,832 bytes
Alias: Trojan.Gendal [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\GLog_G.txt %ProgramFiles%\GDownService\GDownServiceInfo.ini	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%DesktopDir%\?Âµ??.lnk	1,514 bytes	MD5: 0x21864D441C0FE591E19F8FB28AE20BDD SHA-1: 0x9C518245271BD480C5C830B767ECC7E7DE9F7881	(not available)
3	%Programs%\?Âµ??\?Âµ?? ????.lnk	1,539 bytes	MD5: 0x4D2DF09EE550D13E11BF74CF20E5DBD4 SHA-1: 0xB10B8C71CA0571C8267D1CA5A5A04E2DD28C98CD	(not available)
4	%Programs%\?Âµ??\?Âµ??.lnk	1,526 bytes	MD5: 0xDE0200213FA7D311F930F0BCFC95D873 SHA-1: 0x25F8857A3D783B9BE8073245C889BC621A8CCB9E	(not available)
5	%ProgramFiles%\GDownService\GDownService.dll	122,368 bytes	MD5: 0x2AF8341B52C9E3E03294856AE4E802B2 SHA-1: 0x27E0E160EC0100AE5C4EFE0DAD477596903A9F28	(not available)
6	%ProgramFiles%\GDownService\GDownService.exe	146,432 bytes	MD5: 0xF5BF4B3568F208B8600955EAEAF78ECD SHA-1: 0x2488C9F00D7860F9D70D46309F9253F5EF66E5B4	(not available)
7	%ProgramFiles%\OnDisk\az7z.dll	668,616 bytes	MD5: 0xC715562DE7F09AF27413EC808EAE3E62 SHA-1: 0xCDF9E826ACB9504762C4FC7368A09B0A1D1A3987	(not available)
8	%ProgramFiles%\OnDisk\AzCDImage.dll	472,336 bytes	MD5: 0x3E0A9329C02E2124BFEEC21BECD40305 SHA-1: 0xA1FAC57420FDAFC0B44273E1765374F7111BADAE	(not available)
9	%ProgramFiles%\OnDisk\AZMain.dll	817,152 bytes	MD5: 0x73BF4ABC41F055E29F8E1918EE5459D6 SHA-1: 0x6A67E2945D0B91ED6437F76EFFA05F2C58CB486A	(not available)
10	%ProgramFiles%\OnDisk\cabinet.dll	59,904 bytes	MD5: 0x08F0190AE201EC331B4CA3B0FA2D2CCE SHA-1: 0xED8834D0BCDCDCCDE014259E95758CE4B8B544CF	(not available)
11	%ProgramFiles%\OnDisk\ip_ver.ini %ProgramFiles%\OnDisk\ip_ver_.ini	2 bytes	MD5: 0x6512BD43D9CAA6E02C990B0A82652DCA SHA-1: 0x17BA0791499DB908433B80F37C5FBC89B870084B	(not available)
12	%ProgramFiles%\OnDisk\MediaInfo.dll	2,785,048 bytes	MD5: 0xFF48926311E1EE992C757B2F77CB5AD1 SHA-1: 0xB05801FCBADE384D11D79D02FFEE06DAAEC47F5F	(not available)
13	%ProgramFiles%\OnDisk\mfc90.dll	3,766,600 bytes	MD5: 0x5963633010616B25503EE126F55E8DE4 SHA-1: 0x1CB2080133AC915863E6988B0F377D46CD91E6D5	(not available)
14	%ProgramFiles%\OnDisk\Microsoft.VC90.CRT.manifest	1,826 bytes	MD5: 0xD1152C2C56A01F4D7CC0141A7375A191 SHA-1: 0xBA4E05C4127FC83CF80956C9CC27A03E4E357639	(not available)
15	%ProgramFiles%\OnDisk\Microsoft.VC90.MFC.manifest	2,323 bytes	MD5: 0x626040DD745EE8128C63E88877F48FB4 SHA-1: 0xDCF8CC87FE1F00DB31664F33C55C8B9951C36251	(not available)
16	%ProgramFiles%\OnDisk\msvcp90.dll	569,680 bytes	MD5: 0x4C39358EBDD2FFCD9132A30E1EC31E16 SHA-1: 0x70AC82988285F9F7069FAA9A0612AEBA7FB001C4	(not available)
17	%ProgramFiles%\OnDisk\msvcr90.dll	653,136 bytes	MD5: 0xCDBE9690CF2B8409FACAD94FAC9479C9 SHA-1: 0x4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9	(not available)
18	%ProgramFiles%\OnDisk\OnDisk.ico	41,994 bytes	MD5: 0x86110388D62AA4D4A747B3632055DEB9 SHA-1: 0xEDF142164D6C9EDC6740F97874ABDBB599CD983E	(not available)
19	%ProgramFiles%\OnDisk\OnDiskDownClient.dll	111,616 bytes	MD5: 0x11E4EB17F16D6D101EB13B0E1554236C SHA-1: 0x0368A660D2EE5F5A3DABD4FB701289E3ED9C0F6E	Trojan.Gendal [Ikarus]
20	%ProgramFiles%\OnDisk\OnDiskGDown.exe	3,022,848 bytes	MD5: 0x749FB1019D3E30DF7754E1AF7C9106AE SHA-1: 0x27D3BC7AB68E19557D1C6CAE66FA1C8BE6F0C0DE	(not available)
21	%ProgramFiles%\OnDisk\OnDiskGDown.exe.manifest	859 bytes	MD5: 0x262430B646585C902A5D9E08565269D6 SHA-1: 0x59154FA7A046A45463494773E10EB0F0143CCBDA	(not available)
22	%ProgramFiles%\OnDisk\OnDiskUp.exe	2,441,728 bytes	MD5: 0x4A35D8030F533174441B7AE3B957D71C SHA-1: 0xA84E5B137B46F22CFB7C6316F58ABEDAAC167A45	(not available)
23	%ProgramFiles%\OnDisk\ongridsvr.dat	1,024 bytes	MD5: 0xFD612C737D8755DE62985D5DD071A71B SHA-1: 0x8794D184557F9749BE499E7F3049F1934F45BDAE	(not available)
24	%ProgramFiles%\OnDisk\sfdcd.dll	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
25	%ProgramFiles%\OnDisk\sfondisk.dll	589,824 bytes	MD5: 0xB42E0517A04428C0C86CED83C37AF5DC SHA-1: 0x056130617E421A054C83387AB8730BE1BF13D871	(not available)
26	%ProgramFiles%\OnDisk\UNACEV2.DLL	77,312 bytes	MD5: 0xDE02C4D04088B69E64ECC30A3D9E22E5 SHA-1: 0xA5F66D420B6A6EBB04242FB85CA462A99DBF89B6	(not available)
27	%ProgramFiles%\OnDisk\UnEGG32.dll	632,832 bytes	MD5: 0xB91FCE89DC6736A9E3A54E63892EF655 SHA-1: 0x962C7ACFA6F282BD77E5BBD565BF85E4D6DC1871	(not available)
28	%ProgramFiles%\OnDisk\Uninstall.exe	91,740 bytes	MD5: 0x928E9C8A7A94F0F0AAD78B65727E8D89 SHA-1: 0x7A72EA671A1FFB7C8D8BE972F8E018FF3FE14014	(not available)
29	%ProgramFiles%\OnDisk\unrar4.dll	162,304 bytes	MD5: 0xC94FE23DB7FE788FC521C3A4E8545A05 SHA-1: 0xA9EDE7241B6B05A02A2C7018119CEB54654032A7	(not available)
30	%ProgramFiles%\OnDisk\ver.ini %ProgramFiles%\OnDisk\_ver.ini	12 bytes	MD5: 0x358F86ED3E8B20FC820C280DB64053B2 SHA-1: 0xB60118C0083E57FD62C20FBE0F529C91C9AC16D3	(not available)
31	%ProgramFiles%\OnDisk\?Âµ??.url	103 bytes	MD5: 0x69C753BFBF05473A054854EF31208765 SHA-1: 0xCE7C607A2832971913D039FB0A09BAC9C7453ACE	(not available)
32	[file and pathname of the sample #1]	7,609,832 bytes	MD5: 0xE8DE27AB4891896D57D682857B280E2B SHA-1: 0x2E9ADB0998B3AE15450CEC758AD951165E9840AE	Trojan.Gendal [Ikarus]

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

The following directories were created:

%Programs%\?Âµ??
%ProgramFiles%\GDownService
%ProgramFiles%\OnDisk

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
gdownservice.exe	%ProgramFiles%\gdownservice\gdownservice.exe	176,128 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	229,376 bytes
SetupHlpr.exe	%Temp%\nsg3.tmp\SetupHlpr.exe	110,592 bytes
ondiskgdown.exe	%ProgramFiles%\ondisk\ondiskgdown.exe	3,043,328 bytes
ondiskup.exe	%ProgramFiles%\ondisk\ondiskup.exe	2,469,888 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
BNDownService	File Download Service	"Running"	%ProgramFiles%\GDownService\GDownService.exe /run BNDownService

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ondisk
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BNDOWNSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BNDOWNSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BNDOWNSERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BNDownService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BNDownService\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BNDownService\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BNDOWNSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BNDOWNSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BNDOWNSERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNDownService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNDownService\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNDownService\Enum
HKEY_USERS\.DEFAULT\Software\BNCP
HKEY_CURRENT_USER\Software\OnDisk

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ondisk]

DisplayName = "?Âµ??"
Publisher = "(??)??????"
DisplayIcon = ""%ProgramFiles%\OnDisk\Ondisk.ico""
UninstallString = ""%ProgramFiles%\OnDisk\uninstall.exe""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BNDOWNSERVICE\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "BNDownService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BNDOWNSERVICE\0000]

Service = "BNDownService"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "File Download Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BNDOWNSERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BNDownService\Enum]

0 = "Root\LEGACY_BNDOWNSERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BNDownService\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BNDownService]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%ProgramFiles%\GDownService\GDownService.exe /run BNDownService"
DisplayName = "File Download Service"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BNDOWNSERVICE\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "BNDownService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BNDOWNSERVICE\0000]

Service = "BNDownService"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "File Download Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BNDOWNSERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNDownService\Enum]

0 = "Root\LEGACY_BNDOWNSERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNDownService\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNDownService]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%ProgramFiles%\GDownService\GDownService.exe /run BNDownService"
DisplayName = "File Download Service"
ObjectName = "LocalSystem"

[HKEY_USERS\.DEFAULT\Software\BNCP]

rPort = 0x0000463F

[HKEY_CURRENT_USER\Software\OnDisk]

rCreateShortcut = 0x00000001
rPathBasic = "%DesktopDir%\"
rDownOverWrite = 0x00000001
rUpOverWrite = 0x00000001
rDwonAddItemPath = 0x00000000
rUpEndAutoClose = 0x00000001
rDownEndAutoClose = 0x00000001
rUpAutoTrans_ = 0x00000001
rUpTransSpeed = 0x00000000
rDownTransSpeed = 0x00000000
rUpExitCheck = 0x00000000
rDownExitCheck = 0x00000000
rDownTransBuffer = 0x00000003
rUpTransBuffer = 0x00000004
rPathLast = "%DesktopDir%\"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Cookies =
History =

Other details

To mark the presence in the system, the following Mutex objects were created:

OnDisk_mutex_down
_!SHMSFTHISTORY!_
OnDisk_mutex_upload

The following Host Names were requested from a host database:

110.45.189.112
110.45.187.102
110.45.187.105

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
110.45.189.112	1034
110.45.187.102	1035
110.45.187.105	1043

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
setup2.ondisk.co.kr	80	(null)	(null)
ondisk.co.kr	80	(null)	(null)

The following GET requests were made:

setup/banner.php?pg_mode=download
setup/help.php?userid=
setup/index.jpg
setup/banner.php?pg_mode=upload

The data identified by the following URLs was then requested from the remote web server:

http://www.ondisk.co.kr/setup/gdown/chkver.dat
localhost
http://www.ondisk.co.kr/setup/gdown/gsvrip.dat
http://setup2.ondisk.co.kr/setup_addition.exe
http://ondisk.co.kr/setup/gdown/threshold.dat
http://download.ondisk.co.kr/checkaps.php
http://download.ondisk.co.kr/checkuaps.php

Downloaded File Summary:

Download details:

Download retrieved: 5 August 2012 05:10:25
Processing time: 9 min 6 sec
Downloaded sample:

File MD5: 0x06A47EC1AA7352DD880720E1DAF48B08
File SHA-1: 0x0CA18B0903D39EDD8DD8615C52BE0310BF04327A
Filesize: 93,064 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Favorites%\?Âµ??.url	103 bytes	MD5: 0x90EA5CB3B5C72B766047032CDACD8902 SHA-1: 0x4830A24838DB61F70D838193EDEE5409911681C7
2	[file and pathname of the sample #1]	93,064 bytes	MD5: 0x06A47EC1AA7352DD880720E1DAF48B08 SHA-1: 0x0CA18B0903D39EDD8DD8615C52BE0310BF04327A

Note:

%Favorites% is a variable that refers to the file system directory that serves as a common repository for the user's favorite items. A typical path is C:\Documents and Settings\[UserName]\Favorites.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	241,664 bytes

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.