Submission Summary:

• Submission details:
• Submission received: 20 October 2009, 18:35:19
• Processing time: 5 min 12 sec
• Submitted sample:
• File MD5: 0xEF4B41312E2AC37124B288F8007504A4
• File SHA-1: 0xC36D0BD3B8C084BC519338B39E634EFEEEA5E134
• Filesize: 102,829 bytes
• Alias: Trojan.Win32.Buzus.cilz [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\699c4b9cdebca7aaea5193cae8a50098_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	50 bytes	MD5: 0x5B63D4DD8C04C88C0E30E494EC6A609A SHA-1: 0x884D5A8BDC25FE794DC22EF9518009DCF0069D09	(not available)
2	%Temp%\eraseme_80608.exe %Windir%\conmsyrtl.exe	237,814 bytes	MD5: 0x6960CD76C7AD98BDBF2D894CE6475953 SHA-1: 0x19099C71455402303535332725D384822BF82844	(not available)
3	%Windir%\ahomep.exe	200,950 bytes	MD5: 0x03690CC9465708C4127F9A4E1855B99A SHA-1: 0x38D6CFF852B5405BF79FCD70CC332855B2599081	(not available)
4	[file and pathname of the sample #1]	102,829 bytes	MD5: 0xEF4B41312E2AC37124B288F8007504A4 SHA-1: 0xC36D0BD3B8C084BC519338B39E634EFEEEA5E134	Trojan.Win32.Buzus.cilz [Kaspersky Lab]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
conmsyrtl.exe	%Windir%\conmsyrtl.exe	335,872 bytes
ahomep.exe	%Windir%\ahomep.exe	20,480 bytes
eraseme_80608.exe	%Temp%\eraseme_80608.exe	335,872 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
• HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Sistema de Comm = "conmsyrtl.exe"

so that conmsyrtl.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
• Sistema de Comm = "conmsyrtl.exe"

so that conmsyrtl.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
• HomePage = 0x00000001

• The following Registry Value was modified:
• [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
• Start Page =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Spain

• The following ports were open in the system:

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://musics.ignorelist.com/music/canal-delawich.exe
• http://musics.ignorelist.com/music/iniciodelawich.exe

Outbound traffic (potentially malicious)

• Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

• There was an outbound traffic produced on port 6567: