ThreatExpert Report: Mal/VBDrop-I, Mal/VBInject-D, Troj/Banker-EWZ, Win32.SuspectCrc

Submission Summary:

Submission details:

Submission received: 6 April 2010, 16:40:51
Processing time: 7 min 28 sec
Submitted sample:

File MD5: 0xF48E7073F2BB68C060E977FF4B537C10
File SHA-1: 0x9608380688F042414D12AD33381D38E93A776F92
Filesize: 61,467 bytes
Packer info: packed with: PE_Patch [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\[filename of the sample #1 without extension].bat	140 bytes	MD5: 0x8B77378506A0C6D1B7E3957F29E70527 SHA-1: 0xE124482FCE298DE18B14AA90C202150D01B03610	(not available)
2	[file and pathname of the sample #1]	61,467 bytes	MD5: 0xF48E7073F2BB68C060E977FF4B537C10 SHA-1: 0x9608380688F042414D12AD33381D38E93A776F92	packed with PE_Patch [Kaspersky Lab]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	90,112 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Other details

Analysis of the file resources indicate the following possible country of origin:

Spain

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://www.noiteflash.com/plugins/system/jwupf/cannabis.jpg	%ProgramFiles%\Common Files\conta.exe
http://www.noiteflash.com/plugins/system/jwupf/acannabis.jpg	%ProgramFiles%\Common Files\wrt.exe
http://www.noiteflash.com/plugins/system/jwupf/NissanModule.dll	%ProgramFiles%\Common Files\nsafrt32.dll

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Downloaded File Summary:

Download details:

Download retrieved: 6 April 2010 16:48:19
Processing time: 7 min 29 sec
Downloaded sample #1:

File MD5: 0x2B21E120937F43F20F7F4CFA152B3F65
File SHA-1: 0x1C277DACC80BF8CFB8DF7B5F5F66E9E5FDAEDE44
Filesize: 1,593,856 bytes

Downloaded sample #2:

File MD5: 0x653815C1C217E096F5A21E582CAFF5DD
File SHA-1: 0x1E75B594AD83F8875312BD3D5AE5022BEF56DC8B
Filesize: 1,213,467 bytes
Packer info: packed with: PE_Patch [Kaspersky Lab]

Downloaded sample #3:

File MD5: 0x23B64C82B636868922D66A7D293A3CFD
File SHA-1: 0xDA0FF41C600838CBA178B57C8337D08BFD690A25
Filesize: 876,544 bytes
Alias: Mal/VBDrop-I, Mal/VBInject-D [Sophos]

Summary of the findings:

What's been found	Severity Level
Hosts file modification that may block access to the security web sites.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\nsafrt.dll	756,224 bytes	MD5: 0x5B0426AE59A9E5DC73E5B277AD874361 SHA-1: 0xD1489C619E0D7FAD5AF4CD0305D0901E23651017	Troj/Banker-EWZ [Sophos] Win32.SuspectCrc [Ikarus]
2	%ProgramFiles%\Common Files\safemode	552 bytes	MD5: 0xF847207DF0B2E5228D8F122FB5DBDA3F SHA-1: 0x9E9FD581D494D56F1AFDE998CD33738601EA8F29	(not available)
3	[file and pathname of the sample #1]	1,593,856 bytes	MD5: 0x2B21E120937F43F20F7F4CFA152B3F65 SHA-1: 0x1C277DACC80BF8CFB8DF7B5F5F66E9E5FDAEDE44	(not available)
4	%System%\[filename of the sample #2 without extension].bat	140 bytes	MD5: 0xF103BF428A0C3F6A8815157D610283A7 SHA-1: 0x378A6C0DFCB64A9F7432959C198103A41C7A9C54	(not available)
5	[file and pathname of the sample #2]	1,213,467 bytes	MD5: 0x653815C1C217E096F5A21E582CAFF5DD SHA-1: 0x1E75B594AD83F8875312BD3D5AE5022BEF56DC8B	packed with PE_Patch [Kaspersky Lab]
6	[file and pathname of the sample #3]	876,544 bytes	MD5: 0x23B64C82B636868922D66A7D293A3CFD SHA-1: 0xDA0FF41C600838CBA178B57C8337D08BFD690A25	Mal/VBDrop-I, Mal/VBInject-D [Sophos]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was modified:

%System%\drivers\etc\hosts

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,622,016 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	1,224,704 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	880,640 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\full

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

winFile = "%ProgramFiles%\Common Files\system32\winFile.exe"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Brazil
	Spain

The HOSTS file was updated with the following URL-to-IP mappings:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# Este ï¿½ um exemplo do arquivo HOSTS utilizado pela Microsoft TCP/IP
# para o Windows.
# Este arquivo contï¿½m  os endereï¿½os IP no nome dos hï¿½spedes.
# Cada entrada deve ser feita  em uma linha em branco. O endereï¿½o IP deve ser colocado
# na primeira coluna, seguido pelo nome do hï¿½spede correspondente. O endereï¿½o
# IP e o nome do hï¿½spede devem ficar separados por, pelo menos, um espaï¿½o.
# Alï¿½m disso, os comentï¿½rios (como este) podem ser inseridos em
# linhas em branco ou depois do nome do computador. Eles sï¿½o indicados pelo
# sï¿½mbolo #.
# Por exemplo :
#      102.54.94.97     rhino.acme.com          # servidor de origem
#       38.25.63.10     x.acme.com              # hï¿½spede cliente x
213.175.197.210     www.itau.com.br
127.0.0.1     localhost
213.175.197.210     www.itaupersonnalite.com.br
213.175.197.210     itau.com.br
213.175.197.210     itaupersonnalite.com.br
213.175.197.210     www.bancoreal.com.br
213.175.197.210     www.real.com.br
213.175.197.210     bancoreal.com.br
213.175.197.210     real.com.br
213.175.197.210     www.banrisul.com.br
213.175.197.210     banrisul.com.br
213.175.197.210     www.bradesco.com.br
213.175.197.210     www.bradescoprime.com.br
213.175.197.210     www.prime.com.br
213.175.197.210     bradesco.com.br
213.175.197.210     bradescoprime.com.br
213.175.197.210     prime.com.br
213.175.197.210     www.santander.com.br
213.175.197.210     www.banespa.com.br
213.175.197.210     www.santanderbanespa.com.br
213.175.197.210     santander.com.br
213.175.197.210     banespa.com.br
213.175.197.210     santanderbanespa.com.br
213.175.197.210     www.americanexpress.com.br
213.175.197.210     americanexpress.com.br
213.175.197.210     www.americanexpress.com
213.175.197.210     americanexpress.com
213.175.197.210     www.cef.com.br
213.175.197.210     www.caixa.com.br
213.175.197.210     www.caixa.gov.br
213.175.197.210     www.caixa.com
213.175.197.210     www.caixaeconomicafederal.com.br
213.175.197.210     www.caixaeconomicafederal.gov.br
213.175.197.210     cef.com.br
213.175.197.210     caixa.com.br
213.175.197.210     caixa.gov.br
213.175.197.210     caixa.com
213.175.197.210     caixaeconomicafederal.com.br
213.175.197.210     caixaeconomicafederal.gov.br
213.175.197.210    www4.itau.com.br
213.175.197.210    www4.bancoreal.com.br
213.175.197.210    www4.banrisul.com.br
213.175.197.210    www4.bradesco.com.br
213.175.197.210    www4.santander.com.br
213.175.197.210    www4.americanexpress.com.br
213.175.197.210    www4.caixa.gov.br

The following Host Name was requested from a host database:

www.aabbcomunidade.com.br

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.