ThreatExpert Report: W32.Ackantta!gen, P2P-Worm.Win32.BlackControl.d, BackDoor-DOQ, Mal/CryptBox-A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 5 November 2012, 02:48:30
Processing time: 7 min 8 sec
Submitted sample:

File MD5: 0xF5EBD99DB047D73A3C0E8B31B9E9BFC9
File SHA-1: 0x3A1AC775A2CA451F28E81563FCD38DFA4F28F8A2
Filesize: 460,296 bytes
Alias:

W32.Ackantta!gen [Symantec]
P2P-Worm.Win32.BlackControl.d [Kaspersky Lab]
BackDoor-DOQ [McAfee]
Mal/CryptBox-A, Mal/CryptBox-A [Sophos]
P2P-Worm.Win32.BlackControl [Ikarus]
Win32/Blackcontrol.worm.460296 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Communication with a remote SMTP server and sending out email.
Mass-mailer that sends out email to the email addresses harvested from the local computer.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
HPWuSchd8.exe	%System%\hpwuschd8.exe	475,136 bytes
lsass.exe	%AppData%\systemproc\lsass.exe	249,856 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	475,136 bytes
hp-4270.exe	%System%\hp-4270.exe	249,856 bytes
IEXPLORE.EXE	%ProgramFiles%\Internet Explorer\IEXPLORE.EXE	102,400 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Attention! The following processes were intentionally hidden from the user:

Process Name	Main Module Size
HPWuSchd8.exe	380,928 bytes
[filename of the sample #1]	380,928 bytes
HPWuSchd8.exe	380,928 bytes

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ERSvc	Error Reporting Service	"Stopped"	%System%\svchost.exe -k netsvcs
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\HP8
HKEY_CURRENT_USER\Software\HP8

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

UACDisableNotify = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

EnableLUA = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

RTHDBPL = "%AppData%\SystemProc\lsass.exe"

[HKEY_CURRENT_USER\Identities]

Curr version = "25"
Last Date = "5-11-2012"
Inst Date = "5-11-2012"
Popup count = "0"
Popup time = "0"
Popup date = "0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

HP Software Updater8 = "%System%\HPWuSchd8.exe"

so that %System%\HPWuSchd8.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex objects were created:

HPWuSchd8.exeDm28sf0V@XK$NX8hOu
SERPv2
_SHuassist.mtx

The following ports were open in the system:

Port	Protocol	Process
1074	TCP	HPWuSchd8.exe (%System%\HPWuSchd8.exe)
1080	TCP	HPWuSchd8.exe (%System%\HPWuSchd8.exe)
1081	TCP	HPWuSchd8.exe (%System%\HPWuSchd8.exe)
1082	TCP	HPWuSchd8.exe (%System%\HPWuSchd8.exe)

The following Host Names were requested from a host database:

www.whatismyip.com
mail.[user's domain]
[user's email address]
mx.[user's domain]
smtp.domain.com
smtp.[user's domain]
192.5.5.241
206.137.17.89
gto.net.om
microsoft.at
lebanon-online.com.lb
msdirectservices.com

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
a2.twimg.com	80	(null)	(null)
a1.twimg.com	80	(null)	(null)

The following GET requests were made:

a/1260393960/stylesheets/front.css?1260568804
a/1260393960/images/logo.png

The following HTTP URL was started reading:

http://whatismyip.com/automation/n09230945.asp

The data identified by the following URL was then requested from the remote web server:

http://controllqz.com/inst.php?aid=blackout

Generated SMTP traffic

Email Senders:

order-update@amazon.com
invitations@hi5.com
resume-thanks@google.com
update@facebookmail.com
e-cards@hallmark.com
invitations@twitter.com

Email Recipients:

mts@lebanon-online.com.lb
austria@msdirectservices.com
mswsgulf@microsoft.com
[user's email address]
msdn@microsoft.com
mspss@gto.net.om
infoservice@microsoft.at

Email Subjects:

Shipping update for your Amazon.com order
Laura would like to be your friend on hi5!
Thank you from Google!
You have got a new message on Facebook!
You have received A Hallmark E-Card!
Your friend invited you to Twitter!

Email Attachments:

Shipping documents.zip (520,659 bytes)
Invitation Card.zip (520,659 bytes)
CV-20100120-112.zip (520,659 bytes)
Facebook message.zip (520,659 bytes)
Postcard.zip (520,659 bytes)

Email Body:

Amazon.com Shipping update for your Amazon.com order 716-58716-2681 ‏ Please check the attachment and confirm your shipping details.

hi5 | Your Friends. Your World. #troubleloggingin{padding:0px 0px 20px 0px;font-size:25px;color:#369;font-weight:bold;margin:0;} .hi5-object-map{display:none;}.hi5-form,.hi5-form*,.hi5-auto-complete,.hi5-auto-complete*{margin:0;padding:0;}br.clear{line-height:0;height:0;clear:both;}div#video-pocket{position:absolute;top:0;left:-999px;}form.hi5-form{width:250px;float:left;margin:5px auto 5px auto;font-size:14px;position:relative;} ..hi5-form div.hi5-form-element{display:block;float:left;clear:left;width:100%;margin:6px 0;padding:0;position:relative;}.hi5-form div.hi5-form-element{z-index:1;}.hi5-form div.hi5-form-element label{display:block;float:left;width:100%;margin:0 0 2px 0;}.hi5-form input.text,.hi5-form textarea.hi5-text-input{border:1px solid #2e2e2e;}.hi5-form input.hi5-text-input,.hi5-form input.hi5-auto-input,.hi5-form textarea.hi5-text-input{padding:5px 3px 2px 3px;border:1px solid #2e2e2e;font-family:Helvetica,Arial,sans-serif;font-size:14px;width:250px;}.hi5-form textarea.hi5-text-input{overflow:auto;}div.hi5-auto-complete{display:block;float:left;clear:left;width:100%;margin:6px 0;padding:0;position:relative;z-index:999;}.hi5-auto-complete label{display:block;float:left;width:100%;margin:0 0 2px 0;}.hi5-auto-complete .hi5-halo{position:relative;padding:4px 3px;top:-4px;left:-3px;} ..hi5-auto-complete input.hi5-auto-input{background:aliceblue;}.hi5-auto-complete div.hi5-auto-meta{position:relative;display:none;width:auto;float:left;clear:left;}.hi5-auto-complete div.hi5-auto-data{width:99%;position:absolute;top:-1px;left:0;z-index:1;overflow:hidden;}.hi5-auto-complete .hi5-dropdown{width:100%;overflow:auto;position:relative;top:0;left:1px;}.hi5-auto-complete div.hi5-auto-data .hi5-backdrop{position:absolute;top:0;left:0;height:100%;width:100%;background:aliceblue;opacity:.97;filter:alpha(opacity=97);border:1px solid #888;}*html .hi5-auto-complete div.hi5-auto-data .hi5-backdrop{height:9999px;}.hi5-auto-complete div.hi5-auto-data .hi5-content{position:relative;z-index:1;width:97%;}.hi5-auto-complete .hi5-auto-data ul{list-style-type:none;position:relative;border-bottom:1px solid #888;}.hi5-auto-complete .hi5-auto-data ul li{line-height:20px;border-bottom:1px solid #ccc;} ..hi5-auto-complete div.hi5-auto-data span.data-source{display:none;}.hi5-auto-complete div.hi5-auto-data div.hi5-content li{position:relative;}.hi5-auto-complete div.hi5-auto-data div.hi5-content a{display:block;padding:0 5px;color:#333;text-decoration:none;}.hi5-auto-complete div.hi5-auto-data div.hi5-content a:hover,.hi5-auto-complete div.hi5-auto-data div.hi5-content a.selected{background:#0283ac!important;color:#efefef!important;cursor:pointer;cursor:hand;}.hi5-auto-complete .highlight{color:royalblue;}.hi5-auto-complete div.hi5-auto-data div.hi5-content a:hover .highlight,.hi5-auto-complete div.hi5-auto-data div.hi5-content a.selected .highlight{color:#fea616;color:#fff;} Join Log in HelpBalance: 0 Coins mobile alerts Click to Select Languagehi5 HomeHome My Profile Friends Photos Messages Games Groups Applications No applications installed Add Applications…165Searchtruetruetruefalse advanced TitlebodyYes No Meet new people and keep up with friends on hi5.Laura would like to be your friend on hi5! I set up a hi5 profile and I want to add you as a friend so we can share pictures and starjt building our network. First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends. #footer*{color:#cccccc!important;}#footer a{color:#085098!important;} About Us Blog Advertising Jobs People Privacy Policy | Terms of Service | Online Safety© 2003-2009 hi5 Networks

Gmail - Thank you from Google!body,td{font-family:arial,sans-serif;font-size:80%}a:link,a:active,a:visited{color:#0000CC}img{border:0}pre{white-space:pre;white-space:-moz-pre-wrap;white-space:-o-pre-wrap;white-space:pre-wrap;word-wrap:break-word;width:800px;overflow:auto;}We just received your resume and would like to thank you for your interest in working at Google. This email confirms that your application has been submitted for an open position. Our staffing team will carefully assess your qualifications for the role(s) you selected and others that may be a fit. Should there be a suitable match, we will be sure to get in touch with you. Click on the attached file to review your submitted application. Have fun and thanks again for applying to Google! Google Staffing

Facebookfacebook Hi,You have got a personal message on Facebook from your friend.To read it please check the attachment.Thanks, The Facebook Team

You have received A Hallmark E-Card. Hello!You have received a Hallmark E-Card from your friend.To see it, check the attachment. There's something special about that E-Card feeling. We invite you to make a friend's day and send one.Hope to see you soon,Your friends at Hallmark Hallmark.com | Privacy & Security | Customer Service | Store Locator

Amazon.com Shipping update for your Amazon.com order 463-19610-9937 ‏ Please check the attachment and confirm your shipping details.

TwitterNew to Twitter?Sign up nowHave an account? Sign inYour friend invited you to twitter! Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:What are you doing?To join or to see who invited you, check the attachment.

For example, the generated email message may look similar to the one shown below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.