ThreatExpert Report: Gen.Trojan, Troj/Agent-KQM, Adware-BHO.gen.g, Mal/BHO-S

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 28 August 2009, 11:36:39
Processing time: 6 min 58 sec
Submitted sample:

File MD5: 0xF74708DA4F2D06C8114B1077F957DC68
File SHA-1: 0x0F88DDE2E1BE82E7C7CC476BFF8EBF9863BB4E71
Filesize: 1,369,630 bytes
Alias: Gen.Trojan [Ikarus]

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\Seekapp\readme.html	5,019 bytes	MD5: 0xF973CD924863345B5E8A3382D18809B9 SHA-1: 0x6A99B669DE7C262686C2DBF2925C42F74D8742D7	packed with Edit [Kaspersky Lab]
2	%Temp%\Seekapp\seekapp.dll	589,824 bytes	MD5: 0xBD5422A6AB1ED411988D352F57FE0386 SHA-1: 0x9BD0F12C0C770EFA1ACC852C81F87A72F64B9E60	(not available)
3	%Temp%\Seekapp\seekapp.exe %Temp%\Seekapp\seekapp132.exe	54,760 bytes	MD5: 0xFBDC2DA56D7794963B74ED95EB0FFA20 SHA-1: 0x8C5161330BADC044CD7BCBE52F5C13E3682FE664	Troj/Agent-KQM [Sophos]
4	%Temp%\Seekapp\seekapp1.dll %Temp%\Seekapp\seekapp2.dll %Temp%\seekapp.dll	577,536 bytes	MD5: 0x6E30895BEE903D90CCF2AE20144A2BA5 SHA-1: 0x8ED15260DABF11910A3D61BF3F22F6DE911F7C77	Adware-BHO.gen.g [McAfee] Mal/BHO-S [Sophos] Gen.Trojan [Ikarus]
5	%Temp%\Seekapp\seekapp149.exe %Temp%\Seekapp\seekappsrch.exe	54,760 bytes	MD5: 0xF8F8B7B76C5C618BEBD0FA60BB1C115B SHA-1: 0x32D913160E3533DC927678D10A081FD52B56F0E3	(not available)
6	%Temp%\Seekapp\uninstall.exe	127,144 bytes	MD5: 0x4D37323BC4F7AB3EAB1D7397BA8FE604 SHA-1: 0xDB06F708D11B12E8625C4620C6BF2FBC7418449E	(not available)
7	%Temp%\seekapp.exe	33,280 bytes	MD5: 0x8358193945474F68A2D498CBED8EB97E SHA-1: 0xA905C9849147628387F6B1D5A7BF88FD5A64F15F	(not available)
8	[file and pathname of the sample #1]	1,369,630 bytes	MD5: 0xF74708DA4F2D06C8114B1077F957DC68 SHA-1: 0x0F88DDE2E1BE82E7C7CC476BFF8EBF9863BB4E71	Gen.Trojan [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%Temp%\Seekapp

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
seekappsrch.exe	%Temp%\seekapp\seekappsrch.exe	49,152 bytes
seekapp.exe	%Temp%\seekapp\seekapp.exe	49,152 bytes
seekapp132.exe	%Temp%\seekapp\seekapp132.exe	49,152 bytes
seekapp149.exe	%Temp%\seekapp\seekapp149.exe	49,152 bytes
[generic host process]	[generic host process filename]	45,056 bytes
Au_.exe	%Temp%\~nsu.tmp\Au_.exe	258,048 bytes
seekapp.exe	%Temp%\seekapp.exe	45,056 bytes
uninstall.exe	%Temp%\Seekapp\uninstall.exe	258,048 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
Seekapp Service	Seekapp Service	"Stopped"	"%CommonAppData%\Seekapp\seekapp132.exe" "seekapp.dll" Service

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Seekapp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKAPP_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seekapp Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seekapp Service\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seekapp Service\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKAPP_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekapp Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekapp Service\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekapp Service\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Seekapp]

Primary = 0x00005733
DllPath = "seekapp.dll"
Version = 0x00010020
Cid = "7ee622bcffd5425b9e5a967fdff085cb"
Partner = "SEEKAPP132"
Src = "rundll32"
Initial = 0x00000001
ShowToolbarButton = 0x00000000
ShowBarSign = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000]

Service = "Seekapp Service"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Seekapp Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKAPP_SERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seekapp Service\Enum]

0 = "Root\LEGACY_SEEKAPP_SERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seekapp Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seekapp Service]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = ""%CommonAppData%\Seekapp\seekapp132.exe" "seekapp.dll" Service"
DisplayName = "Seekapp Service"
ObjectName = "LocalSystem"
Description = "Update and control for Seekapp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000\Control]

*NewlyCreated* = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKAPP_SERVICE\0000]

Service = "Seekapp Service"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Seekapp Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKAPP_SERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekapp Service\Enum]

0 = "Root\LEGACY_SEEKAPP_SERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekapp Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekapp Service]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = ""%CommonAppData%\Seekapp\seekapp132.exe" "seekapp.dll" Service"
DisplayName = "Seekapp Service"
ObjectName = "LocalSystem"
Description = "Update and control for Seekapp"

Other details

To mark the presence in the system, the following Mutex objects were created:

m4gumdmsjm
Global\Internal_Seekappm
1w8k6kftn092t3xm
Seekapp_Uninst_mtx
Global\91auo+#>>&ltm

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.