ThreatExpert Report: Trojan.VB, Downloader, Backdoor:Win32/Refpron.gen!C

Submission Summary:

Submission details:

Submission received: 27 May 2009, 18:06:51
Processing time: 6 min 24 sec
Submitted sample:

File MD5: 0xFD5C7C4623E7B4F314514D978C885EDB
File SHA-1: 0x54E02496A29E3BAFFCCCE7143B784EA8219521DD
Filesize: 223,178 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Downloader.Adpclient	Trojan-Downloader.Adpclient on execution can download and execute additional malware onto a users computer without their knowledge.

Attention! The following threat category was identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\mpj83997.dll %Temp%\x1c33841.dll	612,352 bytes	MD5: 0x3F795D6FB4050C93CBBD0FF699A2635A SHA-1: 0xD6F6FF1E3809C980CA78710E842AC3F1C1697E92	(not available)
2	%System%\comsa32.sys	8 bytes	MD5: 0xCEE3959C5E3B0602BB7B181607F52CFD SHA-1: 0x793474642CB50B42320C47B7236AD70994B54660	(not available)
3	%System%\dpcxool64.sys	36,864 bytes	MD5: 0x0BDDDCEB4A3491EE15DE11BAF72F5C29 SHA-1: 0x1F4FD5F8A1DE2D1355AF295C56FD739F7EA0084D	Trojan.VB [Ikarus]
4	[file and pathname of the sample #1]	223,178 bytes	MD5: 0xFD5C7C4623E7B4F314514D978C885EDB SHA-1: 0x54E02496A29E3BAFFCCCE7143B784EA8219521DD	Trojan.VB [Ikarus]
5	%System%\sopidkc.exe	124,928 bytes	MD5: 0x2490D0E13DE4670E71C1F9AE13B60758 SHA-1: 0x2E547F360E4E8F14455A1AC246DB300B70D55666	Downloader [Symantec] Backdoor:Win32/Refpron.gen!C [Microsoft]
6	%System%\tpsaxyd.exe	158,720 bytes	MD5: 0xC439338C53E26CBA13AB9F0FECD9CAD5 SHA-1: 0xBBE2FA7E2B997D602D4AFC2D125FB11C8FA59945	Backdoor:Win32/Refpron.gen!C [Microsoft]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
tpsaxyd.exe	%System%\tpsaxyd.exe	184,320 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	155,648 bytes
sopidkc.exe	%System%\sopidkc.exe	147,456 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR SFX

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%WINDOWS%system32% = "%System%\"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

uxa3ct4h
_SHuassist.mtx

The following Host Names were requested from a host database:

bfkq.com
74.54.201.210
174.133.72.250
jsactivity.com
74.55.37.210
174.133.126.2

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
bfkq.com	8392

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8392:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.