Submission Summary:

What's been found | Severity Level
Capability to block security-related software by modifying firewall settings and by disabling security services such as Windows Update, Norton Auto-Protect, Kaspersky Anti-Virus, etc. (in this run the Windows Firewall/ICS, Security Center and Application Layer Gateway services were stopped; see the service status table below). | (not available)
Sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected whenever they access the share. | (not available)
Produces outbound traffic. | (not available)
Downloads/requests other files from the Internet. | (not available)
Creates a startup registry entry. | (not available)
Some system executable files were modified, which may indicate the presence of a PE-file infector. | (not available)
Contains characteristics of an identified security risk. | (not available)
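
The autorun.inf propagation described above can be triaged without executing anything. The Python below is an added example, not part of the ThreatExpert report: it parses an autorun.inf body the way Windows does (leniently), extracts every directive that launches a program, and separates a plain "open=" installer from the worm pattern of overriding Explorer's own Open/Explore verbs. The report lists the 55-byte autorun.inf but not its contents, so both sample bodies here are constructed, and the verdict labels are the example's own.

```python
import configparser
import re

# Constructed sample autorun.inf (hypothetical: the report does not reproduce the real
# file). Worm-written files typically point every Explorer action at a dropped
# executable that sits next to the .inf in the drive root.
SAMPLE_AUTORUN = """\
[AutoRun]
;junk lines are common in worm-written files and are ignored by Windows
open=g6jk.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=g6jk.exe
shell\\explore\\Command=g6jk.exe
shellexecute=g6jk.exe
"""

# Constructed benign counterpart: what an installer CD usually ships.
BENIGN_CD_AUTORUN = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

EXEC_KEYS = ("open", "shellexecute")                 # run on AutoRun/AutoPlay
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")    # shell\<verb>\command overrides
INI_LINE = re.compile(r"^\s*\[.*\]\s*$|=")            # section header or key=value

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys, or {} if inert.

    Windows is lenient with this format, so be lenient too: drop lines that are
    neither a section header nor key=value, accept any [autorun*] header, ignore
    key case and let a repeated key overwrite the earlier one.
    """
    lines = [ln for ln in text.splitlines() if INI_LINE.search(ln)]
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=(";", "#"))
    cp.optionxform = str.lower
    try:
        cp.read_string("\n".join(lines))
    except configparser.Error:        # no [autorun] header: Windows ignores the file
        return {}
    for section in cp.sections():
        if section.lower().startswith("autorun"):
            return dict(cp.items(section))
    return {}

def launch_targets(entries):
    """Map each key that executes something to the program it names."""
    targets = {}
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            value = value.strip()
            if value:
                # First token is the program; it may be quoted and may carry arguments.
                targets[key] = value.split()[0].strip('"')
    return targets

def assess(text):
    """Classify an autorun.inf body. Returns (verdict, findings)."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []
    autorun_progs = sorted({p for k, p in targets.items() if k in EXEC_KEYS})
    if autorun_progs:
        findings.append("runs on AutoRun/AutoPlay: " + ", ".join(autorun_progs))
    hijacked = sorted(k for k in targets if SHELL_CMD.match(k))
    if hijacked:
        # Overriding Explorer's Open/Explore verbs makes a plain double-click on the drive
        # run the payload, on Windows versions that still honour autorun.inf for
        # non-optical media, even where AutoRun itself is disabled. Installers never need this.
        findings.append("overrides Explorer verbs: " + ", ".join(hijacked))
    verdict = "worm-like" if hijacked else ("executes" if autorun_progs else "inert")
    return verdict, findings

if __name__ == "__main__":
    for body in (SAMPLE_AUTORUN, BENIGN_CD_AUTORUN):
        print(assess(body))
```

The parser keeps the text form; real autorun.inf files on infected media are sometimes written as UTF-16 or padded with binary junk, so decode with errors="ignore" before calling parse_autorun, and treat any file that still yields launch targets on a removable or network share as hostile regardless of the verdict label.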

Technical Details:

Possible Security Risk

Threat Category | Description
(not available) | A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
(not available) | A malicious trojan horse or bot that may pose a security risk to the compromised system and/or its network environment

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 c:\autorun.inf 55 bytes MD5: 0x24DE82EECA31C110970F9FE7EE760729
SHA-1: 0x9DEE53BD350C1AF8508AADF42C57D27E9AAA213C
Trojan.Win32.AutoRun.ama [Kaspersky Lab]
Troj/Taterf-D [Sophos]
2 %AppData%\3rs6qt3a.exe 28,160 bytes MD5: 0x0AEBF47E013A8219D0530C28DB20AFD3
SHA-1: 0x98445AB42595EE55B8FF757C05479FE1D4638558
W32.Virut.CF [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Virut.n.gen [McAfee]
W32/Scribble-B [Sophos]
Virus:Win32/Virut.BN [Microsoft]
Backdoor.Win32.VB [Ikarus]
Win32/Virut.F [AhnLab]
3 %AppData%\MouseDriver.bat 109 bytes MD5: 0x0A2049724DEC1945260B6784E0409F13
SHA-1: 0x649CC77116FD9E7B3D5FE8A2260BEABA5EA6B0B2
Generic BackDoor.se!bat [McAfee]
Troj/Runstub-A [Sophos]
4 %AppData%\osjk8s.exe 59,392 bytes MD5: 0x81A056D6CFEAA4D3FC99542D1A04C3F2
SHA-1: 0x52897620AB36100581DC2C6C3ECB34FEA403F286
W32.Virut.CF [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Virut.n.gen [McAfee]
W32/Scribble-B [Sophos]
Virus:Win32/Virut.BN [Microsoft]
Backdoor.Win32.VB [Ikarus]
Win32/Virut.F [AhnLab]
5 %AppData%\osjk8s.log 1,282 bytes MD5: 0x13C5B0170B1D88F1CCD545ADED70B772
SHA-1: 0x2CF188A9E0E5B11D93D8E576A4948B7F271EA439
(not available)
6 %AppData%\Plug.bat 110 bytes MD5: 0xDAF7BC42E7DF29FD6E3A3F8E60FFB40D
SHA-1: 0x0195BF60C9281A7862083130C1EEF38D79B0E4DF
Generic BackDoor.se!bat [McAfee]
Troj/Runstub-A [Sophos]
7 %AppData%\svchost.exe 138,752 bytes MD5: 0xC1451E42C4577F07FB64DEA9F51B2980
SHA-1: 0x16B33044E5F1ACA4849C3B857C5AC83F47358EEE
Generic PWS.yw [McAfee]
TrojanSpy:Win32/VB.BZ [Microsoft]
Trojan.Win32.VB [Ikarus]
8 %Temp%\dsoqq.exe
c:\g6jk.exe
[file and pathname of the sample #1]
141,312 bytes MD5: 0xFE9985A8D0F72249F22E35877DF0A24C
SHA-1: 0xA2D89196336B11838AAE2CB9AF2DC7F0450EE595
W32.Virut.CF [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Virut.n.gen [McAfee]
W32/Scribble-B [Sophos]
Virus:Win32/Virut.BN [Microsoft]
Trojan-GameThief.Win32.Taworm [Ikarus]
Win32/Virut.F [AhnLab]
9 %Temp%\dsoqq0.dll
%Temp%\dsoqq1.dll
%Temp%\dsoqq2.dll
76,800 bytes MD5: 0xAD5F4C488CC281EAA40585C77DDEF4DE
SHA-1: 0x298EC9F6F46BC7D7A895026CEDFFE0EC92E38419
W32.Gammima.AG [Symantec]
Trojan-GameThief.Win32.Magania.dlnb [Kaspersky Lab]
Generic PWS.ak [McAfee]
Mal/Taterf-B [Sophos]
Trojan-GameThief.Win32.Magania [Ikarus]
Win-Trojan/Onlinegamehack.76800.AD [AhnLab]
10 %System%\nwcwks.dll 8,192 bytes MD5: 0x560F8147E9BB5A728D8715120D2F7E7F
SHA-1: 0xBBE08F172EAE8F6E49A6E1B8BB121816C326F8E3
Trojan.Gen [Symantec]
Trojan.Win32.Inject.bgkf [Kaspersky Lab]
Generic BackDoor.s [McAfee]
Troj/Inject-OJ [Sophos]
Trojan:Win32/Orsam!rts [Microsoft]
Trojan.Win32.Inject [Ikarus]
11 %Windir%\Temp\datafile1 784 bytes MD5: 0xA77117B1555519ED69D7F899A8BD449E
SHA-1: 0xF7D3FF33ACA3B22742147E17154B1E7958774350
(not available)

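
The file table above can be turned into machine-usable indicators. The Python below is an added example, not part of the ThreatExpert report: it parses two rows copied from the table (entries 1 and 8) in the flattened form shown on the page, strips the 0x prefix the report puts in front of every hash, and scans a directory tree for files whose size and MD5 or SHA-1 match. The parsing rules, the Ioc record type and the demo() self-check on a constructed file are assumptions of the example.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Two rows copied from the File System Modifications table above (entries 1 and 8),
# in the flattened form the page shows: a numbered first line, optional extra
# filename lines, a "<size> bytes MD5: 0x..." line, a "SHA-1: 0x..." line, then
# one "name [vendor]" alias line per AV engine.
SAMPLE_ROWS = r"""
1 c:\autorun.inf 55 bytes MD5: 0x24DE82EECA31C110970F9FE7EE760729
SHA-1: 0x9DEE53BD350C1AF8508AADF42C57D27E9AAA213C
Trojan.Win32.AutoRun.ama [Kaspersky Lab]
Troj/Taterf-D [Sophos]
8 %Temp%\dsoqq.exe
c:\g6jk.exe
[file and pathname of the sample #1]
141,312 bytes MD5: 0xFE9985A8D0F72249F22E35877DF0A24C
SHA-1: 0xA2D89196336B11838AAE2CB9AF2DC7F0450EE595
W32.Virut.CF [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
"""

ROW_START = re.compile(r"^(\d+) (?!bytes )(.*)$")      # "8 %Temp%\dsoqq.exe", not "784 bytes ..."
SIZE_MD5 = re.compile(r"^(?:(?P<path>.+?) )?(?P<size>\d{1,3}(?:,\d{3})*) bytes MD5: 0x(?P<md5>[0-9A-Fa-f]{32})$")
SHA1 = re.compile(r"^SHA-1: 0x(?P<sha1>[0-9A-Fa-f]{40})$")
ALIAS = re.compile(r"^(?P<name>[^\[\]]+?) \[(?P<vendor>[^\]]+)\]$")

@dataclass
class Ioc:
    index: int
    paths: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    size: int = 0
    md5: str = ""
    sha1: str = ""
    aliases: list = field(default_factory=list)   # (vendor, detection name)

def parse_file_table(text):
    """Turn the flattened rows into Ioc records. Hashes are normalised to lowercase
    hex without the report's 0x prefix, which most IOC tooling will not accept."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = ROW_START.match(line)
        if start:
            records.append(Ioc(index=int(start.group(1))))
            line = start.group(2)
        if not records:
            raise ValueError("row data before the first numbered row: " + line)
        rec = records[-1]
        if (m := SIZE_MD5.match(line)):
            if m.group("path"):
                rec.paths.append(m.group("path"))
            rec.size = int(m.group("size").replace(",", ""))
            rec.md5 = m.group("md5").lower()
        elif (m := SHA1.match(line)):
            rec.sha1 = m.group("sha1").lower()
        elif (m := ALIAS.match(line)):
            rec.aliases.append((m.group("vendor"), m.group("name")))
        elif line.startswith("[") or line == "(not available)":
            rec.notes.append(line)                    # report annotations, not filenames
        else:
            rec.paths.append(line)                    # continuation filename line
    return records

def hash_file(path):
    """MD5 and SHA-1 of a file in one pass (the report supplies both)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def scan_tree(root, records):
    """Return [(path, Ioc)] for files under root whose size and MD5 or SHA-1 match.
    Size is compared first so that almost nothing on a clean host gets hashed."""
    by_size = {}
    for rec in records:
        by_size.setdefault(rec.size, []).append(rec)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            candidates = by_size.get(os.path.getsize(full))
            if not candidates:
                continue
            md5, sha1 = hash_file(full)
            hits.extend((full, rec) for rec in candidates if md5 == rec.md5 or sha1 == rec.sha1)
    return hits

def demo():
    """Self-check on a constructed file (no real samples involved): a record built from
    the file's own hashes must hit, the report's records must not."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = b"constructed-not-malware"
        with open(os.path.join(tmp, "g6jk.exe"), "wb") as fh:
            fh.write(payload)
        known = Ioc(index=0, paths=["g6jk.exe"], size=len(payload),
                    md5=hashlib.md5(payload).hexdigest(), sha1=hashlib.sha1(payload).hexdigest())
        return [rec.index for _, rec in scan_tree(tmp, [known] + parse_file_table(SAMPLE_ROWS))]

if __name__ == "__main__":
    for rec in parse_file_table(SAMPLE_ROWS):
        print(rec.index, rec.paths, rec.size, rec.md5, [v for v, _ in rec.aliases])
    print("demo hits:", demo())
```

Keep in mind what these hashes can and cannot tell you. Virut is a polymorphic file infector, so the MD5/SHA-1 values identify the dropped copies from this run only; a host with no hash hits can still carry infected executables (the summary notes modified system executables), and the three identical-hash dsoqq*.dll copies show the same payload can appear under several names. Pair hash matching with the process, service and network checks from the later tables.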
Memory Modifications

Process Name | Process Filename | Main Module Size
osjk8s.exe | %AppData%\osjk8s.exe | 135,168 bytes
svchost.exe | %AppData%\svchost.exe | 57,344 bytes
3rs6qt3a.exe | %AppData%\3rs6qt3a.exe | 53,248 bytes

The main module sizes are those of the mapped in-memory image and differ from the on-disk file sizes in the file table (59,392, 138,752 and 28,160 bytes respectively), so match the hashes above against the files on disk, not against memory dumps.

Process Name | Process Filename | Allocated Size
IEXPLORE.EXE | %ProgramFiles%\internet explorer\iexplore.exe | 36,864 bytes

The allocation inside iexplore.exe, a process the sample did not create, is consistent with code injected into the browser rather than a module it loaded.

Module Name | Module Filename | Address Space Details
nwcwks.dll | %System%\nwcwks.dll | Process name: svchost.exe; Process filename: %System%\svchost.exe; Address space: 0x10000000 - 0x10006000

Service Name | Display Name | Status | Service Filename
MouseDriver | MouseDriver | "Stopped" | %AppData%\MouseDriver.bat
NWCWorkstation | Client Service for NetWare | "Running" | %System%\svchost.exe -k netsvcs
Mshost Manager | Mshost Manager | "Stopped" | %AppData%\Plug.bat

Two of the three new services are batch files under %AppData%, which no legitimate service installer uses. The third reuses the name and display name of the legitimate Client Service for NetWare and runs inside the genuine %System%\svchost.exe; the dropped %System%\nwcwks.dll (entry 10 in the file table) mapped into that process is consistent with it being registered as that service's ServiceDll, so check the ServiceDll value under the service's Parameters key rather than trusting the service name or its host binary.

Service Name | Display Name | New Status | Service Filename
ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs

Registry Modifications

Other details

China

Port | Protocol | Process
1057 | UDP | osjk8s.exe (%AppData%\osjk8s.exe)
1073 | UDP | svchost.exe (%AppData%\svchost.exe)
1127 | TCP | svchost.exe (%AppData%\svchost.exe)
1131 | TCP | svchost.exe (%AppData%\svchost.exe)
1134 | TCP | svchost.exe (%AppData%\svchost.exe)
1136 | TCP | svchost.exe (%AppData%\svchost.exe)
1151 | TCP | svchost.exe (%AppData%\svchost.exe)
1153 | TCP | svchost.exe (%AppData%\svchost.exe)
1154 | TCP | svchost.exe (%AppData%\svchost.exe)
1155 | TCP | svchost.exe (%AppData%\svchost.exe)
1156 | TCP | svchost.exe (%AppData%\svchost.exe)
1157 | TCP | svchost.exe (%AppData%\svchost.exe)
1161 | TCP | svchost.exe (%AppData%\svchost.exe)
1162 | TCP | svchost.exe (%AppData%\svchost.exe)
1167 | TCP | svchost.exe (%AppData%\svchost.exe)
1170 | TCP | svchost.exe (%AppData%\svchost.exe)
1177 | TCP | svchost.exe (%AppData%\svchost.exe)
1179 | TCP | svchost.exe (%AppData%\svchost.exe)
1182 | TCP | svchost.exe (%AppData%\svchost.exe)
1184 | TCP | svchost.exe (%AppData%\svchost.exe)
1185 | TCP | svchost.exe (%AppData%\svchost.exe)
1192 | TCP | svchost.exe (%AppData%\svchost.exe)

These are the local ports the processes had open during the run. They fall in the Windows XP ephemeral range (1025 and up) and correspond to the outbound connections listed next rather than to listening services, so the port numbers themselves are not useful indicators; the process path is (svchost.exe running from %AppData% instead of %System%).

Remote Host | Port Number
122.224.18.20 | 88
210.83.81.173 | 88
174.36.69.5 | 80
209.59.195.20 | 80
23.2.17.144 | 80
23.2.17.153 | 80
23.2.17.154 | 80
58.150.174.222 | 80
64.38.232.180 | 80
66.114.51.87 | 80
68.178.232.99 | 80
74.125.228.13 | 80
210.83.81.173 | 888
74.125.228.14 | 443
74.125.228.16 | 443
83.133.119.197 | 65520

Not every destination is necessarily malicious: the port 80 and 443 entries may include ordinary background traffic from the sandbox (update checks, CDN fetches). All TCP connections in the port table are attributed to the dropped %AppData%\svchost.exe, and the ones to non-standard ports (88 and 888 on 210.83.81.173 and 122.224.18.20, 65520 on 83.133.119.197) are the strongest network indicators to block and alert on.
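
The process, service and network tables above give three host-level tells: a svchost.exe running from %AppData% instead of %System%, services whose image is a .bat under %AppData% (alongside security services such as SharedAccess and wscsvc left stopped), and outbound connections on non-standard ports (88, 888, 65520). The Python below is an added example, not part of the ThreatExpert report, that runs those checks over constructed JSON events modelled on Sysmon process-create and network-connect records plus a service snapshot. The event shape, the rule names and the directory markers are assumptions of the example, and the paths are relocated to a modern %AppData% layout. It does not cover the NWCWorkstation case, which needs the service's ServiceDll registry value to see that %System%\nwcwks.dll is the module being loaded.

```python
import json
import ntpath

# Constructed sample telemetry (not from the report): one JSON object per line,
# type "process" and "netconn" modelled on Sysmon ProcessCreate / NetworkConnect,
# type "service" on a service-control snapshot. Image names, service names and
# destination hosts/ports mirror the indicators in the tables above; nothing here
# is a real capture.
SAMPLE_EVENTS = r"""
{"type": "process", "image": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"type": "process", "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"}
{"type": "process", "image": "C:\\Users\\bob\\AppData\\Roaming\\osjk8s.exe"}
{"type": "service", "name": "MouseDriver", "image": "C:\\Users\\bob\\AppData\\Roaming\\MouseDriver.bat", "state": "Stopped"}
{"type": "service", "name": "NWCWorkstation", "image": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "state": "Running"}
{"type": "service", "name": "wscsvc", "image": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "state": "Stopped"}
{"type": "netconn", "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "dst": "83.133.119.197", "dport": 65520}
{"type": "netconn", "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "dst": "210.83.81.173", "dport": 888}
{"type": "netconn", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "dst": "74.125.228.14", "dport": 443}
"""

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
SECURITY_SERVICES = {"alg", "sharedaccess", "wscsvc", "wuauserv"}  # the three stopped in the report, plus Windows Update
C2_PORTS = {88, 888, 65520}                                       # non-standard ports from the Remote Host table

def image_path(command_line):
    """Executable path from a command line: honour quotes, otherwise cut at the first
    " -" switch. (Unquoted paths that themselves contain " -" would need a real
    tokenizer; the constructed sample avoids them.)"""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" -", 1)[0]

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def analyze(jsonl):
    """Apply the rules to each event; return a sorted, de-duplicated list of findings."""
    findings = set()
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        img = image_path(ev["image"])
        name = ntpath.basename(img).lower()
        parent = ntpath.dirname(img).lower()
        # A core Windows binary name whose parent directory is not exactly System32 or
        # SysWOW64 is masquerading (a substring test would pass C:\x\System32\svchost.exe).
        if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
            findings.add(("masquerade", img))
        if ev["type"] == "process" and in_user_writable(img):
            findings.add(("exec_from_user_dir", img))
        elif ev["type"] == "service":
            if name.endswith(SCRIPT_EXT) or in_user_writable(img):
                findings.add(("service_untrusted_image", ev["name"], img))
            if ev["name"].lower() in SECURITY_SERVICES and ev.get("state", "").lower() == "stopped":
                findings.add(("security_service_stopped", ev["name"]))
        elif ev["type"] == "netconn" and (ev["dport"] in C2_PORTS or in_user_writable(img)):
            findings.add(("c2_netconn", img, ev["dst"], ev["dport"]))
    return sorted(findings)

def summarize(findings):
    """Count findings per rule, e.g. {"masquerade": 1, ...}."""
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    print(summarize(analyze(SAMPLE_EVENTS)))
```

Findings are collected in a set because the same %AppData%\svchost.exe shows up in both a process event and two connection events; the masquerade rule should fire once per image, not once per event. The legitimate System32 svchost.exe instances and the browser's port 443 connection produce nothing, which is the point of anchoring on parent directory and port rather than on process name.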

 

Outbound traffic (potentially malicious)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.