ThreatExpert Report: Backdoor.Delf.WZW, Virus.Win32.Nakuru.a, W32.Tupofse.B!inf, W32/Kespo.a..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 November 2008, 11:27:02
Processing time: 6 min 2 sec
Submitted sample:

File MD5: 0xAD9748D267C4D05636A330E0217D1E08
File SHA-1: 0x4C6FB9A8D14149A7DEA99CB7051018BFCFCB99B5
Filesize: 304,163 bytes
Alias:

Backdoor.Delf.WZW [PCTools]
W32.Tupofse.B!inf [Symantec]
Virus.Win32.Nakuru.a [Kaspersky Lab]
W32/Kespo.a [McAfee]
PE_KESPO.C [Trend Micro]
Troj/Bckdr-QIX [Sophos]
Virus:Win32/Nakuru.A [Microsoft]
Virus.Win32.Nakuru.a [Ikarus]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\[filename of the sample #1 without extension].doc	37,888 bytes	MD5: 0x0B6D3BE2341FCFA1F3E01F76DEC48EA9 SHA-1: 0x0F0A47AD660991E451704B25148967B24060F0E0	(not available)
2	%System%\kspoold.exe	220,160 bytes	MD5: 0xE340E6C3430E9578EF39AFE0A59D1CFD SHA-1: 0x3D2E7FABE662FACFE882BE47B3458D32AB90AFF9	W32.Tupofse.B [Symantec] Virus.Win32.Nakuru.a [Kaspersky Lab] Generic BackDoor.d [McAfee] PE_KESPO.C-O [Trend Micro] W32/Kespo-A [Sophos] Virus.Win32.Nakuru.a [Ikarus]
3	[file and pathname of the sample #1]	304,163 bytes	MD5: 0xAD9748D267C4D05636A330E0217D1E08 SHA-1: 0x4C6FB9A8D14149A7DEA99CB7051018BFCFCB99B5	Backdoor.Delf.WZW [PCTools] W32.Tupofse.B!inf [Symantec] Virus.Win32.Nakuru.a [Kaspersky Lab] W32/Kespo.a [McAfee] PE_KESPO.C [Trend Micro] Troj/Bckdr-QIX [Sophos] Virus:Win32/Nakuru.A [Microsoft] Virus.Win32.Nakuru.a [Ikarus]
4	%Windir%\Temp\UninstallC.TMP	1,313 bytes	MD5: 0x364E05AA92E3A2251BF040738BCA3183 SHA-1: 0x6E9F1D5C27F28FA1FCDD8D25BAC45A058278BEA3	(not available)

Notes:

%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
kspoold.exe	%System%\kspoold.exe	573,440 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	73,728 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
kspooldaemon	K Print Spooler	"Running"	%System%\kspoold.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kspooldaemon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kspooldaemon\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kspooldaemon\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KSPOOLDAEMON
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KSPOOLDAEMON\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KSPOOLDAEMON\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kspooldaemon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kspooldaemon\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kspooldaemon\Enum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\IP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Options
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\RTF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Text
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Word6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Write

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "kspooldaemon"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON\0000]

Service = "kspooldaemon"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "K Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSPOOLDAEMON]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kspooldaemon\Enum]

0 = "Root\LEGACY_KSPOOLDAEMON\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kspooldaemon\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kspooldaemon]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\kspoold.exe"
DisplayName = "K Print Spooler"
ObjectName = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KSPOOLDAEMON\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "kspooldaemon"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KSPOOLDAEMON\0000]

Service = "kspooldaemon"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "K Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KSPOOLDAEMON]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kspooldaemon\Enum]

0 = "Root\LEGACY_KSPOOLDAEMON\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kspooldaemon\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kspooldaemon]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\kspoold.exe"
DisplayName = "K Print Spooler"
ObjectName = "LocalSystem"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.