ThreatExpert Report: Bat/sdel, AntiVirus2008, Winfixer, TROJ

Submission Summary:

Submission details:

Submission received: 30 June 2008, 21:32:44
Processing time: 9 min 20 sec
Submitted sample:

File MD5: 0xAFFFD33EE5C74F3E6FF16BB074942FB5
File SHA-1: 0x4463AA7E20E0A6774BCDCF5EC35F0C357031F438
Filesize: 1,398,817 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonDesktopDir%\Antivirus XP 2008.lnk	1,612 bytes	MD5: 0x77BAB7BF08C1307CDB4E6CF61AD6372A SHA-1: 0xBF99086A5A701AB20D14D58AF2BD170DAA9ACA0A	(not available)
2	%CommonPrograms%\Antivirus XP 2008\Antivirus XP 2008.lnk	1,624 bytes	MD5: 0x78EBD1AFBD0B496AD5CE05946B9F4219 SHA-1: 0x36C86DF698B975FBD45A32B44066E0CDF16B626D	(not available)
3	%CommonPrograms%\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk	1,142 bytes	MD5: 0x062B6F75454551533912CEE5DAA193A2 SHA-1: 0x81C19DB9363EE7EE308E4D8FB1735DA2C72128F5	(not available)
4	%CommonPrograms%\Antivirus XP 2008\License Agreement.lnk	1,587 bytes	MD5: 0x40ED620B3468C543CFE34AF33A3183CE SHA-1: 0xE161FE8C1F9781D6D543715EC24097E3D0149E54	(not available)
5	%CommonPrograms%\Antivirus XP 2008\Register Antivirus XP 2008.lnk	1,644 bytes	MD5: 0x5D0905E61240C9B5D98A4AEB1532CA36 SHA-1: 0xDF7E27DB0B5510F2472F10A6B80F544E7CD72A88	(not available)
6	%CommonPrograms%\Antivirus XP 2008\Uninstall.lnk	1,603 bytes	MD5: 0x8910D9AA42EC433048B931694C0D61D8 SHA-1: 0x31966842E8714FFBA74588644766236C37E5FAD2	(not available)
7	%CommonPrograms%\Antivirus XP 2008.lnk	1,618 bytes	MD5: 0xFED676FEA0453764D6743709EE621098 SHA-1: 0x53C24175E9F4DBF4E113BB8F97DF6B86BF35AA32	(not available)
8	%Temp%\gill.bat	70 bytes	MD5: 0xBC5ACA38E505DA47E1EA8BCFB9DF5BBB SHA-1: 0x67DD2324979FF2C2DFC97F89DB0FB939BD08C87A	Bat/sdel [McAfee]
9	%ProgramFiles%\rhc75dj0erc1\database.dat	1,701 bytes	MD5: 0xC19B001E6FE6C082E5069E4490898CCC SHA-1: 0x67A845BC07A68F04736B81BA45FF9D8186AE5314	(not available)
10	%ProgramFiles%\rhc75dj0erc1\license.txt	19,052 bytes	MD5: 0xA4CEABD89CABE614F390DD8C7E1B26D2 SHA-1: 0xA4A45BA0807E9613984328C54E95A12AB6964308	(not available)
11	%ProgramFiles%\rhc75dj0erc1\MFC71.dll	1,060,864 bytes	MD5: 0xF35A584E947A5B401FEB0FE01DB4A0D7 SHA-1: 0x664DC99E78261A43D876311931694B6EF87CC8B9	(not available)
12	%ProgramFiles%\rhc75dj0erc1\MFC71ENU.DLL	57,344 bytes	MD5: 0xBAF751E7061FF626AA60F56D1D5D1FDC SHA-1: 0xB0382C3AC0C0DAD7D793C9A3335316B5FCAE2690	(not available)
13	%ProgramFiles%\rhc75dj0erc1\msvcp71.dll	499,712 bytes	MD5: 0x561FA2ABB31DFA8FAB762145F81667C2 SHA-1: 0xC8CCB04EEDAC821A13FAE314A2435192860C72B8	(not available)
14	%ProgramFiles%\rhc75dj0erc1\msvcr71.dll	348,160 bytes	MD5: 0x86F1895AE8C5E8B17D99ECE768A70732 SHA-1: 0xD5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA	(not available)
15	%ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe	1,214,976 bytes	MD5: 0xA0F0843ABF523AEEAB43423D618DAFE0 SHA-1: 0x9FC9875DCC6902353E825394397E801C9D627F50	AntiVirus2008 [Symantec]
16	%ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe.local %System%\6A.tmp %System%\A0.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
17	%ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1Skin.dll	8,245,248 bytes	MD5: 0x317BBD8489A60112CF4958F40CF040D1 SHA-1: 0x19CE75EFD3019896B2E3BBE15A365A574103E66E	Winfixer [McAfee] TROJ_RENOS.ZQ [Trend Micro]
18	%ProgramFiles%\rhc75dj0erc1\Uninstall.exe	77,377 bytes	MD5: 0x0ECDF1EA405BD0AD6D42355715F6237E SHA-1: 0x5651B2EEDC74809562919F6CAA592BE52ACE67A0	(not available)
19	%System%\10.tmp %System%\11.tmp %System%\12.tmp %System%\13.tmp %System%\14.tmp %System%\15.tmp %System%\16.tmp %System%\17.tmp %System%\18.tmp %System%\19.tmp %System%\1A.tmp %System%\1B.tmp %System%\1C.tmp %System%\1D.tmp %System%\1E.tmp %System%\1F.tmp %System%\20.tmp %System%\21.tmp %System%\22.tmp %System%\23.tmp %System%\24.tmp %System%\25.tmp %System%\26.tmp %System%\27.tmp %System%\28.tmp %System%\29.tmp %System%\2A.tmp %System%\2B.tmp %System%\2C.tmp %System%\2D.tmp %System%\2E.tmp %System%\2F.tmp %System%\30.tmp %System%\31.tmp %System%\32.tmp %System%\33.tmp %System%\34.tmp %System%\35.tmp %System%\36.tmp %System%\37.tmp %System%\38.tmp %System%\39.tmp %System%\3A.tmp %System%\3B.tmp %System%\3C.tmp %System%\3D.tmp %System%\3E.tmp %System%\3F.tmp %System%\40.tmp %System%\41.tmp %System%\42.tmp %System%\43.tmp %System%\44.tmp %System%\45.tmp %System%\46.tmp %System%\47.tmp %System%\48.tmp %System%\49.tmp %System%\4A.tmp %System%\4B.tmp %System%\4C.tmp %System%\4D.tmp %System%\4E.tmp %System%\4F.tmp %System%\5.tmp %System%\50.tmp %System%\51.tmp %System%\53.tmp %System%\54.tmp %System%\55.tmp %System%\56.tmp %System%\57.tmp %System%\58.tmp %System%\59.tmp %System%\5A.tmp %System%\5B.tmp %System%\5C.tmp %System%\5D.tmp %System%\5E.tmp %System%\5F.tmp %System%\60.tmp %System%\61.tmp %System%\62.tmp %System%\63.tmp %System%\64.tmp %System%\65.tmp %System%\66.tmp %System%\67.tmp %System%\68.tmp %System%\69.tmp %System%\6B.tmp %System%\6C.tmp %System%\6D.tmp %System%\6E.tmp %System%\6F.tmp %System%\7.tmp %System%\70.tmp %System%\73.tmp %System%\74.tmp %System%\75.tmp	94,208 bytes	MD5: 0x45684E238403D720EAD129A0FB2E2258 SHA-1: 0x1ADAB6088F394487D6E57C73931DA3D471C30B72	MalwareProtector2008 [Symantec] FakeAlert-AG [McAfee] TROJ_RENOS.ZQ [Trend Micro]
20	[file and pathname of the sample #1]	1,398,817 bytes	MD5: 0xAFFFD33EE5C74F3E6FF16BB074942FB5 SHA-1: 0x4463AA7E20E0A6774BCDCF5EC35F0C357031F438	(not available)

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonPrograms%\Antivirus XP 2008
%AppData%\rhc75dj0erc1
%ProgramFiles%\rhc75dj0erc1
%AppData%\rhc75dj0erc1\Quarantine
%AppData%\rhc75dj0erc1\Quarantine\Autorun
%AppData%\rhc75dj0erc1\Quarantine\Autorun\HKCU
%AppData%\rhc75dj0erc1\Quarantine\Autorun\HKCU\RunOnce
%AppData%\rhc75dj0erc1\Quarantine\Autorun\HKLM
%AppData%\rhc75dj0erc1\Quarantine\Autorun\HKLM\RunOnce
%AppData%\rhc75dj0erc1\Quarantine\Autorun\StartMenuAllUsers
%AppData%\rhc75dj0erc1\Quarantine\Autorun\StartMenuCurrentUser
%AppData%\rhc75dj0erc1\Quarantine\BrowserObjects
%AppData%\rhc75dj0erc1\Quarantine\Packages

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
rhc75dj0erc1.exe	%ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe	1,662,976 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	200,704 bytes

Attention! The following process was intentionally hidden from the user:

Process Name	Main Module Size
pphc35dj0erc1.e	98,304 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
MSVCP71.dll	%ProgramFiles%\rhc75dj0erc1\MSVCP71.dll	Process name: rhc75dj0erc1.exe Process filename: %ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe Address space: 0x7C3A0000 - 0x7C41B000
MSVCR71.dll	%ProgramFiles%\rhc75dj0erc1\MSVCR71.dll	Process name: rhc75dj0erc1.exe Process filename: %ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe Address space: 0x7C340000 - 0x7C396000
MFC71.DLL	%ProgramFiles%\rhc75dj0erc1\MFC71.DLL	Process name: rhc75dj0erc1.exe Process filename: %ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe Address space: 0x7C140000 - 0x7C243000
MFC71ENU.DLL	%ProgramFiles%\rhc75dj0erc1\MFC71ENU.DLL	Process name: rhc75dj0erc1.exe Process filename: %ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe Address space: 0x5D360000 - 0x5D36E000
rhc75dj0erc1Skin.Dll	%ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1Skin.Dll	Process name: rhc75dj0erc1.exe Process filename: %ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe Address space: 0x1810000 - 0x1FED000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc75dj0erc1
HKEY_LOCAL_MACHINE\SOFTWARE\rhc75dj0erc1
HKEY_LOCAL_MACHINE\SOFTWARE\rhc75dj0erc1\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]

rhc75dj0erc1 = 75 C4 68 48

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

AntivirXP08 = "AntivirXP08"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SMrhc75dj0erc1 = "%ProgramFiles%\rhc75dj0erc1\rhc75dj0erc1.exe"

so that rhc75dj0erc1.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc75dj0erc1]

DisplayName = "AntivirXP08"
UninstallString = ""%ProgramFiles%\rhc75dj0erc1\uninstall.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\rhc75dj0erc1]

RegistrationUrl = "http://www.AntivirusXP08.com/buy/"
RegistrationDiscUrl = "http://www.AntivirusXP08.com/purchase/"
ADVid = ""
(Default) = "%ProgramFiles%\rhc75dj0erc1"
InstallDir = "%ProgramFiles%\rhc75dj0erc1"
domain = "AntivirusXP08.com"
SoftID = "AntivirXP08"
DatabaseVersion = "2.1"
ProgramVersion = "2.1"
EngineVersion = "2.1"
GuiVersion = "2.1"
ProxyName = ""
ProxyPort = 0x00000000
ScanPriority = 0x00000001
DaysInterval = 0x00000007
ScanDepth = 0x00000002
ScanSystemOnStartup = 0x00000001
AutomaticallyUpdates = 0x00000001
MinimizeOnStart = 0x00000000
BackgroundScan = 0x00000001
BackgroundScanTimeout = 0x00000001
MGuid = "{782E524E-4174-4E61-A4FA-E8E67FA821FD}"
InstallationID = "{4A877B89-5005-4F5D-A8FE-E39B77360108}"
LastTimeStamp = 0x000000D2

Other details

To mark the presence in the system, the following Mutex objects were created:

{CAASD444E-7822-49c1-840A-97A82C3F4D10}
{427dbde0-7799-4611-9789-deb36156d1ad}

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.