ThreatExpert Report: New Malware.u, Worm.Win32.Downloader.fb

Submission Summary:

Submission details:

Submission received: 31 March 2008, 15:53:57
Processing time: 4 min 21 sec
Submitted sample:

File MD5: 0x36840570F89232BB36087A36851B8D1F
File SHA-1: 0xD49AB3D6E04273B1DC216ACF995D51E9167FC4AC
Filesize: 22,720 bytes
Alias: New Malware.u [McAfee]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\AUTORUN.INF	151 bytes	MD5: 0xAD1F59DE66D667130C908DA3A4419305 SHA-1: 0x25D75F719A1FCA10D9759FAF8E8B2092DBFB67F1	Worm.Win32.Downloader.fb [Kaspersky Lab]
2	c:\explorer.exe [file and pathname of the sample #1] %System%\wuauc1t.exe	22,720 bytes	MD5: 0x36840570F89232BB36087A36851B8D1F SHA-1: 0xD49AB3D6E04273B1DC216ACF995D51E9167FC4AC	New Malware.u [McAfee]
3	c:\system.pif c:\win1.pif c:\win10.pif c:\win11.pif c:\win12.pif c:\win2.pif c:\win3.pif c:\win4.pif c:\win5.pif c:\win6.pif c:\win7.pif c:\win8.pif c:\win9.pif	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
4	%System%\sssurl.dll	612,352 bytes	MD5: 0x3F795D6FB4050C93CBBD0FF699A2635A SHA-1: 0xD6F6FF1E3809C980CA78710E842AC3F1C1697E92	(not available)

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	98,304 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDOCTOR.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE

The following Registry Keys were deleted:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of 360rpt.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of 360safe.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of 360tray.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.exe]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of ANTIARP.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Ast.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.exe]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of AutoRunKiller.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of AvMonitor.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of AVP.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of CCenter.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Frameworkservice.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of IceSword.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Iparmor.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.exe]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of KASARP.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of KRegEx.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of KVMonxp.kxp by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of KVSrvXP.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of KVWSC.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Mmsk.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Navapsvc.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Nod32kui.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDOCTOR.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of QQDOCTOR.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Regedit.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of VPC32.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.exe]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of VPTRAY.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of WOPTILITIES.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of Wuauclt.EXE by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE]

Debugger = "%System%\wuauc1t.exe"

so that wuauc1t.exe is injected into the execution sequence of ~.EXE by being installed as its default debugger

The following Registry Values were deleted:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

(Default) = "DiskDrive"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

CheckedValue = 0x000006B8

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

TracesProcessed = 0x00000006
TracesSuccessful = 0x00000005
LastTraceFailure = 0x00000020

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

system

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.sxblgg.com	80	(null)	(null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.