ThreatExpert Report: not-a-virus:FraudTool.Win32.XLGuarder.a

Submission Summary:

Submission details:

Submission received: 8 August 2008, 01:01:49
Processing time: 5 min 35 sec
Submitted sample:

File MD5: 0x252DC53F678B63B01265A479A38B7ADE
File SHA-1: 0xA014FF372374E7718CE92BE9BA97246A75BF052A
Filesize: 1,631,883 bytes
Alias: not-a-virus:FraudTool.Win32.XLGuarder.a [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\ieguard.dll	186,880 bytes	MD5: 0x68A64BFE1B412DDAEBD6FB592AA33B71 SHA-1: 0x92BFB9443D11D401B0D913FFCB67F171FB767B70	(not available)
2	%Windir%\sysguard\img\bg_fixed.jpg	36,490 bytes	MD5: 0xD843C5A31E589B8E9AEE096A3D833154 SHA-1: 0x8EDAB85AD094CBA7A4A9ED6719335074F903B442	(not available)
3	%Windir%\sysguard\img\bg_licence.jpg	43,733 bytes	MD5: 0xB872EA6B8AB4CD7DE82BD2BB2BFC17D4 SHA-1: 0x94A45772B66F7491EA2A8CE43310B5FE14EB81A9	(not available)
4	%Windir%\sysguard\img\bg_main.jpg	162,574 bytes	MD5: 0x645232F2A8AD4E919359E7BF0FFA675C SHA-1: 0xE833E2FB894BD41BD3E9DB565DDE2D66DCF3D8E8	(not available)
5	%Windir%\sysguard\img\bg_warning.jpg	38,164 bytes	MD5: 0x03455DBE4177F54E9781E4172BF09843 SHA-1: 0x34CB6DA405380E5F996CC4D36769A7ED435005E9	(not available)
6	%Windir%\sysguard\img\splash.jpg	88,471 bytes	MD5: 0x32127E64BB9841C9DA8F5EF105D99E7F SHA-1: 0x9906FA2140594E6D0B1222E30B60D2C8F7B525FC	(not available)
7	%Windir%\sysguard\settings.ini	90 bytes	MD5: 0x3337A423F165998A557CDBFEE810032F SHA-1: 0xDCBE78E77B64C42AA45AE3479AFCBC1A4F0EEB44	(not available)
8	%Windir%\sysguard\sounds\1.mp3	58,830 bytes	MD5: 0x289B099CDA4CF8DD36B3E847A6027831 SHA-1: 0xEDFCAE9EEA432EA050A533C430FBEC3EA5C6A636	(not available)
9	%Windir%\sysguard\sounds\2.mp3	103,760 bytes	MD5: 0xA290DBD927F5E0B738A107C5D330C2D4 SHA-1: 0x5A7F06EEC57593E21EF3453D2CC6D02D30D70A89	(not available)
10	%Windir%\sysguard\sounds\3.mp3	76,593 bytes	MD5: 0x4E75B108C3C5DDE51AD6E212F8C1EF39 SHA-1: 0xEBC523E6FA085DA5FF075C67283D61EB96D41440	(not available)
11	%Windir%\sysguard\sysguard.exe	409,088 bytes	MD5: 0x3DAE67A9D9FCAB60CB38E06168BED975 SHA-1: 0xE16E899439E95D26CE1788E4C3996B8B9A471801	(not available)
12	%Windir%\sysguard\sysguard_s.exe	313,344 bytes	MD5: 0x6BC4D5CBABADB8C2F020339F2B04A855 SHA-1: 0xFF5A73616445642B7E4A245855F205B6C5988D75	(not available)
13	%Windir%\sysguard\tipguard.exe	269,312 bytes	MD5: 0xD3EEFF97F1D215C21C7A4E8DC279B007 SHA-1: 0x1488CE52DEAEFDDAD764013D84038659C2DB1967	not-a-virus:FraudTool.Win32.XLGuarder.a [Kaspersky Lab]
14	%Windir%\sysguard\uninstall.exe	174,467 bytes	MD5: 0xE74F5EB5FF90B8A6EA38A9FC54F84786 SHA-1: 0x8B9A64E9FC43E7208F6E49C1A42BC283233DE94C	(not available)
15	%Windir%\sysguard\warning\alertpage.jpg	46,050 bytes	MD5: 0x3890604EED004CBFE86D207BD32E9484 SHA-1: 0x814E8885CED3CC1938AC32764C1F8F8DD17B7B42	(not available)
16	%Windir%\sysguard\warning\spacer.gif	43 bytes	MD5: 0xF7F26805DE1A1F270E665BF7873D7E19 SHA-1: 0xC32085898C6E36D361D4B8017087DE90E1B8465C	(not available)
17	%Windir%\sysguard\warning\warnpage.html	2,194 bytes	MD5: 0x104E2FB79452F39F0373C34FC9AA4566 SHA-1: 0xA6F6107C6F969BB4D33A7190F197E7B09942F169	(not available)
18	[file and pathname of the sample #1]	1,631,883 bytes	MD5: 0x252DC53F678B63B01265A479A38B7ADE SHA-1: 0xA014FF372374E7718CE92BE9BA97246A75BF052A	not-a-virus:FraudTool.Win32.XLGuarder.a [Kaspersky Lab]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%Windir%\sysguard
%Windir%\sysguard\img
%Windir%\sysguard\sounds
%Windir%\sysguard\warning

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
sysguard_s.exe	%Windir%\sysguard\sysguard_s.exe	749,568 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	327,680 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
ieguard.dll	%Windir%\ieguard.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFFB000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D032570A-5F63-4812-A094-87D007C23012}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieguard.TIEAdvBHO
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieguard.TIEAdvBHO\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sysguard
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache
HKEY_CURRENT_USER\Software\sysguard

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\ProgID]

(Default) = "ieguard.TIEAdvBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\InprocServer32]

(Default) = "%Windir%\ieguard.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D032570A-5F63-4812-A094-87D007C23012}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieguard.TIEAdvBHO\Clsid]

(Default) = "{D032570A-5F63-4812-A094-87D007C23012}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieguard.TIEAdvBHO]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sysguard]

DisplayName = "XL Guarder"
UninstallString = "%Windir%\sysguard\uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]

FriendlyName = "Default MidiOut Device"
CLSID = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 38 00 00 00 48 00 00 00 6D 69 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 00 00 00 00 00 00 00 00 00 00 00 0
MidiOutId = 0xFFFFFFFF

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]

FriendlyName = "Default DirectSound Device"
CLSID = "{79376820-07D0-11CF-A24D-0020AFD79767}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 A8 00 00 00 B8 00 00 00 31 74 79 33 00 00 00 00 A8 00 00 00 C8 00 00 00 32 74 79 33 00 00 00 00 A8 00 00 0
DSGuid = "{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]

0 = E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00 02 01 00 00 00 00 00 00 01 00 20 00 49 00 00 00 40 00 64 00 65 00 76 00 69 00 63 00 65 00 3A 00 64 00 6D 00 6F 00 3A 00 7B 00 32 00 45 00 45 00 42 00 34 00 41 00 44 00 46 00 2D 00 34 00 35 00 37 00 38 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Shell = "%Windir%\sysguard\sysguard.exe"

so that sysguard.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\sysguard]

Path = "%Windir%\sysguard"
FirstLaunch = "no"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Russian Federation

To mark the presence in the system, the following Mutex objects were created:

AMResourceMutex2
VideoRenderer

The following Host Name was requested from a host database:

piratas-numericos.info

The following HTTP URL was started reading:

http://piratas-numericos.info/handlers/software_response.php?uid=11

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.