ThreatExpert Report: Win32.Virut.Gen.4, Virus.Win32.Virut.be, W32.SillyFDC, W32/Virut.j..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 22 August 2008, 10:36:42
Processing time: 5 min 37 sec
Submitted sample:

File MD5: 0xE72562F7120EBE8A0DF590A1F5032F56
File SHA-1: 0xE17D56D6BFD4449CBD0E72738485EE27FACA53B8
Filesize: 299,008 bytes
Alias:

Win32.Virut.Gen.4 [PCTools]
W32.SillyFDC [Symantec]
Virus.Win32.Virut.be [Kaspersky Lab]
W32/Virut.j [McAfee]
PE_VIRUT.CEL [Trend Micro]
W32/Virut-X [Sophos]
Virus:Win32/Virut.BA [Microsoft]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf %System%\dllcache\autorun.inf	118 bytes	MD5: 0x4EB846BE89A1520B7D0181F0736F9A96 SHA-1: 0x869A156F9BD21B06D896CAFA66DB628F7B5E9679	W32/Autorun-EW [Sophos]
2	c:\MS-DOS.com %FontsDir%\Fonts.exe %FontsDir%\tskmgr.exe %Windir%\Help\microsoft.hlp %Windir%\Media\rndll32.pif %Windir%\pchealth\Global.exe %Windir%\pchealth\helpctr\binaries\HelpHost.com %Windir%\system\KEYBOARD.exe %System%\dllcache\Default.exe %System%\dllcache\Global.exe %System%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe %System%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe %System%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe %System%\dllcache\svchost.exe %System%\drivers\drivers.cab.exe %System%\regedit.exe [file and pathname of the sample #1]	299,008 bytes	MD5: 0xE72562F7120EBE8A0DF590A1F5032F56 SHA-1: 0xE17D56D6BFD4449CBD0E72738485EE27FACA53B8	Win32.Virut.Gen.4 [PCTools] W32.SillyFDC [Symantec] Virus.Win32.Virut.be [Kaspersky Lab] W32/Virut.j [McAfee] PE_VIRUT.CEL [Trend Micro] W32/Virut-X [Sophos] Virus:Win32/Virut.BA [Microsoft]
3	%Windir%\Cursors\Boom.vbs	4,356 bytes	MD5: 0xE72C9789AC7232E3B36766EB2A8F8DA6 SHA-1: 0xA37A9F18E227D103BB4E1ECAC0834C2CDF99D112	W32.SillyFDC [Symantec] Trojan.VBS.Runner.be [Kaspersky Lab] VBS_AUTORUN.DMS [Trend Micro] Trojan:VBS/Autorun.A [Microsoft]
4	%FontsDir%\wav.wav	39,382 bytes	MD5: 0x19B1FE35E57567843009857DF3BA1CDB SHA-1: 0xF80815C6D8B832EEA9F1E30473AF13405D2EFFD3	(not available)
5	%System%\dllcache\rndll32.exe	158,208 bytes	MD5: 0x4FD22142F54692463A7B98B7DE175573 SHA-1: 0x21D079909EEFFDA4B79DACE30EAFA0860BBD4C62	(not available)
6	%System%\dllcache\tskmgr.exe	135,680 bytes	MD5: 0xFC160ACE21C81837692B339D230DD4BE SHA-1: 0x28E0652D35FCD1E5ABD1AA23BB5EE2B180A6693B	(not available)

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%System%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
Fonts.exe	%FontsDir%\fonts.exe	323,584 bytes
tskmgr.exe	%FontsDir%\tskmgr.exe	323,584 bytes
HelpHost.com	%Windir%\pchealth\helpctr\binaries\helphost.com	323,584 bytes
KEYBOARD.exe	%Windir%\system\keyboard.exe	323,584 bytes
global.exe	%Windir%\pchealth\global.exe	323,584 bytes
Default.exe	%System%\dllcache\Default.exe	323,584 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	323,584 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile]

NeverShowExt = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]

NeverShowExt = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]

(Default) = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

DisableStatusMessages = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

sys = "%FontsDir%\Fonts.exe"

so that Fonts.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

(Default) = "%Windir%\system\KEYBOARD.exe"

so that KEYBOARD.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

(Default) = "%System%\dllcache\Default.exe"

so that Default.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]

Debugger = "%System%\drivers\drivers.cab.exe"

so that drivers.cab.exe is injected into the execution sequence of auto.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe]

Debugger = "%System%\drivers\drivers.cab.exe"

so that drivers.cab.exe is injected into the execution sequence of autorun.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]

Debugger = "%System%\drivers\drivers.cab.exe"

so that drivers.cab.exe is injected into the execution sequence of autoruns.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe]

Debugger = "%FontsDir%\fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]

Debugger = "%FontsDir%\Fonts.exe"

so that Fonts.exe is injected into the execution sequence of ctfmon.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]

Debugger = "%Windir%\Media\rndll32.pif"

so that rndll32.pif is injected into the execution sequence of msconfig.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]

Debugger = "%Windir%\pchealth\helpctr\binaries\HelpHost.com"

so that HelpHost.com is injected into the execution sequence of procexp.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]

Debugger = "%FontsDir%\tskmgr.exe"

so that tskmgr.exe is injected into the execution sequence of taskmgr.exe by being installed as its default debugger

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0]

Parameters = ""
Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0]

DisplayName = "Local Group Policy"
FileSysPath = ""
GPO-ID = "LocalGPO"
GPOName = "Local Group Policy"
SOM-ID = "Local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0]

Parameters = ""
Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0]

DisplayName = "Local Group Policy"
FileSysPath = ""
GPO-ID = "LocalGPO"
GPOName = "Local Group Policy"
SOM-ID = "Local"

[HKEY_CURRENT_USER\Control Panel\Desktop]

SCRNSAVE.EXE = "%Windir%\pchealth\helpctr\binaries\HelpHost.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

(Default) = "%System%\dllcache\Default.exe"

so that Default.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]

Parameters = ""
Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0]

DisplayName = "Local Group Policy"
FileSysPath = ""
GPO-ID = "LocalGPO"
GPOName = "Local Group Policy"
SOM-ID = "Local"

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]

(Default) = "%SystemRoot%\system32\mmc.exe "%1" %*"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]

(Default) = "%Windir%\pchealth\Global.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]

ValueName = "ShowSuperHiden"

[HKEY_CURRENT_USER\Control Panel\Desktop]

AutoEndTasks = "1"
ScreenSaveTimeOut = "30"

Other details

To mark the presence in the system, the following Mutex object was created:

NTShell Taskman Startup Mutex

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.