Submission Summary:
Submission details:
Submission received: 25 August 2008, 22:40:19
Processing time: 5 min 11 sec
Submitted sample:
File MD5: 0x4DC711D5D45B7710E06CB4E7C88D4AEB
Filesize: 314,573 bytes
Alias: New Malware.n [McAfee], Mal/EncPk-BW [Sophos]
Summary of the findings:
What's been found Severity Level
Produces outbound traffic.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.
Technical Details:
Possible Security Risk
Attention! Characteristics of the following security risk were identified in the system:
Security Risk | Description
Trojan.KillAV!sd6 | Trojan.KillAV!sd6 is a malicious program that does not infect other files but may represent a security risk for your computer and/or network environment.
Attention! The following threat categories were identified:
Threat Category Description
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
File System Modifications
The following files were created in the system:
# | Filename(s) | File Size | File MD5 | Alias
1 | %Temp%\1.exe | 3,072 bytes | 0xA01E8EF82C711CF553B8662F42C59C09 | Trojan.KillAV!sd6 [PCTools]; Trojan.Win32.KillAV.aer [Kaspersky Lab]
2 | %Temp%\2.exe, %Windir%\windows services.exe | 307,200 bytes | 0x7FA81DD4013C694F6508393CC818B1CE | Backdoor.Win32.Bifrose.kt [Kaspersky Lab]; Bloodhound.W32.EP [Symantec]; BackDoor-AWQ [McAfee]; Mal/Hupig-E, Mal/Behav-058, Mal/DSpy-B, Mal/Behav-157, Mal/Behav-043 [Sophos]; TrojanDropper:Win32/Hupigon.gen!A [Microsoft]
3 | [file and pathname of the sample #1] | 314,573 bytes | 0x4DC711D5D45B7710E06CB4E7C88D4AEB | New Malware.n [McAfee]; Mal/EncPk-BW [Sophos]
Note:
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
Memory Modifications
There were new processes created in the system:
Process Name | Process Filename | Main Module Size
windows services.exe | %Windir%\windows services.exe | 905,216 bytes
2.exe | %Temp%\2.exe | 905,216 bytes
1.exe | %Temp%\1.exe | 8,192 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 704,512 bytes
There was a new service created in the system:
Service Name | Display Name | Status | Service Filename
windows services | windows services | "Stopped" | %Windir%\windows services.exe
Registry Modifications
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SERVICES\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SERVICES\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows services\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows services\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SERVICES\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SERVICES\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services\Enum
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SERVICES\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "windows services"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SERVICES\0000]
Service = "windows services"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "windows services"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SERVICES]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows services\Enum]
0 = "Root\LEGACY_WINDOWS_SERVICES\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows services\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows services]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%Windir%\windows services.exe"
DisplayName = "windows services"
ObjectName = "LocalSystem"
Description = "windows �������"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SERVICES\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "windows services"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SERVICES\0000]
Service = "windows services"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "windows services"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SERVICES]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services\Enum]
0 = "Root\LEGACY_WINDOWS_SERVICES\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows services]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%Windir%\windows services.exe"
DisplayName = "windows services"
ObjectName = "LocalSystem"
Description = "windows �������"
The following Registry Values were modified:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C
Other details
Analysis of the file resources indicates the following possible country of origin:
China
To mark its presence in the system, the following Mutex object was created:
Hacker.com.cn_MUTEX
The following Host Name was requested from a host database:
fv2205736.3322.org
An attempt to establish a connection with a remote host was registered. The connection details are:
Remote Host | Port Number
fv2205736.3322.org | 8000