| File System Modifications |
- The following file was created in the system:
# | Filename(s) | File Size | File MD5 | Alias
1 | [file and pathname of the sample #1] | 55,296 bytes | 0x63D204B016098DF1C49C4CC0EB41DC3F | Trojan-Downloader.Win32.FraudLoad.vcnv [Kaspersky Lab]; Trojan.Zlob [Symantec]; Possible_DLDER [Trend Micro]; TrojanDownloader:Win32/Renos.EI [Microsoft]
| Memory Modifications |
- There was a new process created in the system:
Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 65,536 bytes
| Other details |
- The data identified by the following URLs was then requested from the remote web server:
- http://domain5122.com/script1112.php?id=1350591802&adv=0&uid=cd1a4040eb4b8de2ac67e8681264f2c4b9cec0
- http://domain5122.com/file1112.php?id=1350591802&adv=0&uid=cd1a4040eb4b8de2ac67e8681264f2c4b9cec0
Downloaded File Summary:
- Download details:
- Download retrieved: 13 October 2008 23:38:19
- Processing time: 7 min 55 sec
- Downloaded sample #1:
- File MD5: 0x39983CA8BA63BFC43A5C085896530D4E
- Filesize: 78,340 bytes
- Downloaded sample #2:
- File MD5: 0x173C8FD8385A5ED0BAAFDDF05AA0DCC4
- Filesize: 57,344 bytes
- Alias: Packed.Generic.182 [Symantec]
- Downloaded sample #3:
- File MD5: 0x5F796D97149716B604C8EC7B37E4764E
- Filesize: 181,779 bytes
What's been found | Severity Level
Downloads/requests other files from Internet. |
Creates a startup registry entry. |
Registers a 32-bit in-process server DLL. |
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module). |
Contains characteristics of an identified security risk. |
Technical Details:
| Possible Security Risk |
- Attention! Characteristics of the following security risk were identified in the system:
Security Risk | Description
Trojan.FakeAlert | Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some Windows settings, including disabling the user's permission to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.
| File System Modifications |
- The following files were created in the system:
# | Filename(s) | File Size | File MD5 | Alias
1 | %Temp%\nsf2.tmp\NSISdl.dll | 14,848 bytes | 0x2A2AF69379ED269C61893E8146E18F52 | (not available)
2 | %Temp%\nsf2.tmp\System.dll | 10,240 bytes | 0x82F7926FD7D12E3EB8ED7B5232BCF956 | (not available)
3 | %System%\azhuaikvguinvuk.dll | 156,672 bytes | 0xE993D6CB7705A609AD8B5B3B61437C2F | Adware:Win32/AdRotator [Microsoft]
4 | %System%\rryjzzwhinv.exe | 79,086 bytes | 0xFCF0FE71152CD058C94C7AA974C85604 | (not available)
5 | [file and pathname of the sample #1] | 78,340 bytes | 0x39983CA8BA63BFC43A5C085896530D4E | (not available)
6 | [file and pathname of the sample #2] | 57,344 bytes | 0x173C8FD8385A5ED0BAAFDDF05AA0DCC4 | Packed.Generic.182 [Symantec]
7 | [file and pathname of the sample #3] | 181,779 bytes | 0x5F796D97149716B604C8EC7B37E4764E | (not available)
- Notes:
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- The following directory was created:
| Memory Modifications |
- There were new processes created in the system:
Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 200,704 bytes
rryjzzwhinv.exe | %System%\rryjzzwhinv.exe | 249,856 bytes
[filename of the sample #3] | [file and pathname of the sample #3] | 249,856 bytes
Au_.exe | %Temp%\~nsu.tmp\Au_.exe | 249,856 bytes
[filename of the sample #2] | [file and pathname of the sample #2] | 57,344 bytes
- The following modules were loaded into the address space of other process(es):
Module Name | Module Filename | Address Space Details
azhuaikvguinvuk.dll | %System%\azhuaikvguinvuk.dll | Process name: [generic host process]; Process filename: [generic host process filename]; Address space: 0xAA0000 - 0xACC000
azhuaikvguinvuk.dll | %System%\azhuaikvguinvuk.dll | Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0xF80000 - 0xFAC000
- Notes:
- [generic host process filename] is a full path filename of [generic host process].
- %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
| Registry Modifications |
- The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ffe07db-aa85-370c-b84a-20958d3de81e}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ffe07db-aa85-370c-b84a-20958d3de81e}\InProcServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ffe07db-aa85-370c-b84a-20958d3de81e}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rryjzzwhinv
- HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
- HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox
- HKEY_CURRENT_USER\Software\{8446438A-39C2-4406-3859-B1FA3B4F7CC4}
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ffe07db-aa85-370c-b84a-20958d3de81e}\InProcServer32]
- (Default) = "%System%\azhuaikvguinvuk.dll"
- ThreadingModel = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8ffe07db-aa85-370c-b84a-20958d3de81e}]
- (Default) = "offersfortoday browser enhancer"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ffe07db-aa85-370c-b84a-20958d3de81e}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- kwwcmxtssmt = "%System%\regsvr32.exe /s "%System%\azhuaikvguinvuk.dll""
so that azhuaikvguinvuk.dll runs every time Windows starts
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rryjzzwhinv]
- DisplayName = "RON Tool Offersfortoday"
- UninstallString = "%System%\rryjzzwhinv.exe"
- NoModify = 0x00000000
- NoRepair = 0x00000000
- DisplayVersion = "2.2.0.0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox]
- Str4 = ""
- Str5 = "x6tVEq8nGbTmPkNQIrNNQAuuDXWX"
- Str9 = "zbZdFr5/CbjyPkNQIrNNQAuuDXWXEvOyhwYIMvYIWoHwgiUTaU8JbxpO"
- Str6 = "gKFdEw=="
- Str7 = "ga9ZFK1vCPLtfEhWbqZFVA=="
- Str8 = "mQ=="
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- MSFox = "[file and pathname of the sample #1]"
so that [file and pathname of the sample #1] runs every time Windows starts
- [HKEY_CURRENT_USER\Software\{8446438A-39C2-4406-3859-B1FA3B4F7CC4}]
- aff_id = "offersfortoday"
| Other details |
- To mark the presence in the system, the following Mutex objects were created:
- Pf8tEzRXY0MhbrHxmUXF
- jv2GUjP707bgyKtTPna2
- The following ports were open in the system:
Port | Protocol | Process
1082 | TCP | [file and pathname of the sample #1]
1083 | TCP | [file and pathname of the sample #1]
- The following Host Names were requested from a host database:
- s2.offersfortoday.com
- pictures-library.com
- images-library.com
- picturesbase.com
- pictures-base.com
- The following Internet Connections were established:
Server Name | Server Port | Connect as User | Connection Password
s2.offersfortoday.com | 80 | (null) | (null)
image-big-library.com | 80 | (null) | (null)
99.250.166.196 | 80 | (null) | (null)
210.156.220.5 | 80 | (null) | (null)
- The following HTTP URL was started reading:
- http://s2.offersfortoday.com/bc/nsi_install.php?aff_id=offersfortoday&inst_result=success&id=6d6e4b63202c4d80e79d8d0cb242523daf9b1101
- The data identified by the following URLs was then requested from the remote web server:
Downloaded Files Summary (Generation #2):
- Download details:
- Download retrieved: 13 October 2008 23:57:36
- Processing time: 3 min 49 sec
- Downloaded sample:
- File MD5: 0xBF3706540DCF09C88551BEE54B7CC1D4
- Filesize: 88,064 bytes
Technical Details:
| File System Modifications |
- The following file was created in the system:
# | Filename(s) | File Size | File MD5
1 | %Temp%\1.tmp | 0 bytes | 0xD41D8CD98F00B204E9800998ECF8427E
- Note:
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).