文件夹图标执行程序[MD5: 3E98DC]

smallzxc

教师U盘中发现，即文件夹图标后缀为.exe，但并非隐藏原文件夹，似乎是删除了。大小皆为1.43MB。使用KIS2009（病毒库升级到10月22日0728时）扫描未报，USBCleaner6.0.1019扫描提示可疑上报。双击执行在system32下生成XP-671BBFF6.EXE（文件夹图标），进程中也有。被卡巴直接添加到高受限组。

Palkia

病毒        2008-10-22  18:56:57        病毒在文件C:\Documents and Settings\Administrator\桌面\样本\还原.exe中        Worm.Agent.wm.1509098        处理成功（操作：删除）

欠妳緈諨

欠妳緈諨

无尽藏海

又直接点上了……

sqsszzq

看来NAB还是有点太保守啊。。。。诺顿2009与NAB均无反应，第一张是助手扫描的

aerbeisi

BING126

McAfee  miss

aerbeisi

Submission Summary:

• Submission details:
  • Submission received: 22 October 2008, 22:57:15
  • Processing time: 7 min 50 sec
  • Submitted sample:
    • File MD5: 0x3E98DC5CA9A87E18BB20F3AE147C2C82
    • Filesize: 1,509,098 bytes
    • Alias: Worm:Win32/Autorun.DM [Microsoft]

• Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Dropper.Agent.BPF	Trojan-Dropper.Agent.BPF drops additional malware onto infected computers.

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	%Temp%\E_4\com.run %System%\com.run	270,336 bytes	0xDAD6119F6B8762CEADE3EAD14B13946F	BackDoor-CJV [McAfee]
2	%Temp%\E_4\dp1.fne %System%\dp1.fne	114,688 bytes	0xC4625F024B619010A8390097A1AE24E9	(not available)
3	%Temp%\E_4\eAPI.fne %System%\eAPI.fne	323,584 bytes	0xD008137238405B65855ED8C2C2DEEB36	Mal/Behav-027, Mal/Behav-010 [Sophos]
4	%Temp%\E_4\internet.fne %System%\internet.fne	184,320 bytes	0x221B0EF7E023EA869475A2A75EBD3C5F	(not available)
5	%Temp%\E_4\krnln.fnr %System%\krnln.fnr	1,097,728 bytes	0x49E5171B6DFE96AA33379CF0A0631631	(not available)
6	%Temp%\E_4\RegEx.fnr %System%\RegEx.fnr	217,088 bytes	0x7C81FCD2DC4FEF10827557DA75852F6C	(not available)
7	%Temp%\E_4\shell.fne %System%\shell.fne	40,960 bytes	0xBEA1A61B59B855463188B2E2B4105A37	(not available)
8	%Temp%\E_4\spec.fne %System%\spec.fne	73,728 bytes	0x07738CCB071F9BB8D94926FA40B91042	(not available)
9	%Programs%\Startup\������.lnk	625 bytes	0x55DEC300A94381B634056E79765E88D4	(not available)
10	%System%\og.dll	692 bytes	0xAFAE5A34F0035F8241EB150D07B108C4	(not available)
11	%System%\og.EDT	512 bytes	0xD2C384C2F4C3B5DB83047A3A38C159B3	(not available)
12	[file and pathname of the sample #1] %System%\XP-C300C3AC.EXE	1,509,098 bytes	0x3E98DC5CA9A87E18BB20F3AE147C2C82	Worm:Win32/Autorun.DM [Microsoft]
13	%System%\ul.dll	1,868 bytes	0x599B6371F06395478761728DA860925C	(not available)

• Notes:
  • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
  • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

• The following directory was created:
  • %Temp%\E_4

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
XP-C300C3AC.EXE	%System%\xp-c300c3ac.exe	180,224 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	180,224 bytes
XP-EF35F93A.EXE	%System%\XP-EF35F93A.EXE	180,224 bytes

Registry Modifications

• The newly created Registry Value is:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • XP-C300C3AC = "%System%\XP-C300C3AC.EXE"
    
    so that XP-C300C3AC.EXE runs every time Windows starts
    

Other details

• Analysis of the file resources indicate the following possible country of origin:

China

• The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
hi.baidu.com	0	(null)	(null)
www.hidatabase.cn	0	(null)	(null)
www.yeanqin.com	0	(null)	(null)

• The following GET requests were made:
  • siletoyou
  • ul.htm

aerbeisi

&#36824 : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS
    * Compressed: NO
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK
    * Filetype: PE_I386

[ General information ]
    * File length:      1509098 bytes.
    * MD5 hash: 3e98dc5ca9a87e18bb20f3ae147c2c82.

[ Changes to filesystem ]
    * Creates directory C:\WINDOWS\TEMP\E_00000004.