Saturday, April 18, 2009

hldrrr.exe srosa.sys bagle

Submission Summary:

  • Submission details:
    • Submission received: 19 April 2009, 12:09:13
    • Processing time: 9 min 24 sec
    • Submitted sample:
      • File MD5: 0x113554AB42E9EF2B530284E51370C507
      • File SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
      • Filesize: 655,360 bytes
      • Alias:
  • Summary of the findings:

What's been found

  • Capability to terminate antivirus, firewall and other security-related processes.
  • Is protected with Themida to hinder reverse engineering. Themida protection can be used by a threat to complicate manual analysis (e.g. the sample may refuse to run under a virtual machine).
  • Downloads/requests other files from the Internet.
  • Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
  • Creates a startup registry entry.
  • Contains characteristics of an identified security risk.


Possible Security Risk

  • Attention! Characteristics of the following security risks were identified in the system:
    • Trojan-Downloader.Bagle: runs in the background and attempts to download malicious files from the Internet without the user's knowledge.
    • Trojan.Lodear.D: a trojan that installs itself on the infected computer so that it starts every time the system reboots; it also tries to download and install additional malware from a list of predetermined websites.
    • Rootkit.Agent: a trojan that hijacks the browser to produce pop-up advertisements from known bad sites and has rootkit functionality to hide itself as a system driver.

  • Attention! The following threat categories were identified:
    • A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
    • A program that downloads files to the local computer that may represent a security risk
    • A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

  • The following files were created in the system:
    • 1. %System%\drivers\hldrrr.exe [file and pathname of the sample #1]
      • File size: 655,360 bytes
      • MD5: 0x113554AB42E9EF2B530284E51370C507
      • SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
      • Aliases: Trojan.DL.Bagle.ZPL [PCTools]; W32.Beagle.EB [Symantec]; Trojan-Downloader.Win32.Bagle.ajd [Kaspersky Lab]; Downloader.gen.a [McAfee]; Troj/Agent-GQY [Sophos]; TrojanDownloader:Win32/Bagle.RN [Microsoft]; Trojan-Downloader.Win32.Bagle [Ikarus]; Win-Trojan/Bagle.655360 [AhnLab]
    • 2. %System%\drivers\srosa.sys
      • File size: 100,352 bytes
      • MD5: 0x09348BABE24297C2911724AD90FC773B
      • SHA-1: 0x004F941EB05890E960337074F79B83E6A7577C08
      • Aliases: Rootkit.Bagle.Gen.21 [PCTools]; Trojan Horse [Symantec]; Trojan-Downloader.Win32.Bagle.jh [Kaspersky Lab]; Generic Downloader.x [McAfee]; Trojan:WinNT/Bagle.gen!B [Microsoft]; Trojan-Downloader.Win32.Bagle [Ikarus]; Win-Trojan/Bagle.100352 [AhnLab]

  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following directory was created:
    • %System%\drivers\down
  • The following directory was deleted:
    • [pathname with a string SHARE]\shared
  • The following system services were modified (service name, display name, new status, service filename):
    • ALG (Application Layer Gateway Service): "Stopped"; %System%\alg.exe
    • SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)): "Stopped"; %System%\svchost.exe -k netsvcs
    • wscsvc (Security Center): "Stopped"; %System%\svchost.exe -k netsvcs
    • wuauserv (Automatic Updates): "Stopped"; %System%\svchost.exe -k netsvcs

  • There was a new kernel-mode driver installed in the system (driver name, driver filename):
    • Megadrv3: %System%\drivers\srosa.sys

Registry Modifications

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum
    • HKEY_CURRENT_USER\Software\FirstRRRun
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy
    • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy\Settings
  • The following Registry Keys were deleted:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccess
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
      • EnableLUA = 0x00000000
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc]
      • EnableLUA = 0x00000016
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "srosa"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
      • Service = "srosa"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "Megadrv3"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum]
      • 0 = "Root\LEGACY_SROSA\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa]
      • Type = 0x00000001
      • Start = 0x00000001
      • ErrorControl = 0x00000000
      • ImagePath = "%System%\drivers\srosa.sys"
      • DisplayName = "Megadrv3"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = "srosa"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000]
      • Service = "srosa"
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = "Megadrv3"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum]
      • 0 = "Root\LEGACY_SROSA\0000"
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
      • Type = 0x00000001
      • Start = 0x00000001
      • ErrorControl = 0x00000000
      • ImagePath = "%System%\drivers\srosa.sys"
      • DisplayName = "Megadrv3"
    • [HKEY_CURRENT_USER\Software\FirstRRRun]
      • First12Ru123n = 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • drvsyskit = "%System%\drivers\hldrrr.exe" (so that hldrrr.exe runs every time Windows starts)
  • The following Registry Values were deleted:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
      • C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\ = ""
      • C:\WINDOWS\Installer\{4275B162-C5C0-4912-9522-E92FE1C4E21D}\ = ""
      • C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\{3966BA0C-23BA-4B20-9B9D-7561DEC54E6A}\ = ""
      • C:\Program Files\VMware\VMware Tools\Drivers\memctl\ = ""
      • C:\Program Files\VMware\VMware Tools\TPOG3\ = ""
      • C:\Program Files\VMware\VMware Tools\TPOG3\amd64\ = ""
      • C:\Program Files\VMware\VMware Tools\TPOG3\i386\ = ""
      • C:\Program Files\VMware\VMware Tools\vmci\ = ""
      • C:\WINDOWS\Installer\{3B410500-1802-488E-9EF1-4B11992E0440}\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ = "1"
      • C:\WINDOWS\Microsoft.NET\Framework\ = "1"
      • C:\WINDOWS\Microsoft.NET\ = "1"
      • C:\WINDOWS\PCHEALTH\ERRORREP\ = "1"
      • C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\ = "1"
      • C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\ = "1"
      • C:\WINDOWS\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RedistList\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild\ = ""
      • C:\WINDOWS\system32\MUI\0409\ = ""
      • C:\Program Files\Internet Explorer\MUI\0409\ = ""
      • C:\Program Files\Internet Explorer\MUI\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\ = ""
      • C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1025\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1028\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1031\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1033\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1036\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1040\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1041\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\1042\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\2052\ = ""
      • C:\Program Files\Common Files\Microsoft Shared\DW\3082\ = ""
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\ = ""
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\AppConfigCommon.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.resx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\navigationBar.ascx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAddUser.ascx = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll = 0x00000001
      • C:\WINDOWS\system32\dfshim.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll = 0x00000001
      • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.tlb = 0x00000002
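
The registry and file-system sections above give enough to triage a host without the sandbox. The script below is an added example (it is not part of the original report and not a vendor tool): it reads the text that `reg export` produces and flags the indicators listed above, i.e. the HKCU Run value drvsyskit pointing at hldrrr.exe, the srosa service (DisplayName Megadrv3), the removed SafeBoot\Minimal and SafeBoot\Network keys, and EnableLUA = 0. The two .reg samples embedded in it are constructed for the example; value paths in them are assumed, since the report only shows %System% placeholders.

```python
"""Host-side indicator check for the Bagle/srosa variant described above.
Added example, not part of the original report: reads `reg export` text and
flags the registry indicators the report lists. The two .reg samples at the
bottom are constructed for this example."""
import re
import sys

RUN_SUFFIX = "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"
SERVICE_SUFFIX = "\\SERVICES\\SROSA"
POLICY_SUFFIX = "\\CURRENTVERSION\\POLICIES\\SYSTEM"
CONTROL_RE = re.compile(r"\\SYSTEM\\(CURRENTCONTROLSET|CONTROLSET\d+)\\CONTROL(\\|$)")


def parse_reg(text):
    """Parse .reg text into {KEY_UPPER: {value_name: raw_value}}.
    Values keep their .reg encoding ("string", dword:xxxxxxxx, hex:...), which
    is all the matching below needs; multi-line hex continuations are ignored.
    Keys are upper-cased because registry key names are case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1) if m.group(1) is not None else "(Default)"] = m.group(2)
    return keys


def check_bagle_indicators(reg_text):
    """Return a list of findings (an empty list means no indicator matched)."""
    keys = parse_reg(reg_text)
    findings = []
    for key, values in keys.items():
        # 1. Startup entry: HKCU\...\Run\drvsyskit = %System%\drivers\hldrrr.exe
        if key.endswith(RUN_SUFFIX):
            for name, value in values.items():
                if name.lower() == "drvsyskit" or "hldrrr.exe" in value.lower():
                    findings.append("Run value %s = %s" % (name, value))
        # 2. The kernel driver service srosa (report: DisplayName Megadrv3)
        elif key.endswith(SERVICE_SUFFIX):
            findings.append("service srosa present, ImagePath=%s, DisplayName=%s"
                            % (values.get("ImagePath", "?"), values.get("DisplayName", "?")))
        # 3. UAC policy EnableLUA = 0, as written by the sample
        elif key.endswith(POLICY_SUFFIX) and values.get("EnableLUA", "").lower() == "dword:00000000":
            findings.append("EnableLUA = 0 (UAC disabled)")
    # 4. SafeBoot keys deleted. Absence only means something if the export
    #    actually covers SYSTEM\...\Control; a partial export (say, only HKCU)
    #    would otherwise produce a false positive here.
    if any(CONTROL_RE.search(k) for k in keys):
        for profile in ("MINIMAL", "NETWORK"):
            if not any(k.endswith("\\CONTROL\\SAFEBOOT\\" + profile) for k in keys):
                findings.append("SafeBoot\\%s key missing (Safe Mode disabled)" % profile.title())
    return findings


# Constructed sample of an infected host's export (paths assumed, not from the report)
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="C:\\WINDOWS\\system32\\drivers\\hldrrr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\srosa.sys"
"DisplayName"="Megadrv3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"""

# Constructed sample of a clean host's export
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000001
"""


def load_export(path):
    """reg.exe writes UTF-16LE with a BOM; fall back to UTF-8 for hand-edited files."""
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", "replace")


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else INFECTED_EXPORT
    hits = check_bagle_indicators(text)
    for hit in hits:
        print("[!]", hit)
    print("%d indicator(s) matched" % len(hits) if hits else "no Bagle/srosa indicators found")
    sys.exit(1 if hits else 0)
```

Run it against a full `reg export HKLM\SYSTEM` plus `reg export HKCU` (concatenated) from the suspect machine; the SafeBoot check is deliberately skipped when the export does not contain the Control subtree, because an empty SafeBoot result from a partial export proves nothing.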


Other details

  • To mark the presence in the system, the following Mutex object was created:
    • DBWinMutex
  • The following Host Name was requested from a host database:
    • www.ru
  • The following Internet downloads were started (the retrieved bits are saved into the local file). Each entry lists the URL to be downloaded followed by the filename for the downloaded bits:

http://www.courdesloges.com/files2.php
%System%\drivers\down\407265.exe

http://aytocristobal.com/files2.php
%System%\drivers\down\407312.exe

http://cuidatumiembro.com/files2.php
%System%\drivers\down\407328.exe

http://maneironsclimb.com/files2.php
%System%\drivers\down\407328.exe

http://www.etraining.ee/files2.php
%System%\drivers\down\407343.exe

http://dancefrequency.com.br/files2.php
%System%\drivers\down\407343.exe

http://darioo.altervista.org/files2.php
%System%\drivers\down\407359.exe

http://daruliftaa.com/files2.php
%System%\drivers\down\407406.exe

http://datalifecenter.com/files2.php
%System%\drivers\down\407421.exe

http://datissa.com/files2.php
%System%\drivers\down\407421.exe

http://www.dbmetric.com/files2.php
%System%\drivers\down\407421.exe

http://WWW.DDP.COM.PE/files2.php
%System%\drivers\down\407437.exe

http://www.debmark.com/files2.php
%System%\drivers\down\407437.exe

http://decastrogil.es/files2.php
%System%\drivers\down\407484.exe

http://delattres.com/files2.php
%System%\drivers\down\407484.exe

http://demianaiello.com.ar/files2.php
%System%\drivers\down\407500.exe

http://demo.portaltapejara.com/files2.php
%System%\drivers\down\407500.exe

http://derechoydemocracia.es/files2.php
%System%\drivers\down\407515.exe

http://www.devergo.com/files2.php
%System%\drivers\down\407531.exe

http://dezaete.nl/files2.php
%System%\drivers\down\407531.exe

http://dieppeseinemaritime.com/files2.php
%System%\drivers\down\407531.exe

http://digitalpicture.com/files2.php
%System%\drivers\down\407578.exe

http://digicromo.com/files2.php
%System%\drivers\down\407578.exe

http://diocesequebec.qc.ca/files2.php
%System%\drivers\down\407593.exe

http://divinaclub.com/files2.php
%System%\drivers\down\407593.exe

http://divinojocelyn.altervista.org/files2.php
%System%\drivers\down\407609.exe

http://dj-horoz.com/files2.php
%System%\drivers\down\407609.exe

http://djsoprano.cp.win.pl/files2.php
%System%\drivers\down\407609.exe

http://djthefox.com/files2.php
%System%\drivers\down\407625.exe

http://deniselinsconvites.com.br/files2.php
%System%\drivers\down\407687.exe

http://lotva.org/files2.php
%System%\drivers\down\407703.exe

http://oliwia.iskierka.org/files2.php
%System%\drivers\down\407703.exe

http://dospablos.es/files2.php
%System%\drivers\down\407703.exe

http://dponcemi.altervista.org/files2.php
%System%\drivers\down\407718.exe

http://drutplast.com.pl/files2.php
%System%\drivers\down\407765.exe

http://dudys.bx.pl/files2.php
%System%\drivers\down\407765.exe

http://dukedem.com/files2.php
%System%\drivers\down\407781.exe

http://dddesignstudio.com/files2.php
%System%\drivers\down\407796.exe

http://easylimo.es/files2.php
%System%\drivers\down\407828.exe

http://doctorlife.org/files2.php
%System%\drivers\down\407859.exe

http://eccesso.es/files2.php
%System%\drivers\down\407859.exe

http://ecobos.be/files2.php
%System%\drivers\down\407875.exe

http://www.edenvillage.it/files2.php
%System%\drivers\down\407875.exe

http://programaseducativos-salamanca.com/files2.php
%System%\drivers\down\407890.exe

http://www.ekogips.pl/files2.php
%System%\drivers\down\407890.exe

http://www.ekotap.pl/files2.php
%System%\drivers\down\407906.exe

http://elelfogris.com/files2.php
%System%\drivers\down\407906.exe

http://elemco.pl/files2.php
%System%\drivers\down\407906.exe

http://elitan.pl/files2.php
%System%\drivers\down\407953.exe

http://passecdl.co.uk/files2.php
%System%\drivers\down\407953.exe

http://www.elotron.com/files2.php
%System%\drivers\down\407968.exe

http://elpantalan.es/files2.php
%System%\drivers\down\407968.exe

http://industriascarnicaselrobledo.com/files2.php
Heuristics Analysis

  • Heuristically identified capability to terminate the following security-related processes (antivirus, firewall and updater executables):


Downloaded File Summary:

  • Summary of the findings:

What's been found / Severity Level:
  • Creates a startup registry entry.
  • Contains characteristics of an identified security risk.

Technical Details:


Possible Security Risk

  • Attention! The following threat categories were identified:

Threat Category / Description:
  • A network-aware worm that attempts to replicate across the existing network(s)
  • A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

  • The following file was created in the system:

  • File #1
    • Filename(s): %AppData%\m\flec006.exe; [file and pathname of the sample #1]
    • File Size: 99,844 bytes
    • File Hash: MD5: 0x3F4F042FC88BC862989DD6702E19D917; SHA-1: 0x566DD782D6E49431A401A43087DBC7AACE784C17
    • Alias:
      • Trojan.Lodeight.C [Symantec]
      • Email-Worm.Win32.Bagle.of [Kaspersky Lab]
      • W32/Bagle.gen [McAfee]
      • TROJ_BAGLE.AO [Trend Micro]
      • Mal/Packer, Mal/Behav-191, Mal/Bagpk-D [Sophos]
      • Worm:Win32/Bagle.gen!C [Microsoft]
      • Email-Worm.Win32.Bagle [Ikarus]
      • Win32/MalPackedB.suspicious [AhnLab]

  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  • The following directory was created:
    • %AppData%\m


Memory Modifications

  • There were new processes created in the system:

  • Process Name: flec006.exe
    • Process Filename: %AppData%\m\flec006.exe
    • Main Module Size: 261,617 bytes
  • Process Name: [filename of the sample #1]
    • Process Filename: [file and pathname of the sample #1]
    • Main Module Size: 261,617 bytes


Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • mule_st_key = "%AppData%\m\flec006.exe"

      so that flec006.exe runs every time Windows starts


Other details

  • The following Host Name was requested from a host database:
    • google.com