----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=002a217d4bbb8ff8fd8e941acca85fcd

Submission details:
  Submission received: 1 October 2011, 11:12:13
  Processing time: 10 min 50 sec

Submitted sample:
  File MD5:    0x002A217D4BBB8FF8FD8E941ACCA85FCD
  File SHA-1:  0x18DB92E9E721EE699F20E58B8C1E071304C0FB7C
  Filesize:    229,376 bytes
  Packer info: packed with: UPX [Kaspersky Lab]

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
    Trace Level = ""
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5D 20 5F 99 24 3C 36 87
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    Kczovqiu = "%System%\wbcachet.exe"
    so that wbcachet.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = 12 7B 27 B8 A8 9E 14 BF 33 03 38 66 4D 59 D1 29 E2 DF B4 28 39 37 41 48 A4 54 4E 33 D3 7D 06 53 DA 38 84 9E 2E C2 4D D0 F9 32 F0 7F 74 DB 2F D3 24 F1 1E C8 B1 98 BB 2F 42 AF E0 46 BA 4F 26 D9 E5 2D 16 B9 B7 67 5C 5E 12 D1 1C 15 1B A0 CA 1C 47 E4 AC 9
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5D 20 5F 99 24 3C 36 87
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = 12 7B 27 B8 A8 9E 14 BF 33 03 38 66 4D 59 D1 29 E2 DF B4 28 39 37 41 48 A4 54 4E 33 D3 7D 06 53 DA 38 84 9E 2E C2 4D D0 F9 32 F0 7F 74 DB 2F D3 24 F1 1E C8 B1 98 BB 2F 42 AF E0 46 BA 4F 26 D9 E5 2D 16 B9 B7 67 5C 5E 12 D1 1C 15 1B A0 CA 1C 47 E4 AC 9

There was registered attempt to establish connection with the remote host. The connection details are:
  Remote Host       Port Number
  95.211.130.162    80

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=84cb1194b264d1b6fe85c6922fc26a2c

Submission details:
  Submission received: 16 October 2011, 02:34:33
  Processing time: 8 min 11 sec

Submitted sample:
  File MD5:    0x84CB1194B264D1B6FE85C6922FC26A2C
  File SHA-1:  0x60FA283698E3DD680F2948AA6887584753EFC081
  Filesize:    244,224 bytes

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
    Trace Level = ""
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5C 19 71 A5
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    JZTS = "%System%\tree5.exe"
    so that tree5.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = B3 F0 A2 F8 05 87 A2 C2 3C FC 73 66 4D 2E EB B4 F7 CA 5C 77 D8 15 BC B7 9E 0C 76 0A 5D 35 B7 CB 4D 0F 14 49 E6 5C 04 2B F8 4E EB 23 24 DA 1C C7 D4 B4 98 AE B1 CB 42 3F F3 2C A9 B5 8A 08 76 AA A0 2D 69 CF 58 24 7C D3 01 06 68 54 E4 13 0F 40 80 60 F6 6
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5C 19 71 A5
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = B3 F0 A2 F8 05 87 A2 C2 3C FC 73 66 4D 2E EB B4 F7 CA 5C 77 D8 15 BC B7 9E 0C 76 0A 5D 35 B7 CB 4D 0F 14 49 E6 5C 04 2B F8 4E EB 23 24 DA 1C C7 D4 B4 98 AE B1 CB 42 3F F3 2C A9 B5 8A 08 76 AA A0 2D 69 CF 58 24 7C D3 01 06 68 54 E4 13 0F 40 80 60 F6 6

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=8e6b7ace686e424e0e2c413d520222ab

Submission details:
  Submission received: 22 October 2011, 11:12:15
  Processing time: 8 min 16 sec

Submitted sample:
  File MD5:    0x8E6B7ACE686E424E0E2C413D520222AB
  File SHA-1:  0xF0B09E5F1E97C708B8F7053FAC4BC3473D1E3C75
  Filesize:    231,936 bytes
  Packer info: packed with: UPX [Kaspersky Lab]

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
    Trace Level = ""
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5D 09 6C A5 15 1F 08 A3
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    KJISGRWQ = "%System%\MSJINT35M.exe"
    so that MSJINT35M.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = B6 F7 AE 78 A2 7A CA EC CC 03 04 EB 96 61 B8 D9 6B 28 E6 77 10 0D E1 56 9E 97 F5 65 69 70 A3 36 51 C0 97 89 19 B4 C6 6C 83 C7 C2 6F 24 56 4E B6 48 3D 4D 04 57 B8 A6 D7 CA 2C 82 B9 8A C5 C1 D9 E5 A6 E8 94 C3 44 1B 95 ED 2E 1C 44 90 99 EB B3 63 E9 37 8
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5D 09 6C A5 15 1F 08 A3
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = B6 F7 AE 78 A2 7A CA EC CC 03 04 EB 96 61 B8 D9 6B 28 E6 77 10 0D E1 56 9E 97 F5 65 69 70 A3 36 51 C0 97 89 19 B4 C6 6C 83 C7 C2 6F 24 56 4E B6 48 3D 4D 04 57 B8 A6 D7 CA 2C 82 B9 8A C5 C1 D9 E5 A6 E8 94 C3 44 1B 95 ED 2E 1C 44 90 99 EB B3 63 E9 37 8

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=cc4d3340927075f683f3c54b3d623cc4

Submission details:
  Submission received: 3 November 2011, 05:16:38
  Processing time: 9 min 36 sec

Submitted sample:
  File MD5:    0xCC4D3340927075F683F3C54B3D623CC4
  File SHA-1:  0x040404EF96C908CD4C39EFD70CC6AB4B7B1E1C97
  Filesize:    275,456 bytes
  Alias & packer info:
    Trojan-Downloader.Win32.Ponmocup [Ikarus]
    packed with: UPX [Kaspersky Lab]

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
    Trace Level = ""
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 7C 33 49 93 31 24 38 82 C4 B1
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    jplecigpio = "%System%\c_852M.exe"
    so that c_852M.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = 44 4B 8B 5A 64 43 ED 84 47 99 46 7C F8 7C 28 26 EC F3 04 A0 52 94 E5 86 FD DF 8B D5 CF 76 A4 FE 4D 5F 3B 11 76 82 08 97 BD 62 87 BF 90 FD 18 50 7F 01 1E ED 0F A6 A0 7E 32 9A B4 91 9C 4D 12 FF 5B 1A DB BA B9 0F 21 06 38 C9 4A 0B C3 2A DC F2 68 95 27 B
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 7C 33 49 93 31 24 38 82 C4 B1
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = 44 4B 8B 5A 64 43 ED 84 47 99 46 7C F8 7C 28 26 EC F3 04 A0 52 94 E5 86 FD DF 8B D5 CF 76 A4 FE 4D 5F 3B 11 76 82 08 97 BD 62 87 BF 90 FD 18 50 7F 01 1E ED 0F A6 A0 7E 32 9A B4 91 9C 4D 12 FF 5B 1A DB BA B9 0F 21 06 38 C9 4A 0B C3 2A DC F2 68 95 27 B

There was registered attempt to establish connection with the remote host. The connection details are:
  Remote Host       Port Number
  82.192.79.174     80

The data identified by the following URL was then requested from the remote web server:
  http://82.192.79.174/search

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=ee324ae3e7b7b9bd2a6ac558702b2f48

Submission details:
  Submission received: 6 November 2011, 17:12:11
  Processing time: 9 min 44 sec

Submitted sample:
  File MD5:    0xEE324AE3E7B7B9BD2A6AC558702B2F48
  File SHA-1:  0xBC3AD0F878139EE95994063185F0F3AFC66D0874
  Filesize:    12,992 bytes

The following files were created in the system:
  #  Filename(s)                           File Size       File Hash                                             Alias
  1  %Temp%\4er2.tmp                       370,176 bytes   MD5: 0x1F40ED6D3A29D6972BD1C0AC98D2AF7A               Trojan.Win32.Pakes.qkk [Kaspersky Lab]
                                                           SHA-1: 0x12DD77A0337296D269A643D1EAD472FBC4C99A13
  2  %System%\crt.dat                      16 bytes        MD5: 0xEE1E7414F43DD0B2D0A61DA0BBF1E8BD               (not available)
                                                           SHA-1: 0x8302BC695E3FF44AE4E9B9AD1D1B148214CAFD45
  3  %System%\mdhcp32.dll                  50,688 bytes    MD5: 0x28CC1F85B7F6BDEB09D52F2F5F281345               Trojan:Win32/Lukicsel.I [Microsoft]
                                                           SHA-1: 0xFC21308F02663C6DDC51C0DA3EF214BAE707965D     Win32.SuspectCrc [Ikarus]
  4  [file and pathname of the sample #1]  12,992 bytes    MD5: 0xEE324AE3E7B7B9BD2A6AC558702B2F48               (not available)
                                                           SHA-1: 0xBC3AD0F878139EE95994063185F0F3AFC66D0874
  5  %System%\shimg.dll                    295,061 bytes   MD5: 0xB2EFA5ADA901B216C96CF795255A8C8D               (not available)
                                                           SHA-1: 0xE97CAF6FEC294295D21A1ADA0AD0974DEEDBC8C4

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Data]
    data5 = 48 52 37 36 2C 11 58 93 F6 70 E8 43 85 E8 5C 91 F9 75 C9 46 9D 2C B6 B1 A4 89 F0 6A FD 6C CC 2E 33 33 30 25 25 10 66 B7 97 26 A9 19 86 E4 52 8F F0 77 C9 46 84 13 F6 F8 A7 83 FB 74 FD 61 F2 0A
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
    Trace Level = ""
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 74 25 57 8F 26 3C 3B 9A
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    bfrytqdh = "%System%\wmsdmoe20.exe"
    so that wmsdmoe20.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhcp32]
    DllName = "mdhcp32.dll"
    Startup = "WinStart2EX"
    Logoff = "WinOff2EX"
    Shutdown = "WinOff2EX"
    Asynchronous = 0x00000001
    Impersonate = 0x00000000
    so that mdhcp32.dll is installed as a Winlogon notification package
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = EC 2C B2 BA E2 70 67 EF 84 90 F2 7D E1 2A D7 42 40 87 C9 74 08 4A 73 BE E9 FE 8B 84 5E F4 3D 2B 24 37 20 CF FA 62 EB 21 7C 67 12 E1 93 25 AC 38 DB 60 C0 25 D4 B7 C4 0A 4E A7 0F 9F B3 81 3E D9 D5 D0 44 6C FD 67 8F 05 23 D1 0D 44 17 58 17 68 97 67 11 F
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 74 25 57 8F 26 3C 3B 9A
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = EC 2C B2 BA E2 70 67 EF 84 90 F2 7D E1 2A D7 42 40 87 C9 74 08 4A 73 BE E9 FE 8B 84 5E F4 3D 2B 24 37 20 CF FA 62 EB 21 7C 67 12 E1 93 25 AC 38 DB 60 C0 25 D4 B7 C4 0A 4E A7 0F 9F B3 81 3E D9 D5 D0 44 6C FD 67 8F 05 23 D1 0D 44 17 58 17 68 97 67 11 F

There were registered attempts to establish connection with the remote hosts. The connection details are:
  Remote Host       Port Number
  173.193.216.86    8014
  204.0.5.42        80
  69.163.248.145    80
  69.163.250.145    80
  82.192.79.174     80
  31.214.169.43     8000

The data identified by the following URLs was then requested from the remote web server:
  http://www.foxnews.com/
  http://cache2.bazookanetworks.com/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
  http://cache.trillinux.org/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
  http://82.192.79.174/search

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=b4d689fe9e91c269fd229d8716cf4c1b

Submission details:
  Submission received: 14 November 2011, 13:29:31
  Processing time: 10 min 0 sec

Submitted sample:
  File MD5:    0xB4D689FE9E91C269FD229D8716CF4C1B
  File SHA-1:  0xD032BD23AD927E9C4D9E551FBA81623F6CAB4943
  Filesize:    231,936 bytes
  Alias:
    Mal/Generic-L [Sophos]
    Trojan-Downloader.Win32.Ponmocup [Ikarus]

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
    Trace Level = ""
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 4F 0D 69 A1 14
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    YNLWF = "%System%\audiosrvu.exe"
    so that audiosrvu.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = 0B 81 AB A8 9E CC 79 6D D4 0E 2A 1F F2 FF B1 37 A9 04 08 0E 08 F7 6E DF BF 1B 47 8E CE 5E F9 3F 07 5A 96 9C D2 33 FB 79 4E D1 75 66 7F 8D 57 48 0C 46 0D 54 90 25 83 30 9C B4 56 DC B5 D7 59 6D B3 39 CA 2F BF C6 7A 9F 23 D5 96 96 F6 00 67 FB 4C FC DB A
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 4F 0D 69 A1 14
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = 0B 81 AB A8 9E CC 79 6D D4 0E 2A 1F F2 FF B1 37 A9 04 08 0E 08 F7 6E DF BF 1B 47 8E CE 5E F9 3F 07 5A 96 9C D2 33 FB 79 4E D1 75 66 7F 8D 57 48 0C 46 0D 54 90 25 83 30 9C B4 56 DC B5 D7 59 6D B3 39 CA 2F BF C6 7A 9F 23 D5 96 96 F6 00 67 FB 4C FC DB A

There was registered attempt to establish connection with the remote host. The connection details are:
  Remote Host       Port Number
  38.126.198.16     80

The data identified by the following URL was then requested from the remote web server:
  http://multiply.com/

----------------------------------------------------------------------------------------------------
http://www.antivirus365.org/PCAntivirus/43818.html

Newest Sample Submit: 2011-11-6 19:03:22

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 70 35 57 9D 3A 20 34 87 DB
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    fvrkhmkuv = "C:\Windows\System32\\rcbdyctl2.exe"
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = B8 D9 DD 9E C3 A2 E3 6B FA 2E A6 DF D3 2F 2E 45 62 8E D9 77 C2 54 A0 C7 71 7B 52 04 15 C6 61 12 B4 1E 01 7C 82 A8 FA 2C 3E 54 66 25 DF 1A 80 A8 94 15 FA EB 86 79 2A DD C0 32 B0 5D C3 B7 61 CC DF 49 97 CF CE 82 C2 DA E4 2D 9C 68 72 F3 42 41 29 7E 30 1
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 70 35 57 9D 3A 20 34 87 DB
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = B8 D9 DD 9E C3 A2 E3 6B FA 2E A6 DF D3 2F 2E 45 62 8E D9 77 C2 54 A0 C7 71 7B 52 04 15 C6 61 12 B4 1E 01 7C 82 A8 FA 2C 3E 54 66 25 DF 1A 80 A8 94 15 FA EB 86 79 2A DD C0 32 B0 5D C3 B7 61 CC DF 49 97 CF CE 82 C2 DA E4 2D 9C 68 72 F3 42 41 29 7E 30 1

The data identified by the following URL was then requested from the remote web server:
  http://82.192.79.174/search

----------------------------------------------------------------------------------------------------
sample modified hosts file:

  127.0.0.1 thepiratebay.org
  127.0.0.1 www.thepiratebay.org
  127.0.0.1 mininova.org
  127.0.0.1 www.mininova.org
  127.0.0.1 forum.mininova.org
  127.0.0.1 blog.mininova.org
  127.0.0.1 suprbay.org
  127.0.0.1 www.suprbay.org

----------------------------------------------------------------------------------------------------