Submission Summary:
* Submission details:
o Submission received: 7 August 2008, 09:54:22
o Processing time: 5 min 2 sec
o Submitted sample:
+ File MD5: 0x92A4F4A3138BA16CB765AC939959A2AB
+ Filesize: 118 501 bytes
+ Alias: Trojan.Lineage.Gen!Pac.3 [PCTools], Trojan-PSW.Win32.OnLineGames.yxf [Kaspersky Lab], Infostealer.Gampass [Symantec], PWS-Gamania.gen.a [McAfee], WORM_AUTORUN.ASD [Trend Micro], Mal/EncPk-CE [Sophos], Worm:Win32/Taterf.gen!C [Microsoft]
* Summary of the findings:
What's been found Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.
Technical Details:
Possible Security Risk
* Attention! Characteristics of the following security risks were identified in the system:
Security Risk Description
Trojan-PWS.OnlineGames.ARun Trojan-PWS.OnlineGames.ARun attempts to steal password information associated to popular online games such as MapleStory, Legend of Mir and World of Warcraft. It has the ability to spread itself via removable disk such as USB drives.
Rootkit.Agent.QV Rootkit.Agent.QV injects rootkit components into Windows processes and attempts to hides itself from detection. It also made changes to Windows Explorer settings and download other malicious files from external servers.
* Attention! The following threat categories were identified:
Threat Category Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A network-aware worm that attempts to replicate across the existing network(s)
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File MD5 Alias
1 c:\autorun.inf 575 bytes 0x1E16FBA1A04DD9FEA40D229ECE2124AF Worm.Win32.AutoRun.ekp [Kaspersky Lab]Mal/AutoInf-A [Sophos]
2 %Temp%\bmdhu.dll 27 038 bytes 0x657A1FA9D789B7CD14DEE65BEE47CCB6 Trojan-PWS.OnlineGames.ARun [PCTools]Trojan-PSW.Win32.OnLineGames.yxd [Kaspersky Lab]Bloodhound.Packed.Jmp [Symantec]PWS-Gamania.gen.a [McAfee]TSPY_ONLINEG.JRA [Trend Micro]Mal/Generic-A [Sophos]VirTool:WinNT/Vanti.gen!C [Microsoft]
3 c:\o.exe
%System%\kavo.exe
[file and pathname of the sample #1] 118 501 bytes 0x92A4F4A3138BA16CB765AC939959A2AB Trojan.Lineage.Gen!Pac.3 [PCTools]Trojan-PSW.Win32.OnLineGames.yxf [Kaspersky Lab]Infostealer.Gampass [Symantec]PWS-Gamania.gen.a [McAfee]WORM_AUTORUN.ASD [Trend Micro]Mal/EncPk-CE [Sophos]Worm:Win32/Taterf.gen!C [Microsoft]
4 %System%\kavo0.dll
%System%\kavo1.dll 125 952 bytes 0xEAA7CFC77A34607985C3AFB37B5490AD Trojan.Lineage.Gen!Pac.3 [PCTools]Trojan-PSW.Win32.OnLineGames.yxc [Kaspersky Lab]Trojan.Packed.NsAnti [Symantec]PWS-Gamania.gen.a [McAfee]Mal/EncPk-CE [Sophos]Worm:Win32/Taterf.B.dll [Microsoft]
* Notes:
o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
kavo.exe %System%\kavo.exe 266 240 bytes
[filename of the sample #1] [file and pathname of the sample #1] 266 240 bytes
* The following module was loaded into the address space of other process(es):
Module Name Module Filename Address Space Details
kavo0.dll %System%\kavo0.dll Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1B60000 - 0x1B93000
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ kava = "%System%\kavo.exe"
so that o.exe runs every time Windows starts
* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
+ CheckedValue = 0x00000000
so that hidden files and folders are not displayed in explorer when browsing the file system
Other details
* The following Internet download was started (the retrieved bits are saved into the local file):
URL to be downloaded Filename for the downloaded bits
http://(donttryit...).1a123.com/hp/zz.rar %Temp%\zz.rar
