File details
Filename: CcEvtSvc.exe
File size: 91136 bytes
Build: 21 November 2007 7:40:57 PM
MD5: 45b79094263e778f496864cfeb14b401
SHA1: 81082acedc1b5d8786717a274723dcda52a10962
Packers: UPX
File CcEvtSvc.exe received on 11.21.2007 23:25:45 (CET)
AhnLab-V3 2007.11.22.0 2007.11.21 -
AntiVir 7.6.0.34 2007.11.21 TR/Crypt.FKM.Gen
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.21 -
AVG 7.5.0.503 2007.11.21 -
BitDefender 7.2 2007.11.21 -
CAT-QuickHeal 9.00 2007.11.21 -
ClamAV 0.91.2 2007.11.21 -
DrWeb 4.44.0.09170 2007.11.21 -
eSafe 7.0.15.0 2007.11.21 suspicious Trojan/Worm
eTrust-Vet 31.3.5315 2007.11.21 -
Ewido 4.0 2007.11.21 -
FileAdvisor 1 2007.11.21 -
Fortinet 3.14.0.0 2007.11.21 -
F-Prot 4.4.2.54 2007.11.21 -
F-Secure 6.70.13030.0 2007.11.21 -
Ikarus T3.1.1.12 2007.11.21 -
Kaspersky 7.0.0.125 2007.11.21 -
McAfee 5168 2007.11.21 -
Microsoft 1.3007 2007.11.21 -
NOD32v2 2676 2007.11.21 -
Norman 5.80.02 2007.11.21 -
Panda 9.0.0.4 2007.11.21 -
Prevx1 V2 2007.11.21 -
Rising 20.19.21.00 2007.11.21 -
Sophos 4.23.0 2007.11.21 -
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.21 -
TheHacker 6.2.9.136 2007.11.21 -
VBA32 3.12.2.5 2007.11.20 -
VirusBuster 4.3.26:9 2007.11.21 -
Webwasher-Gateway 6.0.1 2007.11.21 Trojan.Crypt.FKM.Gen
Filename: Apwcmdnt.dll
File size: 51200 bytes
Build: 21 November 2007 7:13:12 PM
MD5: 6b92abe5bf844ea1afe4b51e4140cfcb
SHA1: 26d146cf2c3a98d79e212c4c19a01c3507233a67
Packers: UPX
File Apwcmdnt.dll received on 11.21.2007 23:55:42 (CET)
AhnLab-V3 2007.11.22.0 2007.11.21 -
AntiVir 7.6.0.34 2007.11.21 -
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.21 -
AVG 7.5.0.503 2007.11.21 -
BitDefender 7.2 2007.11.21 -
CAT-QuickHeal 9.00 2007.11.21 -
ClamAV 0.91.2 2007.11.21 -
DrWeb 4.44.0.09170 2007.11.21 -
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5315 2007.11.21 -
Ewido 4.0 2007.11.21 -
FileAdvisor 1 2007.11.21 -
Fortinet 3.14.0.0 2007.11.21 -
F-Prot 4.4.2.54 2007.11.21 -
F-Secure 6.70.13030.0 2007.11.21 -
Ikarus T3.1.1.12 2007.11.21 -
Kaspersky 7.0.0.125 2007.11.21 -
McAfee 5168 2007.11.21 -
Microsoft 1.3007 2007.11.21 -
NOD32v2 2676 2007.11.21 -
Norman 5.80.02 2007.11.21 -
Panda 9.0.0.4 2007.11.21 -
Prevx1 V2 2007.11.22 -
Rising 20.19.21.00 2007.11.21 -
Sophos 4.23.0 2007.11.21 -
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.21 -
TheHacker 6.2.9.136 2007.11.21 -
VBA32 3.12.2.5 2007.11.20 -
VirusBuster 4.3.26:9 2007.11.21 -
Webwasher-Gateway 6.0.1 2007.11.21 Win32.UPXpacked.gen!94 (suspicious)
Visible signs
Logfile of Trend Micro HijackThis v2.0.2
...
O10 - Unknown file in Winsock LSP: c:\windows\system32\apwcmdnt.dll
Technical details
Registry changes.
- Adds a service called CcEvtSvc.
- Adds an entry to the winsock catalog.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CCEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CCEVTSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CCEVTSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc "DisplayName"
Type: REG_SZ
Data: CcEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
Files added.
c:\WINDOWS\system32\Apwcmdnt.dll
Date: 11/21/2007 11:50 PM
Size: 51,200 bytes
c:\WINDOWS\system32\CcEvtSvc.exe
Date: 11/21/2007 11:45 PM
Size: 91,136 bytes
Notes
Random file names: NO
Random service / service name: NO
Hardcoded strings (file offset, virtual address, string):
0000E410 0040FC10 0 Apwcmdnt.dll
0000E5F4 0040FDF4 0 CcEvtSvc.exe
0000E604 0040FE04 0 %SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
0000E634 0040FE34 0 CcEvtSvc
Network activity
IP and link are hardcoded into CcEvtSvc.exe.
POST /exchange/exchange.php?
Offending IP
58.65.234.105
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks:
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: 20060612
changed: 20060613
changed: 20061018
source: APNIC
person: Piu Lo
nic-hdl: PL466-AP
e-mail:
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: 20071025
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC