File details
</h4>
Filename: 216-1.exe
File size: 55808 bytes
MD5...: c2b64b4de7a7a337d50e9f332b276a0c
SHA1..: b3f291d2c194c4a3fb29bd5f3e2a748727a51879
SHA256: e26b3b048457386c174ccbc88c9a9d83b9418521490744d70812e63388c58ffa
PEiD..: -
Kaspersky: Trojan-Downloader.Win32.Agent.ajtr

File 216-1.exe received on 10.15.2008 22:45:35 (CET)
Scan results (engine, version, signature date, result; "-" means not detected):
AhnLab-V3 2008.10.16.0 2008.10.15 -
AntiVir 7.9.0.4 2008.10.15 -
Authentium 5.1.0.4 2008.10.15 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.15 -
BitDefender 7.2 2008.10.15 -
CAT-QuickHeal 9.50 2008.10.14 -
ClamAV 0.93.1 2008.10.15 -
DrWeb 4.44.0.09170 2008.10.15 -
eSafe 7.0.17.0 2008.10.15 -
eTrust-Vet 31.6.6149 2008.10.15 -
Ewido 4.0 2008.10.15 -
F-Prot 4.4.4.56 2008.10.15 -
F-Secure 8.0.14332.0 2008.10.15 -
Fortinet 3.113.0.0 2008.10.15 -
GData 19 2008.10.15 -
Ikarus T3.1.1.34.0 2008.10.15 -
K7AntiVirus 7.10.496 2008.10.15 -
Kaspersky 7.0.0.125 2008.10.15 -
McAfee 5405 2008.10.14 -
Microsoft 1.4005 2008.10.15 -
NOD32 3525 2008.10.15 -
Norman 5.80.02 2008.10.15 -
Panda 9.0.0.4 2008.10.15 -
PCTools 4.4.2.0 2008.10.15 -
Prevx1 V2 2008.10.15 Malicious Software
Rising 20.66.22.00 2008.10.15 -
SecureWeb-Gateway 6.7.6 2008.10.15 -
Sophos 4.34.0 2008.10.15 -
Sunbelt 3.1.1725.1 2008.10.15 -
Symantec 10 2008.10.15 -
TheHacker 6.3.1.0.112 2008.10.15 -
TrendMicro 8.700.0.1004 2008.10.15 -
VBA32 3.12.8.6 2008.10.14 -
ViRobot 2008.10.15.1421 2008.10.15 -
VirusBuster 4.5.11.0 2008.10.15 -
<h4>Technical details</h4>
Registry changes.
- Adds the following Value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "AtTaskMaxHours"
Type: REG_DWORD
Data: 48, 00, 00, 00
- Modifies the following Value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "NextAtJobId"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 19, 00, 00, 00
Both values belong to the Task Scheduler (AT) service. AtTaskMaxHours = 0x48 = 72 hours, the maximum run time of an AT job; NextAtJobId moving from 1 to 0x19 = 25 means 24 AT jobs were created, which matches the At1.job to At24.job files listed below.
Files added.
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%System%\4Ff8IMPB.exe
Date: 10/15/2008 10:38 PM
Size: 55,808 bytes
c:\WINDOWS\Tasks\At1.job
Date: 10/15/2008 11:53 PM
Size: 350 bytes
up to
c:\WINDOWS\Tasks\At24.job
Date: 10/15/2008 11:53 PM
Size: 350 bytes
<h4>Notes</h4>
- Upon execution 216-1.exe requires Internet access.

- Copies itself to the %System% folder as 4Ff8IMPB.exe; the copy is then started by 216-1.exe.


- Starts an Internet Explorer instance and injects itself into the address space of iexplore.exe.

- Creates different mutexes to mark its presence on the system. One of them, k0Vs8251CM, is very similar to a mutex created by jfifoj.exe, and it is therefore safe to presume that this is an updated version of that sample. We also notice several hidden iexplore.exe instances running under 4Ff8IMPB.exe.

- Creates and destroys a hidden instance of iexplore.exe under svchost.exe every few seconds.

- Connects to the Internet in order to retrieve a list of ad servers.

- Pops up advertising and promotional offers on the infected system. Seeing the huge list of URLs visited in a very short amount of time (the attachment below is only a snippet), the chance is very high of landing on a dodgy advertisement that will "cause trouble" on the PC.
[Attachment: snippet of the URLs visited]
- Since 24 scheduled tasks are created, one per hour, the program gets loaded every hour of every day (even after a reboot or shutdown). The tasks have been created under the SYSTEM account: AT jobs run in the context of the Task Scheduler service, so the program is relaunched with SYSTEM privileges. On the infected host the jobs can be listed with the at command (no arguments) and removed with at <id> /delete.
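The hourly persistence above rests on 24 At*.job files. As an added example (not code from the original write-up), the following Python script parses the Task Scheduler's binary .JOB format (documented as MS-TSCH) so that At1.job to At24.job can be triaged offline from a copied Tasks directory: it extracts the launched application, the author and each trigger's type and start hour, then checks whether a set of At jobs covers all 24 hours of the day. It also decodes the two REG_DWORD dumps from the registry section. The job blobs are constructed inside the script; the page does not show the real job contents, so the launched path C:\WINDOWS\system32\4Ff8IMPB.exe and the author SYSTEM used in the sample are assumptions.

```python
"""Offline triage of At*.job files (MS-TSCH .JOB format). Added example; the
sample jobs are constructed here, not taken from the infected host."""
import struct
from collections import namedtuple
from typing import Dict, Tuple

FIXED_LEN = 68        # fixed-length header size
TRIGGER_LEN = 48      # size of one trigger record
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "EVENT_ON_IDLE",
                 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}
Trigger = namedtuple("Trigger", "trigger_type start_hour start_minute minutes_interval")
Job = namedtuple("Job", "app_name parameters working_dir author comment triggers")


def _read_ustr(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a .JOB string: 2-byte char count (including the NUL), then UTF-16LE."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00"), off + 2 * n


def parse_job(buf: bytes) -> Job:
    """Parse one .JOB blob; raises ValueError if the header offsets look wrong."""
    if len(buf) < FIXED_LEN + 2:
        raise ValueError("too short for a .JOB header")
    # Header: product version, file version, 16-byte UUID, then the offsets of
    # the application-name string and of the trigger section.
    app_off, trig_off = struct.unpack_from("<HH", buf, 20)
    if app_off != FIXED_LEN + 2 or trig_off >= len(buf):
        raise ValueError("bad offsets app=%d trig=%d" % (app_off, trig_off))
    off = app_off                 # the 2-byte running-instance count sits at 68
    app_name, off = _read_ustr(buf, off)
    parameters, off = _read_ustr(buf, off)
    working_dir, off = _read_ustr(buf, off)
    author, off = _read_ustr(buf, off)
    comment, off = _read_ustr(buf, off)
    (count,) = struct.unpack_from("<H", buf, trig_off)
    triggers = []
    for i in range(count):
        r = struct.unpack_from("<10H4I6H", buf, trig_off + 2 + i * TRIGGER_LEN)
        # r[8]=start hour, r[9]=start minute, r[11]=minutes interval, r[13]=type
        triggers.append(Trigger(TRIGGER_TYPES.get(r[13], "UNKNOWN(%d)" % r[13]),
                                r[8], r[9], r[11]))
    return Job(app_name, parameters, working_dir, author, comment, triggers)


def _ustr(s: str) -> bytes:
    return struct.pack("<H", 0) if not s else \
        struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def build_at_job(app: str, author: str, start_hour: int) -> bytes:
    """Build a minimal .JOB blob with one DAILY trigger at start_hour:00."""
    body = struct.pack("<H", 0)                         # running instance count
    body += _ustr(app) + _ustr("") + _ustr("") + _ustr(author) + _ustr("")
    body += struct.pack("<HH", 0, 0)                    # user data, reserved data
    trig_off = FIXED_LEN + len(body)
    trigger = struct.pack("<10H4I6H", TRIGGER_LEN, 0, 2008, 10, 15, 0, 0, 0,
                          start_hour, 0, 0, 0, 0, 1,    # duration, interval, flags, DAILY
                          1, 0, 0, 0, 0, 0)             # DaysInterval=1, padding, reserved
    body += struct.pack("<H", 1) + trigger              # trigger count, then record
    header = struct.pack("<HH", 0x0501, 1) + bytes(16)  # versions, zero UUID
    header += struct.pack("<HH", FIXED_LEN + 2, trig_off)
    return header.ljust(FIXED_LEN, b"\x00") + body


def hourly_coverage(jobs: Dict[str, Job]) -> Dict[str, object]:
    """Which hours have a DAILY trigger, and which executables the jobs launch."""
    hours, apps = set(), set()
    for job in jobs.values():
        apps.add(job.app_name.lower())
        hours.update(t.start_hour for t in job.triggers if t.trigger_type == "DAILY")
    return {"hours": sorted(hours), "full_day": hours == set(range(24)),
            "apps": sorted(apps)}


def triage(job_blobs: Dict[str, bytes]) -> Dict[str, object]:
    return hourly_coverage({name: parse_job(b) for name, b in job_blobs.items()})


def reg_dword(data: bytes) -> int:
    """Decode a REG_DWORD dumped as little-endian bytes ('19, 00, 00, 00' -> 25)."""
    return struct.unpack("<I", data)[0]


# Constructed sample: At1.job..At24.job, one DAILY trigger per hour. The launched
# path and author are assumptions; the page does not show the real job contents.
SAMPLE_JOBS = {"At%d.job" % (h + 1):
               build_at_job(r"C:\WINDOWS\system32\4Ff8IMPB.exe", "SYSTEM", h)
               for h in range(24)}

if __name__ == "__main__":
    print(triage(SAMPLE_JOBS))
    print("AtTaskMaxHours:", reg_dword(b"\x48\x00\x00\x00"),
          "NextAtJobId:", reg_dword(b"\x19\x00\x00\x00"))
```

To use it on real evidence, read each file under C:\WINDOWS\Tasks\At*.job into the dict in place of SAMPLE_JOBS; a full_day result together with a single executable in %System% is the pattern the notes above describe. Real At jobs also carry user data and reserved data before the trigger section, which is why the parser locates the triggers through the header offset instead of assuming a fixed layout.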
