ThreatExpert Report: Trojan-Spy.Win32.Ambler

Submission Summary:

Submission details:

Submission received: 4 November 2009, 17:51:46
Processing time: 6 min 4 sec
Submitted sample:

File MD5: 0x3B02D7FF31628778DB12998B4A0069F6
File SHA-1: 0x706A6594F12A253A088516B7A657D0EFAA670DF8
Filesize: 54,784 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\fdcd.dat %System%\idm.dat %System%\qsff.dat %System%\xde.dat	1 bytes	MD5: 0xCFCD208495D565EF66E7DFF9F98764DA SHA-1: 0xB6589FC6AB0DC82CF12099D1C2D40AB994E8410C	(not available)
2	%System%\lhkkca	203 bytes	MD5: 0x6C48201553201AE2FCCB1BD407CBB610 SHA-1: 0xCAF90A140D53BF4FB92CE041A00DBFCE3C75A1D0	(not available)
3	%System%\mmkp.dll	43,520 bytes	MD5: 0x709B2A7D064E00AA303BF16892ACCDFB SHA-1: 0x7AB420E6D46950C5EC260A727435C45419C1F9B0	Trojan-Spy.Win32.Ambler [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
4	%System%\nfom.gif	54,784 bytes	MD5: 0xBBC31952C936BC493431A8469F05CD24 SHA-1: 0x49C464E6FCF84B6E97A12DE53CE1B190E42D5C43	(not available)
5	%System%\pl5dg.dat	45 bytes	MD5: 0xA6203CF1D1695042F89B6DF8A2EF5E3A SHA-1: 0xDC9915BDEC4235230BA8F2C51A7F22E7C761A64B	(not available)
6	[file and pathname of the sample #1]	54,784 bytes	MD5: 0x3B02D7FF31628778DB12998B4A0069F6 SHA-1: 0x706A6594F12A253A088516B7A657D0EFAA670DF8	(not available)

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
mmkp.dll	%System%\mmkp.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xD70000 - 0xD92000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{278356AC-8907-43AC-B9AE-F9544F1CAAFA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}
HKEY_LOCAL_MACHINE\SOFTWARE\CS
HKEY_LOCAL_MACHINE\SOFTWARE\CS\8
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}\TypeLib]

(Default) = "{E87ECF38-96AA-457A-90F6-7C3980581394}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}\ProgID]

(Default) = "plf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}\InprocServer32]

(Default) = "mmkp.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AFAE454-6EB6-4A81-828E-3C051C00EF3E}]

(Default) = "Internet Explorer Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{278356AC-8907-43AC-B9AE-F9544F1CAAFA}]

(Default) = "IE addon"
Locale = "EN"
StubPath = "rundll32 mmkp.dll,laspi"
IsInstalled = 0x00000001
Version = "4,3,6,3"

so that mmkp.dll runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\CS\8]

lopu = "04112009_175159_115390"

[HKEY_LOCAL_MACHINE\SOFTWARE\CS]

KIO = "FF@["
klfg = "l&VQVR#"#:!RU!:#V/&:/%/R:$T'"&T''RQ$Rj"
D1 = 64 67 73 72 73 73 70 71 78 67 3B 7F 7A 73 79 3B 7F 66 73 73 7F 78 70 65
D2 = 66 70 65 26
D3 = 66 70 65 27
pr = 26 66 7E 7B 67 62 26 77 73 3A 77 7F 6E 3A 65 71 61 63 64

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001

to prevent users from starting Task Manager (Taskmgr.exe)

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
72.232.203.90	80

The data identified by the following URLs was then requested from the remote web server:

http://2short2be.biz/setup/nom.php
http://2short2be.biz/setup/som.php
http://2short2be.biz/setup/com.php?id=04112009_175159_115390

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.