Submission Summary:

What's been found | Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.

Technical Details:


File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %System%\c\CMD.reg 131 bytes MD5: 0x8EA5C3FFACF77A33DAAE2D49EBF94701
SHA-1: 0x19C5C1CB5D9EE0B7BE774EE1B739A00181C02997
(not available)
2 %System%\c\dakai-syswin.bat 44 bytes MD5: 0xE9F50C0F6E7F5DE4372E6DEEC425D6EC
SHA-1: 0x846592CFCD7C7052327C5FF5D7F5A3C022953BF8
(not available)
3 %System%\c\fuzhianzhuang.bat 94 bytes MD5: 0x96EF9986317EFED2698E3BCFFE00D0A8
SHA-1: 0x5E55DAF726B8B8E84E705E968851BD3733686EA9
(not available)
4 %System%\c\syswin\AccInfo.ini 441 bytes MD5: 0x139D794BBC04F67ABB1A7DA560FD3E71
SHA-1: 0x71BA255BBEFCAC981D88C05EF1038548F8A77771
(not available)
5 %System%\c\syswin\CCProxy.exe
%System%\c\syswin\svchost.exe
1,093,632 bytes MD5: 0xB5128496CD59776643E06BA59C124B41
SHA-1: 0x9076D8A35A50E1CA3488B95B93E18B6C1CB771CE
Trojan.SuspectCRC [Ikarus]
6 %System%\c\syswin\CCProxy.ini 2,836 bytes MD5: 0x43A046A2FEC2990A9C2E8736C6DDCBA3
SHA-1: 0x74F79B5314B91F80C9D6B1C80B9ABD0EB3782AC4
(not available)
7 %System%\c\syswin\cha.bat 51 bytes MD5: 0xE91C906596E5E820C622A078D98A43CF
SHA-1: 0x993D492560B84D2F35C934F637A73A16D88CB407
(not available)
8 %System%\c\syswin\Language\English.ini 12,322 bytes MD5: 0xBD4271B91DBE4447C56A96AB8377F7D7
SHA-1: 0x1F23C0803DEBA9FB0D4A32580EC46D89303D86A6
(not available)
9 %System%\c\syswin\Log\5160.bat 725 bytes MD5: 0xCEF42D0E710887C3466B1832E142F888
SHA-1: 0x8236F55B71A08DE004858195A5C85006A63BD92D
(not available)
10 %System%\c\syswin\Log\5334.bat 725 bytes MD5: 0x97D38B244C7EA3A03B12E4409EA198A7
SHA-1: 0xBD039514959B4A3FB203B2C74916CA6446E3D0E6
(not available)
11 %System%\c\syswin\Log\Changelog.txt 9,131 bytes MD5: 0x3B69449ACE048A5747336B1495261122
SHA-1: 0xD2724A790DDCCA51FADE00369DB10DDE78D83973
(not available)
12 %System%\c\syswin\Log\ip.bat 49 bytes MD5: 0xA5A47ECB120DC50BDD2130C9C5C95EDF
SHA-1: 0x8955CCC52CA4428B54A68DA2F05DFD3ADC53B94D
(not available)
13 %System%\c\syswin\Log\libminiupnpc.a 27,796 bytes MD5: 0x58FB6E6439A67695AD4B9398DEE0EE1E
SHA-1: 0x21F3DDD41BFA9C15F8C0D0107A409F32F84BDB21
(not available)
14 %System%\c\syswin\Log\LICENSE 1,497 bytes MD5: 0x60FCF38AB196D540B416E06402D9958A
SHA-1: 0x88EF43C2698C926286AA2D8AB1BFC1403AE07C27
(not available)
15 %System%\c\syswin\Log\miniupnpc.def 678 bytes MD5: 0x5505154FEB60DE2BA26487BCFDF015FC
SHA-1: 0x6AB909754492949B37901F4DAE9E6577C1E43A64
(not available)
16 %System%\c\syswin\Log\miniupnpc.dll 43,720 bytes MD5: 0x9E4AA77884B1C350930B3BE23F84F2AF
SHA-1: 0x52AA49C7E36929863C97892206D014CE7A05D51D
(not available)
17 %System%\c\syswin\Log\miniupnpc.lib 19,004 bytes MD5: 0xBB449359B52565459980C5F35A26C613
SHA-1: 0x946E428DC013FFC3C6746FB4C2A665FFF3CFCE25
(not available)
18 %System%\c\syswin\Log\README 1,846 bytes MD5: 0x9C89AADBF98BFF9AF8AAF34033386A1D
SHA-1: 0xA0606E18C922D53724AA188EF0953B91004F5CB6
(not available)
19 [pathname with a string SHARE]\upnpc-shared.exe 6,144 bytes MD5: 0xACCE7577A245CB49B257BC6148B5CB12
SHA-1: 0x4814DA37532BD7C2046DA55CB00BBBA58CC57D18
packed with UPX [Kaspersky Lab]
20 %System%\c\syswin\Log\upnpc-static.exe 12,800 bytes MD5: 0xD27C535D6CEA1B4A3493AF18CD8BB028
SHA-1: 0x7BC86C3FF9014F4EF076B6FAAAB648DB42540D40
not-a-virus:RemoteAdmin.Win32.RAT.b [Kaspersky Lab]
packed with UPX [Kaspersky Lab]
21 %System%\c\syswin\run.bat 606 bytes MD5: 0x0DBE33E868D67DF81E2EDA4B9BB3334B
SHA-1: 0x597EDB60C3F46773EC37A53156CDF95F3EA9836A
(not available)
22 %System%\c\syswin\rundlllllllll.bat 909 bytes MD5: 0x6C97C21B31725C22989CBA8973FD1257
SHA-1: 0x9D1E41E8798E6B48F369E8A7DB3A9F6760E085AC
(not available)
23 %System%\c\syswin\sc.bat 86 bytes MD5: 0x0711487BB151A91DA24E7D72A39F87B3
SHA-1: 0x8616016F459587B12020DFC1F119C6B3207FE5D9
(not available)
24 %System%\c\syswin\sc.exe
%System%\c\wu-wu-wu\sc.exe
31,232 bytes MD5: 0x4563A5DC09A73778C6AB774374DE8032
SHA-1: 0x3B4182531777C1A0A0C781CD254BEC55E3DBE2FD
(not available)
25 %System%\c\syswin\web\cn_acclistadmin.htm 5,609 bytes MD5: 0x4E76060E9A6E2AB2B488D7E8E412D403
SHA-1: 0x9951E543094D2A6958C159D576480547282FB357
(not available)
26 %System%\c\syswin\web\cn_acclistuser.htm 2,942 bytes MD5: 0x9F33C499AE33785588BCD451E7E0D0A5
SHA-1: 0x3C6B33341C368A724FE9C4CD6263C666288D4B42
(not available)
27 %System%\c\syswin\web\en_acclistadmin.htm 5,741 bytes MD5: 0x6BDEB3A56050CE04017A8B33B1D83C08
SHA-1: 0x3BD119952BBB6BED4D9A105DB3FE25AADF08F943
(not available)
28 %System%\c\syswin\web\en_acclistuser.htm 3,075 bytes MD5: 0xF855EFB02698018359B7554110B7EF53
SHA-1: 0x8568AACE862E1388B26D6379E060E484BBAB8000
(not available)
29 %System%\c\syswin\web\en_index.html 330 bytes MD5: 0xC43A73412032854C9BE66273613AC837
SHA-1: 0xA9C69E66549CDB67D150ED55C860774449EEF136
(not available)
30 %System%\c\syswin\web\en_list.htm 230 bytes MD5: 0x599F0856C395EE8D5908E59B09830031
SHA-1: 0x4E526A265EB440F4311E4D3441A624E757470FB9
(not available)
31 %System%\c\syswin\web\en_log.htm 463 bytes MD5: 0xD949320D8ACEE4CF5C6CE0DEAA66E4B5
SHA-1: 0x422B87F06933B2FA4C2281BFC8F4C61EC146280D
(not available)
32 %System%\c\syswin\web\en_settings.htm 3,982 bytes MD5: 0x8A1CF8DA2DED1352F63EDC119F5053C1
SHA-1: 0xAABB992F89BE685A0F75D81C6FA668EA5FAF6FDC
(not available)
33 %System%\c\syswin\web\proxyadmin.php 1,465 bytes MD5: 0x20C78614CED684B105C764190F750366
SHA-1: 0xA8FF1E417ECD4A687748668B864250D86CE85F86
(not available)
34 %System%\c\syswin\zdq.exe 127,488 bytes MD5: 0x0DBC9E9059A46453BE8DE409FEF65624
SHA-1: 0x1267EA6D30E6ADD2B994D562BEBF920E43C3C001
(not available)
35 %System%\c\u.exe 520,434 bytes MD5: 0xD51F7F27A102B98C2FDE1783CD5BE4E7
SHA-1: 0x7B0F42FF18B90F62B8F86479FA4310BEFAE1FB17
Trojan-Dropper.Agent [Ikarus]
36 %System%\c\wu-wu-wu\5159-5160.bat 496 bytes MD5: 0xB9FE5A82630B74357E78C762A3BBE1E2
SHA-1: 0x37A7BE29C9CDFA6B06AADC9CD8B8AD37893E8801
Backdoor.BAT.Agent.i [Kaspersky Lab]
37 %System%\c\wu-wu-wu\5160.exe 574,976 bytes MD5: 0xA4756744CE822BB24E40EAB462AA94D8
SHA-1: 0x2D9BC7795F114AA6EA9D0455E979B45CCD521455
(not available)
38 %System%\c\wu-wu-wu\5312-5334.bat 502 bytes MD5: 0xB87A079D85870BB82FA19991850C1C14
SHA-1: 0xF0F373F8583EEE7B9C075A538E74F7D51E9FEFA1
Backdoor.BAT.Agent.i [Kaspersky Lab]
39 %System%\c\wu-wu-wu\5334.exe 574,976 bytes MD5: 0xA1163CD66211B8671FDE6D653D613228
SHA-1: 0xDECDFF32580888C5DB899B08F741BBAFE22D9C89
(not available)
40 %System%\c\wu-wu-wu\Ch3389.exe 20,480 bytes MD5: 0x676E9572CD20EBD81019DEF682C2A83E
SHA-1: 0x061A0E536459457715471BCFC90EA9EBAE31278D
(not available)
41 %System%\c\wu-wu-wu\diandiandian.bat 5,168 bytes MD5: 0xBB8D7B8121974C736A01EA2766EC208B
SHA-1: 0x259829031B9A663F32FC996DF9C63C029BB8CE68
Backdoor.BAT.Agent.i [Kaspersky Lab]
42 %System%\c\wu-wu-wu\hyuan.reg
%System%\c\you-you-you\hyuan.reg
296 bytes MD5: 0x921AEEF0FAD9CBA0E17F68C7426D4D67
SHA-1: 0x12111CF077C026B2D64DD43A0D69602794174FD9
(not available)
43 %System%\c\wu-wu-wu\ipseccmd.exe
%System%\c\you-you-you\ipseccmd.exe
106,496 bytes MD5: 0x11E5A276A93C4604C175CA3EBCE6D77A
SHA-1: 0xBB3CDDA302AFDB2F1E31249D8F80EECA09CCB515
(not available)
44 %System%\c\wu-wu-wu\setms.reg
%System%\c\you-you-you\setms.reg
692 bytes MD5: 0xED671780B97BD8AE1B97F1E4EC9CDC7F
SHA-1: 0x3F9886706E965CFF3E7924B1DAD67C728653E31E
(not available)
45 %System%\c\wu-wu-wu\uniimex.exe
%System%\c\you-you-you\uniimex.exe
187,069 bytes MD5: 0x86D27FA3C22097185BF50270D518F945
SHA-1: 0xD317A237A1F1FA616790BFCB14DA89815B663981
(not available)
46 %System%\c\wu-wu-wu\useri.bat
%System%\c\you-you-you\useri.bat
1,022 bytes MD5: 0x596113A52CC7E4A5AEA636A2EDC2DDD9
SHA-1: 0xD7D276D73235C43C362DBA545A42591F654C7EE8
(not available)
47 %System%\c\wu-wu-wu\usrcoinat.exe
%System%\c\you-you-you\usrcoinat.exe
149,341 bytes MD5: 0xAF2237EE9190C35D4F06AD179B61D5EF
SHA-1: 0xBF224CAA1230E522F8EBD6D95EE69C4BB16FF255
(not available)
48 %System%\c\wu-wu-wu\winipsec.dll
%System%\c\you-you-you\winipsec.dll
32,768 bytes MD5: 0x24B0DB7E532076D5FC17C56CC50140B4
SHA-1: 0xBEC2A4923E541BF83E00064A2595A59EC36426A3
(not available)
49 %System%\c\wu-wu-wu\wuwuwuwu.ipsec 73,728 bytes MD5: 0x28F723237366EFC0E83BE347B3895C79
SHA-1: 0xB2C30518AF292CE5234D94F6940739BE8AC332F8
(not available)
50 %System%\c\wu-wu-wu\XP.REG
%System%\c\you-you-you\XP.REG
288 bytes MD5: 0xFDD4AB35F1C1C47AECCED0C9F827DB3C
SHA-1: 0x3DF329F9967477B8E1B6B3F58B2DE7BFF7AC6160
(not available)
51 %System%\c\wu-wu-wu\XPXPXPXPXPXPXPxp.exe
%System%\c\you-you-you\XPXPXPXPXP.exe
259,072 bytes MD5: 0x83F41673425C73D4F1FC6293F72A2174
SHA-1: 0xAB5D32DF9F836E09448EF3527538DA462119DBC9
Mal/Generic-A [Sophos]
packed with UPX [Kaspersky Lab]
52 %System%\c\wu-wu-wu\zcb.reg
%System%\c\you-you-you\zcb.reg
134 bytes MD5: 0xFB8246ADCA19CF88145F7FBB4EA8E4D0
SHA-1: 0xD09715BD6095B032331416CDE12013AE74927AE8
(not available)
53 %System%\c\you-you-you\111111111111.bat 4,500 bytes MD5: 0x0E09FB076065252530EA13D4D674E413
SHA-1: 0x8AF58A63FFCADDF2E4A26EC3063565D46D0C5F06
Backdoor.BAT.Agent.i [Kaspersky Lab]
54 %System%\c\you-you-you\youyouyou.ipsec 102,400 bytes MD5: 0x7055BB00C6FC43FBA65F19BB009BE29C
SHA-1: 0x48AC2A6C2602BC935F3024734761D06A1AA84457
(not available)
55 [file and pathname of the sample #1] 1,886,777 bytes MD5: 0x524A18D5E4D6B4782B3AC5F41DEBDA2D
SHA-1: 0x13576E22D4003C26F1333069CEDB7E1F5D386ADF
Backdoor.BAT.Agent.i, not-a-virus:RemoteAdmin.Win32.RAT.b [Kaspersky Lab]
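
The table above is the report's indicator list, and the way it flattens in text form (index, path, size and MD5 on one line, SHA-1 on the next, then detection names, with files that share one hash spread over several path lines) is awkward to consume by hand. The following is an added example, not code from the ThreatExpert report: it parses rows in exactly this layout into records and then hashes every file under a directory looking for byte-identical copies. `FileIoc`, `parse_file_table`, `scan_tree` and `demo_scan` are names chosen here; the embedded excerpt is two rows copied from the table, and the files the demo stages are constructed.

```python
# Added example, not code from the ThreatExpert report: parse its flattened
# "File System Modifications" rows into IOC records and hash-sweep a directory.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Row as extracted: "<n> <path> [<size> bytes MD5: 0x..]", extra path lines, "SHA-1: 0x..", aliases.
ROW_START = re.compile(r"^(\d+)\s+(\S.*)$")
SIZE_MD5 = re.compile(r"^(?:(.*?)\s+)?([\d,]+) bytes MD5: 0x([0-9A-Fa-f]{32})$")
SHA1_LINE = re.compile(r"^SHA-1: 0x([0-9A-Fa-f]{40})$")

@dataclass
class FileIoc:
    index: int
    paths: List[str]    # several paths share a row when the bytes are identical
    size: int
    md5: str
    sha1: str
    aliases: List[str]  # AV detection names as listed, or "(not available)"

def parse_file_table(text: str) -> List[FileIoc]:
    rows, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        size_m, start_m = SIZE_MD5.match(line), ROW_START.match(line)
        # A bare "296 bytes MD5: ..." line also starts with digits: a new row opens only on a
        # digit-prefixed non-size line, and only once the previous row has its SHA-1.
        bare_size = size_m is not None and size_m.group(1) is None
        if start_m and not bare_size and (cur is None or cur["sha1"]):
            cur = {"index": int(start_m.group(1)), "paths": [], "size": 0,
                   "md5": "", "sha1": "", "aliases": []}
            rows.append(cur)
            line = start_m.group(2)
            size_m = SIZE_MD5.match(line)
        if cur is None:
            continue                    # column header before the first row
        if size_m:
            if size_m.group(1):
                cur["paths"].append(size_m.group(1))
            cur["size"] = int(size_m.group(2).replace(",", ""))
            cur["md5"] = size_m.group(3).lower()
        elif SHA1_LINE.match(line):
            cur["sha1"] = SHA1_LINE.match(line).group(1).lower()
        elif not cur["md5"]:
            cur["paths"].append(line)   # further filename carrying the same hash
        else:
            cur["aliases"].append(line) # alias lines follow the SHA-1 line
    return [FileIoc(**r) for r in rows]

def hash_file(path: str) -> Tuple[str, str]:
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def scan_tree(root: str, iocs: List[FileIoc]) -> List[Tuple[str, FileIoc]]:
    # (path, ioc) for every readable file under root whose MD5 or SHA-1 is listed.
    by_hash = {h: i for i in iocs for h in (i.md5, i.sha1)}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                md5, sha1 = hash_file(full)
            except OSError:
                continue                # locked or unreadable; a real sweep would log it
            if md5 in by_hash or sha1 in by_hash:
                hits.append((full, by_hash.get(md5) or by_hash[sha1]))
    return hits

# Two rows copied from the table above, in the flattened form the page shows.
REPORT_EXCERPT = r"""
5 %System%\c\syswin\CCProxy.exe
%System%\c\syswin\svchost.exe
1,093,632 bytes MD5: 0xB5128496CD59776643E06BA59C124B41
SHA-1: 0x9076D8A35A50E1CA3488B95B93E18B6C1CB771CE
Trojan.SuspectCRC [Ikarus]
20 %System%\c\syswin\Log\upnpc-static.exe 12,800 bytes MD5: 0xD27C535D6CEA1B4A3493AF18CD8BB028
SHA-1: 0x7BC86C3FF9014F4EF076B6FAAAB648DB42540D40
not-a-virus:RemoteAdmin.Win32.RAT.b [Kaspersky Lab]
packed with UPX [Kaspersky Lab]
"""

def demo_scan() -> List[Tuple[str, int]]:
    # Stage two constructed files; only the one whose hash is appended as a
    # constructed IOC (index 0) may match. Returns sorted (basename, ioc index).
    iocs = parse_file_table(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "run.bat")
        for name, body in (("run.bat", b"constructed stand-in for a staged batch file\r\n"),
                           ("benign.txt", b"unrelated file, must not match\r\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        md5, sha1 = hash_file(planted)
        iocs.append(FileIoc(0, [r"%System%\c\syswin\run.bat"], os.path.getsize(planted),
                            md5, sha1, ["(constructed for this demo)"]))
        return sorted((os.path.basename(p), i.index) for p, i in scan_tree(root, iocs))
```

Hash matching only finds unmodified copies, and the alias column shows how little vendor coverage this kit had at analysis time: most rows read "(not available)", one component is rated not-a-virus:RemoteAdmin rather than malware, and the batch and .reg files are easy to edit between victims. The more durable hunting signal in this report is the layout itself: a `c` directory under %System% holding `syswin`, `wu-wu-wu` and `you-you-you` subfolders with paired copies of the same tools (sc.exe, ipseccmd.exe, hyuan.reg, XP.REG), which is what a path- or filename-based rule should key on alongside the hashes.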

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 192,512 bytes

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.