Submission Summary:

What's been found:
- Capability to block security-related software by modifying firewall settings and by disabling security services, such as Windows Update, Norton Autoprotect, Kaspersky Anti-Virus, etc.
- Some system executable files were modified, which might indicate the presence of a PE-file infector.
- Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security Risk: Trojan-PWS.WOW
Description: Trojan.PSW.WOW attempts to steal sensitive identifiable data, such as usernames, passwords and bank accounts, from your computer, and sends them to a remote server via HTTP.

Threat Category / Description:
- A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
- A malicious backdoor trojan that runs in the background and allows remote access to the compromised system


File System Modifications

Each entry lists: #, Filename(s), File Size, File Hash, Alias.

#1
  Filename(s):
    %AppData%\Microsoft\Installer\{B53D42E8-872B-430E-82D4-80065A31FCE1}\lpk.dll
    %Temp%\lpk.dll
    %Programs%\Startup\lpk.dll
    [pathname with a string SHARE]\lpk.dll
    [pathname with a string SHARE]\lpk.dll
    [pathname with a string SHARE]\lpk.dll
    [file and pathname of the sample #1]
  File size: 173,568 bytes
  File hash:
    MD5: 0x8E76EF8F934E6FA7A5D4D8DEDD2606C0
    SHA-1: 0x2CB8116DC8B304358343F908F4EF8619A8B6DD26
  Alias:
    Backdoor.Trojan [Symantec]
    Trojan.Win32.MicroFake.ba [Kaspersky Lab]
    Trojan.Win32.MicroFake [Ikarus]

#2
  Filename(s):
    %Temp%\hrl1.tmp
    %Temp%\hrl3.tmp
    %Temp%\hrl4.tmp
    %System%\ookyou.exe
  File size: 165,850 bytes
  File hash:
    MD5: 0xFB15D7055706D88E8F1F9452433531D5
    SHA-1: 0x76019BFDE23DD9B540E441B2FDCF67BFA413ED9F
  Alias:
    Backdoor.Trojan [Symantec]
    Virus.Win32.Nimnul.a [Kaspersky Lab]
    W32/Ramnit.a [McAfee]
    W32/Ramnit-A [Sophos]
    Virus:Win32/Ramnit.P [Microsoft]
    Trojan.Win32.ServStart [Ikarus]

#3
  Filename(s):
    %Temp%\hrl1mgr.exe
  File size: 126,976 bytes
  File hash:
    MD5: 0x7E397C3B36DBF443E028807750EDD91D
    SHA-1: 0x6AD975FD864CA642937C7C03291E05937E8B6099
  Alias:
    W32.Virut.CF [Symantec]
    Virus.Win32.Virut.ce [Kaspersky Lab]
    PWS-Zbot.gen.cy [McAfee]
    W32/Scribble-B [Sophos]
    PWS:Win32/Zbot [Microsoft]
    Backdoor.Win32.CVVStealer [Ikarus]

#4
  Filename(s):
    %Temp%\hrl2mgr.exe
  File size: 126,976 bytes
  File hash:
    MD5: 0xB153CEC40D82CEA37D560956ED17EB22
    SHA-1: 0xD091018AA538DE46CFF0FF7CBF104F2823AB3649
  Alias:
    W32.Virut.CF [Symantec]
    Virus.Win32.Virut.ce [Kaspersky Lab]
    PWS-Zbot.gen.cy [McAfee]
    W32/Scribble-B [Sophos]
    PWS:Win32/Zbot [Microsoft]
    Backdoor.Win32.CVVStealer [Ikarus]

#5
  Filename(s):
    %Temp%\hrl3mgr.exe
  File size: 126,976 bytes
  File hash:
    MD5: 0x583EBF5A1E0CE105635FCB444E35903B
    SHA-1: 0xF0368D8D4ECF91E21743B67842CB171316C5CEA3
  Alias:
    W32.Virut.CF [Symantec]
    Virus.Win32.Virut.ce [Kaspersky Lab]
    PWS-Zbot.gen.cy [McAfee]
    W32/Scribble-B [Sophos]
    PWS:Win32/Zbot [Microsoft]
    Backdoor.Win32.CVVStealer [Ikarus]

#6
  Filename(s):
    %Temp%\hrl4mgr.exe
  File size: 126,976 bytes
  File hash:
    MD5: 0xAAAC42593EBB7740AE8C30816AE92AD6
    SHA-1: 0xA4874965D73DEEE11585C2A1F56C07F0FCF3E56C
  Alias:
    W32.Virut.CF [Symantec]
    Virus.Win32.Virut.ce [Kaspersky Lab]
    PWS-Zbot.gen.cy [McAfee]
    W32/Scribble-B [Sophos]
    PWS:Win32/Zbot [Microsoft]
    Backdoor.Win32.CVVStealer [Ikarus]

#7
  Filename(s):
    %Programs%\Startup\maswtjoy.exe
    %ProgramFiles%\etbkjgfi\maswtjoy.exe
  File size: 99,840 bytes
  File hash:
    MD5: 0xEF5DC2521333FB418BD5518F1DB3FD08
    SHA-1: 0x3D5E8D6DBF09A599F674FE9D6C1D736B0C31CB70
  Alias:
    Trojan.Gen [Symantec]
    Trojan.Win32.Lebag.dgi [Kaspersky Lab]
    PWS-Zbot.gen.cy [McAfee]
    Troj/FakeAV-EKL [Sophos]
    PWS:Win32/Zbot [Microsoft]
    Backdoor.Win32.CVVStealer [Ikarus]

#8
  Filename(s):
    %ProgramFiles%\Internet Explorer\dmlconf.dat
  File size: 16 bytes
  File hash:
    MD5: 0xC1E184DACBDBFEBB3C530346E6DAE4E1
    SHA-1: 0xAC02101B84CF62C4F82ACDDB5E22BB4FDFD8C683
  Alias:
    (not available)


Memory Modifications

Process Name: [generic host process]
Process Filename: [generic host process filename]
Main Module Size: 20,480 bytes

Module Name / Module Filename / Address Space Details:
- Module: [filename of the sample #1] ([file and pathname of the sample #1]); process name: [generic host process]; process filename: [generic host process filename]; address space: 0x10000000 - 0x1002E000
- Module: [filename of the sample #1] ([file and pathname of the sample #1]); process name: [generic host process]; process filename: [generic host process filename]; address space: 0x10000000 - 0x1002E000
- Module: [filename of the sample #1] ([file and pathname of the sample #1]); process name: [generic host process]; process filename: [generic host process filename]; address space: 0x10000000 - 0x1002E000
- Module: [filename of the sample #1] ([file and pathname of the sample #1]); process name: [generic host process]; process filename: [generic host process filename]; address space: 0x10000000 - 0x1002E000

Service Name: MediaCenterplf
Display Name: MS Driver Servcice Centerlwb.
Status: "Stopped"
Service Filename: %System%\ookyou.exe


Registry Modifications


Other details

China


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.


Copyright © 2017 ThreatExpert. All rights reserved.