Submission Summary:

| What's been found | Severity Level |
|---|---|
| Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe. | |
| Registers a 32-bit in-process server DLL. | |
| Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module). | |
| Contains characteristics of an identified security risk. | |

Technical Details:

Possible Security Risk

| Security Risk | Description |
|---|---|
| Trojan-Clicker.Delf!ct | Trojan-Clicker.Delf!ct is a threat that attempts to redirect the compromised computer to other advertisement websites. |

| Threat Category | Description |
|---|---|
| Rootkit | Code that uses rootkit-specific techniques designed to hide the software's presence in the system. |
| Hacktool | A hacktool that could be used by attackers to break into a system. |
| Trojan / Bot | A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment. |
| Keylogger | A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.). |

File System Modifications

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %Temp%\gkbfmupi.sys | 4,608 bytes | MD5: 0x91E73AC9AE573BF412A2FEF55DB22238; SHA-1: 0x1B9A4CF55657D85D3817A1D7F9C0464708213B5F | Rootkit.Podnuha.A [PCTools]; Hacktool.Rootkit [Symantec]; Rootkit.Win32.Podnuha.a [Kaspersky Lab]; VirTool:WinNT/Boaxxe.A [Microsoft] |
| 2 | %System%\cfbacfb.dll | 74,240 bytes | MD5: 0xDE1E68218F7627573AB7479F94222963; SHA-1: 0xB32815E4CE223276490ADC2497B3F587FB7C7805 | Trojan.CL.Delf.ZVE [PCTools]; Trojan Horse [Symantec]; Trojan-Clicker.Win32.Delf.iq [Kaspersky Lab]; Generic.dx [McAfee]; Mal/EncPk-CL, Mal/Packer [Sophos]; VirTool:Win32/Obfuscator.Q [Microsoft] |
| 3 | %System%\cfbacfb.exe | 53,248 bytes | MD5: 0x203B43C17F4D3DAF6C5CA89CE62574DC; SHA-1: 0x21C080C2A9BAB354ECE5E7DCFE2D85E669669578 | Hacktool.Rootkit [PCTools]; Hacktool.Rootkit [Symantec]; Trojan-Spy.Win32.BZub.bwv [Kaspersky Lab]; Generic.dx [McAfee]; Mal/EncPk-CL, Mal/Packer [Sophos]; VirTool:Win32/Obfuscator.Q [Microsoft]; Win-Trojan/Bzub.53248.N [AhnLab] |
| 4 | %System%\drivers\suhwczfq.sys | 12,416 bytes | MD5: 0xD14A1A2BCABFFE6170B54194944EA24C; SHA-1: 0x744DB87920D0BEAB310B9487D80CBF533466C10A | Rootkit.Podnuha.C [PCTools]; Hacktool.Rootkit [Symantec]; Rootkit.Win32.Podnuha.a [Kaspersky Lab]; Troj/Conhook-AG [Sophos]; VirTool:WinNT/Boaxxe.E [Microsoft]; Win-Trojan/Xema.variant [AhnLab] |
| 5 | %System%\Restore\MachineGuid.txt | 78 bytes | MD5: 0x6331307B7FA1DC849B809B3E89C254CD; SHA-1: 0x4B50B9471715B958941AB729908B1DD8EEA8DC50 | (not available) |
| 6 | [file and pathname of the sample #1] | 140,800 bytes | MD5: 0xD8D5CBAEF4B21C31C97B110B4D63DC89; SHA-1: 0xE9FA3EF5094106159818C831963E1F325135CD1C | Trojan-Clicker.Delf!ct [PCTools]; Infostealer.Bzup [Symantec]; Trojan-Clicker.Win32.Delf.xx [Kaspersky Lab]; Generic.dx [McAfee]; Mal/EncPk-CL, Mal/Packer [Sophos]; VirTool:Win32/Obfuscator.Q [Microsoft]; Trojan-Clicker.Win32.Delf [Ikarus]; Win-Trojan/Xema.variant [AhnLab] |

Memory Modifications

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| [generic host process] | [generic host process filename] | 20,480 bytes |

| Process Name | Process Filename | Allocated Size |
|---|---|---|
| [generic host process] | [generic host process filename] | 69,632 bytes |
| [generic host process] | [generic host process filename] | 2,060,288 bytes |

| Module Name | Module Filename | Address Space Details |
|---|---|---|
| cfbacfb.dll | %System%\cfbacfb.dll | Process name: explorer.exe; Process filename: %Windir%\explorer.exe; Address space: 0x1B20000 - 0x1B4B000 |
| cfbacfb.dll | %System%\cfbacfb.dll | Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0x19C0000 - 0x19EB000 |

| Service Name | Display Name | New Status | Service Filename |
|---|---|---|---|
| srservice | System Restore Service | "Running" | %System%\svchost.exe -k netsvcs |

| Driver Name | Driver Filename |
|---|---|
| gkbfmupi.sys | %Temp%\gkbfmupi.sys |
| suhwczfq.sys | %System%\drivers\suhwczfq.sys |

Registry Modifications

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.