Attached zip file zz.zip; encrypted with password: infected
Threat normally identified by McAfee VirusScan as pws-legmir.gen.k and pws-legmir.gen.k.dll.
ThreatExpert report:
http://www.threatexpert.com/report.aspx?ui...a4-384227ac7ad9
Submission Summary:
    * Submission details:
          o Submission received: 24 April 2008, 06:22:58
          o Processing time: 4 min 13 sec
          o Submitted sample:
                + File MD5: 0x67818D263FE0F8C2FDF42F1722AFD068
                + Filesize: 140.548 bytes
    * Summary of the findings:
What's been found	Severity Level
Downloads/requests other files from Internet.	
Modifies some system settings that may have negative impact on overall system security state.	
Creates a startup registry entry.	
Contains characteristics of an identified security risk.	
Technical Details:
	Possible Security Risk
    * Attention! Characteristics of the following security risk were identified in the system:
Security Risk	Description
Rootkit.Agent.QV 	Rootkit.Agent.QV injects rootkit components into Windows processes and attempts to hide itself from detection. It also makes changes to Windows Explorer settings and downloads other malicious files from external servers.
	File System Modifications
    * The following files were created in the system:
#	Filename(s)	File Size	File MD5	Alias
1 	c:.com 	116.871 bytes 	0x319443231C6B8B2945839353211323DA 	(not available)
2 	c:\autorun.inf 	544 bytes 	0xFEE13D7B72CFD52FE0718A25FD36FF80 	(not available)
3 	%Temp%\eytsuap7.dll 	26.388 bytes 	0xABF0801BF467D979683AE104E3A77A80 	Trojan.Onlinegames.Gen!Pac.73 [PCTools]Bloodhound.Packed.Jmp [symantec]
4 	%Temp%\tru1.tmp 	140.548 bytes 	0x67818D263FE0F8C2FDF42F1722AFD068 	(not available)
5 	%System%\kavo.exe 	116.871 bytes 	0xA4DEAFAC4C9010E0655597C3C0BDB2B7 	W32/Autorun.worm.bx.gen [McAfee]
6 	%System%\kavo1.dll 	125.952 bytes 	0x9A88F77584DB91C027D8DAE0D9B92842 	PWS-LegMir.gen.k.dll [McAfee]
    * Notes:
          o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[userName]\Local Settings\Temp\ (Windows NT/2000/XP).
          o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
	Memory Modifications
    * There were new processes created in the system:
Process Name	Process Filename	Main Module Size
1.exe	%Windir%\1.exe	262.144 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	147.456 bytes
kavo.exe	%System%\kavo.exe	262.144 bytes
    * There was a new memory page created in the address space of the system process(es):
Process Name	Process Filename	Allocated Size
explorer.exe	%Windir%\explorer.exe	131.072 bytes
    * The following module was loaded into the address space of other process(es):
Module Name	Module Filename	Address Space Details
kavo1.dll	%System%\kavo1.dll	Process name: explorer.exe; Process filename: %Windir%\explorer.exe; Address space: 0x1970000 - 0x19A3000
	Registry Modifications
    * The newly created Registry Value is:
          o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
                + kava = "%System%\kavo.exe"
            so that kavo.exe runs every time Windows starts 
    * The following Registry Value was modified:
          o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
                + CheckedValue = 0x00000000
            so that hidden files and folders are not displayed in explorer when browsing the file system 
	Other details
    * Analysis of the file resources indicates the following possible country of origin: China
    * The following Internet download was started (the retrieved bits are saved into the local file):
URL to be downloaded	Filename for the downloaded bits
http://www.1a123.com/hp/zz.rar	%Temp%\zz.rar