ThreatScope Analysis Report

For file VirusShare_0cf9e999c574ec89595263446978dc9f uploaded 2013-02-20 at 12:17:10 PM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Drops and runs executable file(s)

Traffic to server using Dynamic DNS

Writes to the filesystem in a Windows system directory

Traffic to server hosting potentially malicious content

Writes to the filesystem in a directory of the user profile often used by malware

Screenshots:

File details:

Hash MD5: 0cf9e999c574ec89595263446978dc9f
Hash SHA-1: 5a52e53f4ac4a56f23883494a7108e3b631ba428
Hash SHA-256: -
File size: 293.00 KB
File uploaded: 2013-02-20 12:17:10 PM
Report created: 2013-02-20 12:17:17 PM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs.

Column notes: "Details" may include user agent string, HTTP server, or encryption information. "Status" lists the response type first (e.g. 200, meaning OK) and the size of the response second. "MIME" lists the server-declared content type first and the true content type second.

URL: news.lflinkup.org/jokes.htm
IP Address: 198.143.231.107 (United States)
Category: Dynamic DNS
Details: User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2); HTTP Server: Microsoft-IIS/6.0
Method: GET
Status: 200, 799 B
MIME: text/html

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname: news.lflinkup.org
Category: Dynamic DNS
IP address: 198.143.231.107

IP addresses

The analyzed file requests the following IP addresses.

IP Address: 198.143.231.107
ASN: AS6983 ITC^Deltacom (United States)

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event: Writes file
File path: \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Microsoft\Crypto\DSS\S-1-5-21-1220945662-152049171-1343024091-1003\408eed695a43ce909427ce7300568d96_3d274d6f-7a13-4fea-b6cc-59562ed0973a

Event: Writes file
File path: \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temporary Internet Files\Content.IE5\MLOLIDQD\jokes[1].htm

Event: Writes file
File path: \Device\HarddiskVolume1\WINDOWS\Temp\5a52e53f4ac4a56f23883494a7108e3b631ba428.pdf

Event: Writes file
File path: \Device\HarddiskVolume1\Documents and Settings\victimo\Start Menu\Programs\Startup\AdobeRe.exe

Process modifications

The analyzed file affected the following system processes.

Event: Creates process
File path: \Device\HarddiskVolume1\WINDOWS\Temp\5a52e53f4ac4a56f23883494a7108e3b631ba428.exe

Event: Creates process
File path: \Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe

Event: Creates process
File path: \Device\HarddiskVolume1\Documents and Settings\victimo\Start Menu\Programs\Startup\AdobeRe.exe

Event: Creates process
File path: \Device\HarddiskVolume1\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe

Event: Creates process
File path: \Device\HarddiskVolume1\WINDOWS\explorer.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Every entry below has the event "Adds/Sets value"; the Data column is blank for every entry in this report, so only the key is listed.

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\cSettings\tcSetting
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\tDistMethod
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch\bIsFirstLaunchSR
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Adds/Sets value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\bDefaultFD
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\tDistMethod
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\bDefaultFD
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\bAlwaysUseServerFD
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch\bIsFirstLaunchSF
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\bAlwaysUseServer
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\tUI
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch\bIsFirstLaunchFD
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\AVGeneral\bLastExitNormal
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\tURL
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\tUI
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch\bIsFirstLaunchUF
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cEmailDistribution\cSettings\tcSetting
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cInitiationWizardFirstLaunch\bIsFirstLaunchER
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6ac2bc2-bb99-11e1-9e4a-806d6172696f}\BaseClass
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\bAlwaysUseServerFD
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\tURL
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6ac2bc0-bb99-11e1-9e4a-806d6172696f}\BaseClass
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Adobe\Acrobat Reader\9.0\Collab\cDocumentCenter\bDefault
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy

Global system events

No global system events were detected.

Websense has made an effort to determine whether your submission is malicious; however, Websense cannot guarantee the accuracy of the result.