PDF

Print

ThreatScope Analysis Report

For file RemovalTool.exe uploaded 2012-08-28 at 06:50:51 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

HTTP traffic to server hosting malicious content

Drops executable file(s)

HTTP traffic to uncategorized server

Writes to the filesystem in a directory of the user profile often used by malware

Screenshots:

File details:

Hash MD5

ebb4ac5bb30b93e38a02683e3e7c98c6

File size

516.00 KB

Hash SHA-1

2adcb91c4ce31cc85cbed28df3b475d76a7f91a1

File uploaded

2012-08-28 06:50:51 AM

Hash SHA-256

ee68078699089fd035bf99716cac53f0a970cbf62356f1a53941b512daedbfd4

Report created

2012-08-28 06:52:43 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs.

URL

IP Address

Category

Details

May include user agent string, HTTP server, or encryption information.

Details

Method

Status

The first item is the response type (e.g. 200, meaning OK). The second item is the size of the response.

Status

MIME

The first item is the server-declared content type. The second item is the true content type.

MIME

www.bluemountain-ecards.net/im
ages/loader.php

69.73.138.167

United States

Uncategorized

User agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1

HTTP Server:

Apache

GET

200
15 B

text/html

www.asselegis.org.br/images/tx
t.txt

187.73.33.54

Brazil

Malicious Web Sites

User agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1

HTTP Server:

Apache

GET

200
421 B

text/plain

www.basketcoach.com/images/log
os/Plugin.dll

94.23.235.157

France

Sports

User agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

HTTP Server:

Apache

GET

200
1.37 MB

application/x-msdos-program

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname

Category

IP address

bluemountain-ecards.net

Uncategorized

69.73.138.167

www.basketcoach.com

Sports

94.23.235.157

www.asselegis.org.br

Malicious Web Sites

187.73.33.54

IP addresses

The analyzed file requests the following IP addresses.

IP Address

ASN

69.73.138.167

United States

187.73.33.54

Brazil

94.23.235.157

France

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event

File path

Creates file

c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll

Writes file

c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll

Opens file

c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll

Creates file

c:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll

Writes file

c:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll

Opens file

c:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll

Process modifications

The analyzed file affected the following system processes.

Event

File path

Creates process

Sample started

Creates process

C:\WINDOWS\system32\regsvr32.exe

Registry


No Windows Registry changes were made.

Global system events

The following global system events were detected.

Event

Name

Creates semaphore

shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}98c6.exe

Creates mutex

ZonesCounterMutex

Creates mutex

ZonesCacheCounterMutex

Creates mutex

ZonesLockedCacheCounterMutex

Creates event

Creates mutex

Mutex_140398102

Creates event

Global\crypt32LogoffEvent

Creates semaphore

shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}98c6.exe

Creates mutex

c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Creates mutex

c:!documents and settings!administrator!cookies!ttings!temporary internet files!content.ie5!

Creates mutex

c:!documents and settings!administrator!local settings!history!history.ie5!iles!content.ie5!

Creates mutex

WininetConnectionMutex

Creates event

DINPUTWINMM

Creates mutex

RasPbFile

Creates event

Global\userenv: User Profile setup evente7c98c6.exe

Creates semaphore

shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}98c6.exe

Creates mutex

SHIMLIB_LOG_MUTEX

Creates semaphore

shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}

Creates event

Global\userenv: User Profile setup eventE1}

Websense has made an effort to determine if your submission is malicious however, Websense cannot guarantee the accuracy of the result