第一乞丐潮哥.cmd  Size: 284694  MD5: D84C9278AF1C162AFF8BA617B56BA645
- Download 第一乞丐潮哥.cmd as a password protected archive (please contact me if you need the password).
- Download dropped files as a password protected archive (please contact me if you need the password).
From: www71625 [mailto:www71625@yahoo.com.tw]
Sent: Monday, March 08, 2010 6:53 PM
To: XXXXX
Subject: 超牛B,中國第一极品帥哥的傳說,蓋過現實明星..壓縮密碼668
(translation: "Super awesome, the legend of China's number one handsome guy, outshining real-life stars.. archive password 668")
咋樣?哥老犀利、老有型了,网絡從沒寂寞過。也不甘寂寞--..壓縮密碼668
(translation: "How about that? Bro is so sharp and so stylish, never been lonely online, and not about to settle for it--.. archive password 668")
Virustotal 第一乞丐潮哥.cmd
AntiVir 8.2.1.180 2010.03.05 TR/Drop.Agen.283856
AVG 9.0.0.787 2010.03.07 PSW.OnlineGames3.AEQN
DrWeb 5.0.1.12222 2010.03.07 Trojan.Packed.1132
F-Secure 9.0.15370.0 2010.03.07 Trojan:W32/Agent.NRR
Fortinet 4.0.14.0 2010.03.07 SPY/Magania
Ikarus T3.1.1.80.0 2010.03.07 Worm.Win32.Taterf
Kaspersky 7.0.0.125 2010.03.07 Trojan-GameThief.Win32.Magania.cxsb
McAfee 5912 2010.03.06 New Malware.bl
McAfee+Artemis 5912 2010.03.06 New Malware.bl
McAfee-GW-Edition 6.8.5 2010.03.07 Trojan.Drop.Agen.283856
Microsoft 1.5502 2010.03.07 VirTool:Win32/Obfuscator.EX
Panda 10.0.2.2 2010.03.07 Trj/CI.A
Sophos 4.51.0 2010.03.07 Sus/UnkPack-C
Sunbelt 5780 2010.03.07 VirTool.Win32.Obfuscator
Symantec 20091.2.0.41 2010.03.07 Backdoor.Graybird
Additional information
File size: 284694 bytes
MD5...: d84c9278af1c162aff8ba617b56ba645
Symantec and PCtools detect it as Graybird, aka Gray Pigeon, but it is not. It is a classic Magania trojan, described here by F-Secure.
Threatexpert report
I am pasting most of it below as well.
- File MD5: 0xD84C9278AF1C162AFF8BA617B56BA645
- File SHA-1: 0x92C1FEF49F9FFA2058F463864A1B17E624FF5A19
- Filesize: 284,694 bytes
- Alias:
- Backdoor.Graybird [PCTools]
- Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]
Technical Details:
- A new window was created, as shown below: --- no idea who it is; if you do, please enlighten me (M)
File System Modifications
- The following files were created in the system:
  1. %Temp%\RarSFX0\8.sfx.exe
     175,488 bytes | MD5: 0x4BA3B2CC974F483075E19521B8B0B71F | SHA-1: 0x9DA317C4FB3AF3528CD6730E6999EDC6F46C77A8
     Alias: Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]; Mal/RarMal-B [Sophos]
  2. %Temp%\RarSFX0\su3.jpg
     59,384 bytes | MD5: 0x89A5DA994FD9BE9EECE1612B7FD1E92E | SHA-1: 0x2E3C8E1516FBADFB3953608B873A08768E15F7FE
     Alias: (not available)
  3. %System%\8.exe
     96,002 bytes | MD5: 0xF7E1DA20030BD8DB5B5F33584740D282 | SHA-1: 0x81067AF434AD1AF3ECF35443CBD80A3B848AFF71
     Alias: Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]
  4. [file and pathname of the sample #1]
     284,694 bytes (listed as 84,694 in the report; the MD5 is that of the 284,694-byte sample) | MD5: 0xD84C9278AF1C162AFF8BA617B56BA645 | SHA-1: 0x92C1FEF49F9FFA2058F463864A1B17E624FF5A19
     Alias: Backdoor.Graybird [PCTools]; Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]
- The following directory was created:
  - %Temp%\RarSFX0
Memory Modifications
- A new process was created in the system:
  Process Name: [filename of the sample #1]
  Process Filename: [file and pathname of the sample #1]
  Main Module Size: 151,552 bytes
- Analysis of the file resources indicates the following possible countries of origin:
  - Taiwan
  - China
More detailed CW Sandbox Sunbelt report
----------------------------------------------------------------------------------------
Once executed, the image above is displayed and the files listed below are created:
C:\WINDOWS\system32\ajbpi.exe - the code of this file is injected into the explorer.exe process. It is the same file ThreatExpert listed as %System%\8.exe (same size and MD5); the file name is random.
Virustotal
File ajbpi.exe received on 2010.03.09 05:00:32 (UTC)
Result: 17/42 (40.48%)
a-squared 4.5.0.50 2010.03.09 Worm.Win32.Taterf!IK
AntiVir 8.2.1.180 2010.03.08 TR/PSW.Magania.cxsb
AVG 9.0.0.787 2010.03.08 PSW.OnlineGames3.AEQN
CAT-QuickHeal 10.00 2010.03.08 (Suspicious) - DNAScan
DrWeb 5.0.1.12222 2010.03.09 Trojan.Packed.1132
F-Secure 9.0.15370.0 2010.03.09 Trojan:W32/Agent.NRR
Fortinet 4.0.14.0 2010.03.07 SPY/Magania
Ikarus T3.1.1.80.0 2010.03.09 Worm.Win32.Taterf
Kaspersky 7.0.0.125 2010.03.09 Trojan-GameThief.Win32.Magania.cxsb
McAfee 5914 2010.03.08 New Malware.bl
McAfee+Artemis 5914 2010.03.08 New Malware.bl
McAfee-GW-Edition 6.8.5 2010.03.09 Heuristic.LooksLike.Win32.SuspiciousPE.B
Microsoft 1.5502 2010.03.08 VirTool:Win32/Obfuscator.EX
Sophos 4.51.0 2010.03.09 Sus/UnkPack-C
Sunbelt 5797 2010.03.09 VirTool.Win32.Obfuscator
Symantec 20091.2.0.41 2010.03.09 Suspicious.Insight
TrendMicro 9.120.0.1004 2010.03.09 TROJ_GAMETHI.FJF
File size: 96002 bytes
MD5...: f7e1da20030bd8db5b5f33584740d282
In user temp directory:
%Temp%\RarSFX0\8.sfx.exe
%Temp%\RarSFX0\su3.jpg
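The sample unpacks as a WinRAR self-extractor into %Temp%\RarSFX0 before anything else runs. The following is an added example (not code from the original post or from any tool cited on it) that locates the RAR 1.5-4.x archive appended to an SFX stub and lists the names, sizes and compression method of the files it would drop, by walking the block headers and checking each header's CRC. The bytes it parses are constructed inside the block as a stand-in (a fake stub followed by an archive carrying the two names seen in RarSFX0); they are not the real malware, and the stub before the marker is a placeholder rather than a real PE. RAR5 archives use a different marker and are not handled.

```python
"""List what a WinRAR SFX would drop, without running it (added example)."""
import struct
import sys
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"          # RAR 1.5-4.x marker block
FILE_HEAD, ENDARC = 0x74, 0x7B
LONG_BLOCK, LHD_LARGE = 0x8000, 0x0100
METHODS = {0x30: "stored", 0x31: "fastest", 0x32: "fast",
           0x33: "normal", 0x34: "good", 0x35: "best"}


def find_rar_marker(data: bytes) -> int:
    """Offset of the embedded archive (the SFX stub precedes it), or -1."""
    return data.find(RAR_MARKER)


def list_sfx_contents(data: bytes, start: int) -> list:
    """Walk v4 block headers after the marker and collect file entries.

    Each header is HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2); with
    LONG_BLOCK set, a 4-byte ADD_SIZE of trailing data follows (for a file
    block that is PACK_SIZE). HEAD_CRC is the low 16 bits of CRC32 over the
    header bytes after itself; a mismatch means we have left the archive, so
    we stop instead of reporting garbage."""
    entries = []
    pos = start + len(RAR_MARKER)
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            break
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            break
        add_size = 0
        if flags & LONG_BLOCK and head_size >= 11:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == ENDARC:
            break
        if head_type == FILE_HEAD and head_size >= 32:
            (pack_size, unp_size, _os, file_crc, _time, _ver, method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32
            if flags & LHD_LARGE:             # 64-bit sizes: high words follow
                hi_pack, hi_unp = struct.unpack_from("<II", data, name_off)
                pack_size |= hi_pack << 32
                unp_size |= hi_unp << 32
                name_off += 8
            # With LHD_UNICODE the field is "ascii\0unicode"; keep the ASCII part
            raw = data[name_off:name_off + name_size].split(b"\x00")[0]
            entries.append({"name": raw.decode("utf-8", "replace"),
                            "packed": pack_size, "unpacked": unp_size,
                            "method": METHODS.get(method, hex(method)),
                            "crc32": file_crc})
            add_size = pack_size
        pos += head_size + add_size
    return entries


def scan(data: bytes) -> list:
    """Find the marker and list entries; empty list if there is no archive."""
    off = find_rar_marker(data)
    return list_sfx_contents(data, off) if off >= 0 else []


def _block(head_type: int, flags: int, body: bytes) -> bytes:
    """Build one v4 block header with a correct HEAD_CRC (sample construction only)."""
    tail = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail


def _file_block(name: bytes, payload: bytes) -> bytes:
    """FILE_HEAD for a stored (method 0x30) Win32 file, followed by its bytes."""
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2,
                       zlib.crc32(payload) & 0xFFFFFFFF, 0, 29, 0x30,
                       len(name), 0x20) + name
    return _block(FILE_HEAD, LONG_BLOCK, body) + payload


# Constructed stand-in for an SFX: a fake stub, then an archive holding the two
# names the post saw land in %Temp%\RarSFX0. These bytes are not the real sample.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 120
    + RAR_MARKER
    + _block(0x73, 0x0000, b"\x00" * 6)                  # MAIN_HEAD: HighPosAV + PosAV
    + _file_block(b"8.sfx.exe", b"MZ-second-stage-stand-in")
    + _file_block(b"su3.jpg", b"\xff\xd8\xff\xe0 fake jpeg bytes")
    + _block(ENDARC, 0x4000, b"")
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SFX
    off = find_rar_marker(blob)
    print(f"RAR v4 marker at offset {off}" if off >= 0 else "no RAR v4 marker found")
    for e in scan(blob):
        print(f"  {e['name']:<24} {e['unpacked']:>9} bytes  {e['method']}  crc32={e['crc32']:08x}")
```

Run it with a suspected dropper as the only argument; with no argument it parses the constructed sample. A hit on the marker with plausible file entries is enough to pull the archive apart with a normal unrar before the stub ever executes; a hit with CRC failures right after the marker usually means the archive is not v4 or has been tampered with.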
Virustotal 8.sfx.exe
File 8.sfx.exe received on 2010.03.09 04:40:32 (UTC)
Result: 15/42 (35.72%)
AntiVir 8.2.1.180 2010.03.08 DR/PSW.Magania.cxsb
AVG 9.0.0.787 2010.03.08 PSW.OnlineGames3.AEQN
DrWeb 5.0.1.12222 2010.03.09 Trojan.Packed.1132
F-Secure 9.0.15370.0 2010.03.09 Trojan:W32/Agent.NRR
Ikarus T3.1.1.80.0 2010.03.09 Worm.Win32.Taterf
Kaspersky 7.0.0.125 2010.03.09 Trojan-GameThief.Win32.Magania.cxsb
McAfee 5914 2010.03.08 New Malware.bl
McAfee+Artemis 5914 2010.03.08 New Malware.bl
McAfee-GW-Edition 6.8.5 2010.03.09 Trojan.Dropper.PSW.Magania.cxsb
Microsoft 1.5502 2010.03.08 VirTool:Win32/Obfuscator.EX
Sophos 4.51.0 2010.03.09 Sus/UnkPack-C
Sunbelt 5797 2010.03.09 VirTool.Win32.Obfuscator
Symantec 20091.2.0.41 2010.03.09 Suspicious.Insight
TrendMicro 9.120.0.1004 2010.03.09 TROJ_GAMETHI.FJF
Additional information
File size: 175488 bytes
MD5...: 4ba3b2cc974f483075e19521b8b0b71f
Virustotal su3.jpg
File su3.jpg received on 2010.03.09 04:41:24 (UTC)
Result: 2/41 (4.88%)
AntiVir 8.2.1.180 2010.03.05 TR/Drop.Agen.283856
McAfee-GW-Edition 6.8.5 2010.03.07 Trojan.Drop.Agen.283856
Additional information
File size: 59384 bytes
MD5...: 89a5da994fd9be9eece1612b7fd1e92e
DNS queries and TCP traffic
chidoule.com = 205.209.180.114
ymymym.com = 61.152.96.121
information from Robtex.com
- 456.com, screenma.com, exprexss.com, chidoule.com, www.li456.com and at least one other host point to 205.209.180.114. It is blacklisted in one list.
http://www.robtex.com/ip/61.152.96.121.html#graph
0100.cc, hyqk.com, x127.com, qmzp.net, mb52.com and at least 100 other hosts point to 61.152.96.121. It is blacklisted in seven lists.
205.209.180.114
OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
ReferralServer: rwhois://rwhois.managedsg-inc.com:4321
NetRange: 205.209.128.0 - 205.209.191.255
CIDR: 205.209.128.0/18
NetName: NET-MANAGED
NetHandle: NET-205-209-128-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: RDNS1.MANAGEDSG-INC.COM
NameServer: RDNS2.MANAGEDSG-INC.COM
Comment:
RegDate: 2004-04-15
Updated: 2006-03-17
Found a referral to rwhois.managedsg-inc.com:4321.
%rwhois V-1.5:003eff:00 rwhoisd (by Network Solutions, Inc. V-1.5.9.5)
network:Auth-Area:205.209.128.0/18
network:Class-Name:network
network:Network-Name:NET-MSG
network:IP-Network:205.209.180.114/32
network:IP-Network-Block:205.209.180.114
network:Organization-Name:Fei Xu
network:Organization-City:ShangHai
network:Organization-State:ShangHai
network:Organization-Zip:200437
network:Organization-Country:CN
network:Description-Usage:customer
network:Created:20100308
network:Updated:20100308
network:Updated-By:abuse@managedsg-inc.com
61.152.96.121
inetnum: 61.152.96.120 - 61.152.96.126
netname: LIN-CHUN-SHENG
descr: LIN CHUN SHENG
country: CN
admin-c: WQ58-AP
tech-c: WL371-AP
mnt-by: MAINT-CHINANET-SH
changed: wanglin@shaidc.com 20040413
status: ASSIGNED NON-PORTABLE
source: APNIC
person: Wang Qing
address: 6F,380 Fushan Road,Shanghai 200122
country: CN
phone: +86-21-68761255-807
fax-no: +86-21-68761255-805
e-mail: wanglin@shaidc.com
nic-hdl: WQ58-AP
mnt-by: MAINT-CN-SHTELE-XINCHAN
changed: wanglin@shaidc.com 20021007
source: APNIC
person: Wang Lin
address: 6F,380 Fushan Road,Shanghai 200122
country: CN
phone: +86-21-68761255-807
fax-no: +86-21-68761255-805
e-mail: wanglin@shaidc.com
nic-hdl: WL371-AP
mnt-by: MAINT-CN-SHTELE-XINCHAN
changed: wanglin@shaidc.com 20021007
source: APNIC
route: 61.152.0.0/16
descr: PNAP-SEA
CHINAnet
origin: AS4134
mnt-by: INAP-MAINT-RADB
changed: hollyb@internap.com 20000507
source: RADB