Koblu
http://www.threatexpert.com/report.aspx?md5=ff061cc088bd21ed382a5...
Submission Summary:
Submission details:
  Submission received: 8 March 2011, 01:08:27
  Processing time: 10 min 58 sec

Submitted sample:
  File MD5: 0xFF061CC088BD21ED382A512C54B9158C
  File SHA-1: 0xA182B74A99B1865B5E5B7A0FE25BE25CBE3CAFE7
  Filesize: 262,656 bytes
  Alias: Trojan.Win32.Koblu [Ikarus]

Summary of the findings:
  What's been found                                                  Severity Level
  Registers a Winlogon notification package so that the installed
  module is loaded into the address space of winlogon.exe.
Technical Details:
(not available)
3. %System%\itlpfw32.dll
   File size: 211,968 bytes
   MD5: 0x752199121E9CBBF6D582EE21DBD8DB1E
   SHA-1: 0x0BC70BEFC9D6FC26A1BBFBAB94105D31D7DEA659
   Alias: (not available)

4. [file and pathname of the sample #1]
   File size: 262,656 bytes
   MD5: 0xFF061CC088BD21ED382A512C54B9158C
   SHA-1: 0xA182B74A99B1865B5E5B7A0FE25BE25CBE3CAFE7
   Alias: Trojan.Win32.Koblu [Ikarus]
Notes: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP). %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
1 of 5
4/28/2011 6:12 PM
Memory Modifications
The following module was loaded into the address space of other process(es):
  Module Name: itlpfw32.dll
  Module Filename: %System%\itlpfw32.dll
  Address Space Details:
    Process name: svchost.exe
    Process filename: %System%\svchost.exe
    Address space: 0x860000 - 0x899000

There was a new service created in the system:
  Service Name   Display Name   Status   Service Filename
  itlperf
Registry Modifications
The following Registry Keys were created:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlnfw32
  HKEY_LOCAL_MACHINE\SOFTWARE\Intel
  HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Perfermence
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ITLPERF
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ITLPERF\0000
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ITLPERF\0000\Control
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf\Parameters
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf\Security
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf\Enum
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITLPERF
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITLPERF\0000
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITLPERF\0000\Control
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf\Parameters
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf\Security
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf\Enum

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    itlsvc = "itlperf"
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlnfw32]
    Asynchronous = 0x00000001
    DllName = "itlnfw32.dll"
    Impersonate = 0x00000000
    Enabled = 0x00000001
    Logon = "WlLogonEvent"
    Startup = "WlStartupEvent"
    so that itlnfw32.dll is installed as a Winlogon notification package
  [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Perfermence]
    Pwd = "35242350"
    Installer = "BKjv0LJNjTaeRtX8Set6boFYacPVlLRWWoBjvErU7LM="
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ITLPERF\0000\Control]
    *NewlyCreated* = 0x00000000
    ActiveService = "itlperf"
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ITLPERF\0000]
    Service = "itlperf"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "Intel CPU Perfermons"
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ITLPERF]
    NextInstance = 0x00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf\Enum]
    0 = "Root\LEGACY_ITLPERF\0000"
    Count = 0x00000001
    NextInstance = 0x00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf\Security]
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf\Parameters]
    ServiceDll = "%System%\itlpfw32.dll"
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itlperf]
    Type = 0x00000120
    Start = 0x00000002
    ErrorControl = 0x00000001
    ImagePath = "%System%\svchost.exe -k itlsvc"
    DisplayName = "Intel CPU Perfermons"
    ObjectName = "LocalSystem"
    Description = "Intel CPU perfermons service."
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITLPERF\0000\Control]
    *NewlyCreated* = 0x00000000
    ActiveService = "itlperf"
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITLPERF\0000]
    Service = "itlperf"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "Intel CPU Perfermons"
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITLPERF]
    NextInstance = 0x00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf\Enum]
    0 = "Root\LEGACY_ITLPERF\0000"
    Count = 0x00000001
    NextInstance = 0x00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf\Security]
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf\Parameters]
    ServiceDll = "%System%\itlpfw32.dll"
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itlperf]
    Type = 0x00000120
    Start = 0x00000002
    ErrorControl = 0x00000001
    ImagePath = "%System%\svchost.exe -k itlsvc"
    DisplayName = "Intel CPU Perfermons"
    ObjectName = "LocalSystem"
    Description = "Intel CPU perfermons service."
  [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    DisableScriptDebuggerIE = "yes"
    Error Dlg Displayed On Every Error = "no"
    Play_Animations = "no"
    Display Inline Videos = "no"
  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    WarnOnZoneCrossing = 0x00000000
    WarnOnPostRedirect = 0x00000000
    WarnonBadCertRecving = 0x00000000
    WarnOnHTTPSToHTTPRedirect = 0x00000000
    WarnOnPost = 0x00000000

The following Registry Values were modified:
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
    (Default) =
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
    (Default) =
  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    1001 =
    1206 =
    1406 =
    1601 =
    1604 =
    1605 =
    1609 =
    1800 =
    1804 =
    1805 =
    1806 =
    1A04 =
    1A05 =
    1C00 =
Other details
Analysis of the file resources indicates the following possible country of origin:
China
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert. The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant, or make any representations regarding, the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. Copyright 2011 ThreatExpert. All rights reserved.