The requested URL

is infected with Trojan.Win32.Delf.cxi virus
Security Risk | Description
Trojan-Spy.Pophot.FT | Trojan-Spy.Pophot.FT is a threat that registers itself as a system service and collects certain essential information from the system.
Attention! The following threat category was identified:
Threat Category Description
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
File System Modifications
The following files were created in the system:
# | Filename(s) | File Size | File MD5 | Alias
1 | %Profiles%\LocalService\Favorites\Desktop.ini | 122 bytes | 0xFC2BF37169C033A08C1FD7680193CCE2 | (not available)
2 | %System%\RpcS.dll | 135,168 bytes | 0x58A1B347EB4CB768D11DE4311ACC5E22 | Backdoor.Win32.Delf.ash [Kaspersky Lab]; Backdoor.Trojan [Symantec]; BackDoor-CXI [McAfee]; TROJ_SHEUR.FIJ [Trend Micro]
3 | %System%\RpcS.exe; [file and pathname of the sample #1] | 440,832 bytes | 0x86FCE8F87CB043FDAD626CAAC4E86620 | (not available)
Notes:
%Profiles% is a variable that refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
The following directories were created:
%Profiles%\LocalService\Favorites
%Profiles%\LocalService\Favorites\Links
Memory Modifications
There were new processes created in the system:
Process Name | Process Filename | Main Module Size
RpcS.exe | %System%\rpcs.exe | 770,048 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 770,048 bytes
The following module was loaded into the address space of other process(es):
Module Name | Module Filename | Address Space Details
RpcS.dll | %System%\RpcS.dll | Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0x1C20000 - 0x1C45000
Notes:
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
There was a new service created in the system:
Service Name | Display Name | Status | Service Filename
RpcS | Remote Procedure Call System(RPCS) | "Running" | %System%\RpcS.exe
Registry Modifications
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcS\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcS\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcS\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcS\Enum
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCS\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "RpcS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCS\0000]
Service = "RpcS"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Remote Procedure Call System(RPCS)"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCS]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcS\Enum]
0 = "Root\LEGACY_RPCS\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcS\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcS]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\RpcS.exe"
DisplayName = "Remote Procedure Call System(RPCS)"
ObjectName = "LocalSystem"
Description = "���������RPCï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï ¿½Ý¿â¡£By:HACKLL QQ:8824965"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCS\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "RpcS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCS\0000]
Service = "RpcS"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Remote Procedure Call System(RPCS)"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCS]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcS\Enum]
0 = "Root\LEGACY_RPCS\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcS\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcS]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\RpcS.exe"
DisplayName = "Remote Procedure Call System(RPCS)"
ObjectName = "LocalSystem"
Description = "���������RPCï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï ¿½Ý¿â¡£By:HACKLL QQ:8824965"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar]
Locked = 0x00000001
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
Settings = 0C 00 02 00 0A 01 F8 75 60 00 00 00
FullPath = 0x00000000
The following Registry Values were modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
Directory = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
CachePath = "%Profiles%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000B
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000B
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cookies = "%Profiles%\LocalService\Cookies"
Favorites = "%Profiles%\LocalService\Favorites"
Cache = "%Profiles%\LocalService\Local Settings\Temporary Internet Files"
History = "%Profiles%\LocalService\Local Settings\History"
COOOL HACKTOOL