ThreatScope Analysis Report

For file RemovalTool.exe uploaded 2012-08-28 at 08:50:51 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

HTTP traffic to server hosting malicious content

Drops executable file(s)

HTTP traffic to uncategorized server

Writes to the filesystem in a directory of the user profile often used by malware

Screenshots:

File details:

Hash MD5: ebb4ac5bb30b93e38a02683e3e7c98c6
Hash SHA-1: 2adcb91c4ce31cc85cbed28df3b475d76a7f91a1
Hash SHA-256: ee68078699089fd035bf99716cac53f0a970cbf62356f1a53941b512daedbfd4
File size: 516.00 KB
File uploaded: 2012-08-28 08:50:51 AM
Report created: 2012-08-28 08:52:43 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs.

Column notes:
- Details: may include user agent string, HTTP server, or encryption information.
- Status: the first item is the response type (e.g. 200, meaning OK); the second item is the size of the response.
- MIME: the first item is the server-declared content type; the second item is the true content type.

URL: www.bluemountain-ecards.net/images/loader.php
IP Address: 69.73.138.167 (United States)
Category: Uncategorized
Details:
  User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1
  HTTP Server: Apache
Method: GET
Status: 200, 15 B
MIME: text/html

URL: www.asselegis.org.br/images/txt.txt
IP Address: 187.73.33.54 (Brazil)
Category: Malicious Web Sites
Details:
  User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1
  HTTP Server: Apache
Method: GET
Status: 200, 421 B
MIME: text/plain

URL: www.basketcoach.com/images/logos/Plugin.dll
IP Address: 94.23.235.157 (France)
Category: Sports
Details:
  User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  HTTP Server: Apache
Method: GET
Status: 200, 1.37 MB
MIME: application/x-msdos-program

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname                   Category              IP address
bluemountain-ecards.net    Uncategorized         69.73.138.167
www.basketcoach.com        Sports                94.23.235.157
www.asselegis.org.br       Malicious Web Sites   187.73.33.54

IP addresses

The analyzed file requests the following IP addresses.

IP Address       ASN
69.73.138.167    United States
187.73.33.54     Brazil
94.23.235.157    France

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event          File path
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll
Creates file   c:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll
Writes file    c:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll
Opens file     c:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll

Process modifications

The analyzed file affected the following system processes.

Event             File path
Creates process   Sample started
Creates process   C:\WINDOWS\system32\regsvr32.exe

Registry

No Windows Registry changes were made.

Global system events

The following global system events were detected.

Event              Name
Creates semaphore  shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}98c6.exe
Creates mutex      ZonesCounterMutex
Creates mutex      ZonesCacheCounterMutex
Creates mutex      ZonesLockedCacheCounterMutex
Creates event
Creates mutex      Mutex_140398102
Creates event      Global\crypt32LogoffEvent
Creates semaphore  shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}98c6.exe
Creates mutex      c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates mutex      c:!documents and settings!administrator!cookies!ttings!temporary internet files!content.ie5!
Creates mutex      c:!documents and settings!administrator!local settings!history!history.ie5!iles!content.ie5!
Creates mutex      WininetConnectionMutex
Creates event      DINPUTWINMM
Creates mutex      RasPbFile
Creates event      Global\userenv: User Profile setup evente7c98c6.exe
Creates semaphore  shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}98c6.exe
Creates mutex      SHIMLIB_LOG_MUTEX
Creates semaphore  shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Creates event      Global\userenv: User Profile setup eventE1}

Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.