Information Disclosure, Error Messages, DORK, GHDB, Report, threatexpert.com

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


Netsparker - Scan Report Summary
TARGET URL
http://threatexpert.com/report.aspx?md5=d5999...
SCAN DATE
4/22/2011 11:15:39 PM
REPORT DATE
4/22/2011 11:19:07 PM
SCAN DURATION
00:00:14

Total Requests

157

Average Speed

10.84 req/sec.
5 identified
1 confirmed
0 critical
3 informational

GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES
Netsparker - Web Application Security Scanner
LOW: 40 %
INFORMATION: 60 %

VULNERABILITY SUMMARY
URL | Parameter | Method | Vulnerability | Confirmed
/report.aspx | md5 | GET | Internal Server Error | Yes
/report.aspx | - | - | ASP.NET Version Disclosure | No
/report.aspx | - | - | IIS Version Disclosure | No
/report.aspx | - | - | ASP.NET Debugging Enabled | No
/report.aspx | - | - | [Possible] Internal Path Leakage (Windows) | No
Internal Server Error

1 TOTAL | LOW | 1 CONFIRMED
The server responded with HTTP status 500, which indicates an unhandled server-side error. The cause can vary, so the behaviour should be analysed carefully: here the 500 was triggered by the injected md5 value, so the parameter reaches code that neither validates it nor handles the resulting exception. If Netsparker is able to find a distinct security issue in the same resource it reports that as a separate vulnerability.

Impact

The impact depends on what caused the error. In general a 500 on attacker-controlled input indicates poor coding practice: insufficient error handling, input sanitisation and whitelisting. There may also be a more serious underlying issue such as SQL injection; if so, Netsparker checks for those conditions and reports them separately.

Remedy

Analyse this issue and review the application code so that unexpected errors are handled. As a general practice the application should catch errors server-side and return a generic error page that discloses no further information; detailed error output should never reach the client.
- /report.aspx

/report.aspx CONFIRMED

http://threatexpert.com/report.aspx?md5='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0..

Parameters

Parameter Type Value
md5 GET '"--></style></script><script>netsparker(0x000035)</script>

Request

GET /report.aspx?md5='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000035)%3C/script%3E HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: threatexpert.com
Cookie: ASP.NET_SessionId=e5iz3355pemzq555sdskjg55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Sat, 23 Apr 2011 04:15:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026


<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Runtime Error</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
<br><br>

<b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a &lt;customErrors&gt; tag within a &quot;web.config&quot; configuration file located in the root directory of the current web application. This &lt;customErrors&gt; tag should then have its &quot;mode&quot; attribute set to &quot;Off&quot;.<br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

&lt;!-- Web.Config Configuration File --&gt;

&lt;configuration&gt;
&lt;system.web&gt;
&lt;customErrors mode=&quot;Off&quot;/&gt;
&lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

</td>
</tr>
</table>

<br>

<b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the &quot;defaultRedirect&quot; attribute of the application's &lt;customErrors&gt; configuration tag to point to a custom error page URL.<br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

&lt;!-- Web.Config Configuration File --&gt;

&lt;configuration&gt;
&lt;system.web&gt;
&lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
&lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

</td>
</tr>
</table>

<br>

</body>
</html>
ASP.NET Version Disclosure

1 TOTAL | LOW
Netsparker identified that the target web server discloses the ASP.NET version in its HTTP responses. In this case the version was leaked through the X-AspNet-Version response header; it can also appear on the default ASP.NET error page. This information helps an attacker select version-specific attacks and makes the system an easier target for automated tooling.

Impact

An attacker can use the disclosed version to look up known vulnerabilities specific to that ASP.NET build, and can combine that knowledge with other weaknesses in the application or web server.

Remedy

Apply the following changes in web.config to prevent information leakage: use custom error pages and stop emitting the X-AspNet-Version header. Configuration element names are case-sensitive (system.web, httpRuntime), so the fragment must be written exactly as shown. The Server and X-Powered-By headers seen in the response are added by IIS itself, not by ASP.NET, and are removed in the IIS configuration (see the IIS Version Disclosure finding).
<system.web>
     <!-- suppress the X-AspNet-Version response header -->
     <httpRuntime enableVersionHeader="false" />
     <!-- never show the default ASP.NET error page to any client; serve generic pages instead -->
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</system.web>

Remedy References

- /report.aspx

/report.aspx

http://threatexpert.com/report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab

Extracted Version

2.0.50727

Request

GET /report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: threatexpert.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:15:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=44shuj55fvxqfobwpd1zxbu0; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 20501


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="ThreatExpert Report: BackDoor-DKI.gen.bu, Trojan.Win32.Refroso">
<style type="text/css">body a {color: #505050; text-decoration: none} body a:hover {color: #c00000; text-decoration: underline}</style>
<link href="./css/report.css" rel="stylesheet" type="text/css"/>
<title>ThreatExpert Report: BackDoor-DKI.gen.bu, Trojan.Win32.Refroso</title>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-1490218-5";_udn="threatexpert.com";urchinTracker();</script>
</head><body>
<table align="right"><tr class="top_link"><td><a href="http://www.threatexpert.com">Visit ThreatExpert web site</a></td>
<td style="color: #707070">|</td><td><a href="javascript:window.close();">Close Report</a></td></tr></table>
<a href="http://www.threatexpert.com"><img src="./resources/logo.gif" style="border: none"/></a>
<h2>Submission Summary:</h2>
<ul><li>Submission details:</li><ul>
<li>Submission received: 22 April 2011, 22:54:28</li>
<li>Processing time: 8 min 39 sec</li>
<li>Submitted sample:</li>
<ul>
<li>File MD5: 0xD59997A47E10791BFE72C5072ECD4DAB</li>
<li>File SHA-1: 0xFDC2A713CBB805E41FC7DEC962492F475DEC0D20</li>
<li>Filesize: 1,392,640 bytes</li>
<li>Alias:</li>
<ul><li>BackDoor-DKI.gen.bu [McAfee]</li>
<li><a href="http://www.threatexpert.com/threats/trojan-win32-refroso.html" target="_blank">Trojan.Win32.Refroso<img src="./resources/flag.gif" style="border:none"/></a> [Ikarus]</li>
</ul>
</ul>
</ul></ul>
<p>&nbsp;</p><h2>Technical Details:</h2>
<p>&nbsp;</p><table cellpadding="0" cellspacing="0" style="width:100%"><tr><td><img style="border: none" src="./resources/file_mod.gif"/></td><td width="100%" class="h3">File System Modifications</td></tr></table>
<ul><li>The following files were created in the system:</li></ul>
<p><table class="tbl" cellpadding="5" cellspacing="0">
<tr><td class="cell_1_h">#</td><td class="cell_1_h">Filename(s)</td><td class="cell_1_h">File Size</td><td class="cell_1_h">File Hash</td><td class="cell_2_h">Alias</td></tr>
<tr><td class="cell_1">1</td>
<td class="cell_1">
%CommonPrograms%\Teemoon Video Matching.lnk
</td>
<td class="cell_1">1,914 bytes</td>
<td class="cell_1">MD5: 0x56D6C61DEAAB26C4A020903FE1E52DB8<br/>SHA-1: 0x7D5C467DAFBC2618337846F62159192272C00979</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">2</td>
<td class="cell_1">
%Temp%\19b9f.msi
<br/>
%Temp%\MSI1.tmp
</td>
<td class="cell_1">1,317,376 bytes</td>
<td class="cell_1">MD5: 0xA01F22C7D244F9F37FCDA36CBFD8EC1F<br/>SHA-1: 0x69E4939FA66C859F875C91E91C26873523E2C37E</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">3</td>
<td class="cell_1">
%Temp%\CFG3.tmp
<br/>
%Temp%\CFG6.tmp
</td>
<td class="cell_1">123 bytes</td>
<td class="cell_1">MD5: 0x17AF548F88A3199AA8A63A72201F470F<br/>SHA-1: 0x4E64BB20A2F54D778ED684AA21ABEBAD63A5C2C0</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">4</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\DirectShowLib-2005.dll
</td>
<td class="cell_1">282,624 bytes</td>
<td class="cell_1">MD5: 0x4386F1C7558AF3D3CC32B8A84B98BB90<br/>SHA-1: 0x805683789CE64F78604A6FE3DF9F9A5051DA92B7</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">5</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\ICSharpCode.SharpZipLib.dll
</td>
<td class="cell_1">192,512 bytes</td>
<td class="cell_1">MD5: 0x0B3B4E8D1DE31F844E466D61CF7937B5<br/>SHA-1: 0xD699E5B46A14EA4D7C052E4193F85F0A4F2B29EB</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">6</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\License.txt
</td>
<td class="cell_1">1,430 bytes</td>
<td class="cell_1">MD5: 0xD9652F16298681C975CF22F1B53C9E48<br/>SHA-1: 0x36350759F8B4B015BB4660BF756D42C2E2DB9091</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">7</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\NLog.config
</td>
<td class="cell_1">666 bytes</td>
<td class="cell_1">MD5: 0x207388A17FEBD3F4ADB70FAF90BFC345<br/>SHA-1: 0x26961D67D715A1A140666672AEA24129536E556B</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">8</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\<a href="http://www.threatexpert.com/files/NLog.dll.html" target="_blank">NLog.dll<img src="./resources/flag.gif" style="border:none"/></a>
</td>
<td class="cell_1">253,952 bytes</td>
<td class="cell_1">MD5: 0xF43F74C1B2A91FE9BD41CAC128E75023<br/>SHA-1: 0x9D70D8DE3695D7EBEDBCA34A8B2EFE4C3BEEDA78</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">9</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.Updates.Client.dll
</td>
<td class="cell_1">33,792 bytes</td>
<td class="cell_1">MD5: 0xAD70AA0AEC382C7DC35A5F7312809468<br/>SHA-1: 0x7E9381676F4099D977C7EC1FFEC8311FB3AF94FC</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">10</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.Updates.dll
</td>
<td class="cell_1">8,192 bytes</td>
<td class="cell_1">MD5: 0x4BFC7F5E3B70BD101A9C275E4E0566FC<br/>SHA-1: 0x6FAA7B050D52067660BFE9B104944E289BF187E9</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">11</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.VideoId.dll
</td>
<td class="cell_1">26,624 bytes</td>
<td class="cell_1">MD5: 0x0B11EF7AE2EBAC414A5D04B84F30704C<br/>SHA-1: 0xBF8F5D5CF368D3C2C0AD53DE7E02854729A6082C</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">12</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.VideoId.UI.Matching.exe
</td>
<td class="cell_1">367,616 bytes</td>
<td class="cell_1">MD5: 0x1B18B4138E3F0E31E0766F8EEBD25CB7<br/>SHA-1: 0xAA8D9D79EEB1E5A0A7A155A670906D8599EEBB5D</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">13</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.VideoId.UI.Matching.exe.config
</td>
<td class="cell_1">392 bytes</td>
<td class="cell_1">MD5: 0xA64D09537D30DC8904595D9BD1818B0C<br/>SHA-1: 0x59B7A90FCED1D10020C90085FA63C23A62ED710A</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">14</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\tvid.ico
<br/>
%Windir%\Installer\{D7C2199A-56E6-4895-BA24-5CB917462B06}\_853F67D554F05449430E7E.exe
<br/>
%Windir%\Installer\{D7C2199A-56E6-4895-BA24-5CB917462B06}\_E4C8397A9DB3A72CD1F92D.exe
</td>
<td class="cell_1">122,726 bytes</td>
<td class="cell_1">MD5: 0x0F7300EC1A57B37D8CBE8BAE976099E8<br/>SHA-1: 0x6F30D82828CF7CD26B50C41049614E4360D3DDF6</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">15</td>
<td class="cell_1">
%Windir%\Installer\33280.msi
</td>
<td class="cell_1">798,208 bytes</td>
<td class="cell_1">MD5: 0xDAAD72C3472BD3F2EBBC76F35E670F7F<br/>SHA-1: 0x39AB18B412ABDC10F7E9B3563F9532A55F4D5BA5</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">16</td>
<td class="cell_1">
[file and pathname of the sample #1]
</td>
<td class="cell_1">1,392,640 bytes</td>
<td class="cell_1">MD5: 0xD59997A47E10791BFE72C5072ECD4DAB<br/>SHA-1: 0xFDC2A713CBB805E41FC7DEC962492F475DEC0D20</td>
<td class="cell_2">BackDoor-DKI.gen.bu [McAfee]<br/><a href="http://www.threatexpert.com/threats/trojan-win32-refroso.html" target="_blank">Trojan.Win32.Refroso<img src="./resources/flag.gif" style="border:none"/></a> [Ikarus]</td>
</tr>
</table></p>
<ul><li>Notes:</li><ul>
<li>%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).</li>
<li>%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).</li>
<li>%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.</li>
<li>%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.</li>
</ul></ul>
<ul><li>The following directories were created:</li>
<ul>
<li>%AppData%\Teemoon Video Matching</li>
<li>%ProgramFiles%\Teemoon Video Matching</li>
<li>%Windir%\Installer\{D7C2199A-56E6-4895-BA24-5CB917462B06}</li>
</ul></ul>
<ul><li>Notes:</li><ul>
<li>%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.</li>
</ul></ul>
<p>&nbsp;</p><table cellpadding="0" cellspacing="0" style="width:100%"><tr><td><img style="border: none" src="./resources/mem_mod.gif"/></td><td width="100%" class="h3">Memory Modifications</td></tr></table>
<ul><li>The following system service was modified:</li></ul>
<p><table class="tbl" cellpadding="5" cellspacing="0">
<tr><td class="cell_1_h">Service Name</td><td class="cell_1_h">Display Name</td><td class="cell_1_h">New Status</td><td class="cell_2_h">Service Filename</td></tr>
<tr><td class="cell_1">MSIServer</td><td class="cell_1">Windows Installer</td><td class="cell_1">"Running"</td><td class="cell_2">%System%\msiexec.exe /V</td></tr>
</table></p>
<ul><li>Notes:</li><ul>
<li>%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).</li>
</ul></ul>
<p>&nbsp;</p><table cellpadding="0" cellspacing="0" style="width:100%"><tr><td><img style="border: none" src="./resources/reg_mod.gif"/></td><td width="100%" class="h3">Registry Modifications</td></tr></table>
<ul><li>The following Registry Keys were created:</li>
<ul>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A9912C7D6E655984AB42C59B7164B260</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Media</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Net</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C8F1BE87237B90D458FAD3EA365D1E46</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|DirectShowLib-2005.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|ICSharpCode.SharpZipLib.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|NLog.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.Updates.Client.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.Updates.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.VideoId.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.VideoId.UI.Matching.exe</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID\Teemoon VideoID File</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID\Teemoon VideoID File\ShellNew</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\DefaultIcon</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell\open</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell\open\command</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\C8F1BE87237B90D458FAD3EA365D1E46</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7C2199A-56E6-4895-BA24-5CB917462B06}</li>
<li>HKEY_CURRENT_USER\Software\Teemoon</li>
<li>HKEY_CURRENT_USER\Software\Teemoon\Teemoon Video Matching 1.0.5</li>
<li>HKEY_CURRENT_USER\Software\Teemoon\Teemoon Video Matching 1.0.5\{0BD7BBF1-20B9-AFCF-9CC9-28B80DE12DB1}</li>
</ul></ul>
<ul><li>The newly created Registry Values are:</li><ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A9912C7D6E655984AB42C59B7164B260]</li><ul>
<li>DefaultFeature = ""</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Net]</li><ul>
<li>1 = "%Temp%\"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Media]</li><ul>
<li>1 = ";"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList]</li><ul>
<li>PackageName = "19b9f.msi"</li>
<li>LastUsedSource = "n;1;%Temp%\"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260]</li><ul>
<li>ProductName = "Teemoon Video Matching 1.0.5"</li>
<li>PackageCode = "C524500A62B0D0C42BFE904E50632FEC"</li>
<li>Language = 0x00000409</li>
<..
IIS Version Disclosure

1 TOTAL | INFORMATION
Netsparker identified that the target web server discloses its product version in the Server response header. This helps an attacker understand the system in use and potentially develop attacks targeted at that specific web server version.

Impact

An attacker can look up vulnerabilities specific to the version identified through the Server header.

Remedy

Configure the web server so that the Server header of its HTTP responses no longer carries the product version. On IIS 6 this is done with the URLScan filter (RemoveServerHeader=1 in urlscan.ini); the X-Powered-By header is an IIS custom header that can be deleted in the site's HTTP Headers configuration.
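The three findings above (a 500 that renders the default ASP.NET "Runtime Error" page, the X-AspNet-Version header, and the IIS product version in the Server header) are all visible in raw response text, so they can be re-checked without the scanner. The script below is an added example and is not part of the Netsparker report or the XSS.CX page; the sample responses are constructed from the headers reproduced on this page, and the "hardened" responses are hypothetical, showing what the same endpoint would return once the remedies are applied.

```python
"""Offline checker for the disclosure findings in this report: an HTTP 500
rendering the default ASP.NET error page, the X-AspNet-Version header, and
the IIS version in the Server header.

Added example, not code from the Netsparker report. The SAMPLE_* responses
are constructed from the headers shown on this page; the HARDENED_* responses
are hypothetical post-remediation responses.
"""
import re
from typing import Dict, List, Tuple

# Text the default ASP.NET error page always carries (see the 500 response above).
ASPNET_DEFAULT_ERROR = re.compile(r"Server Error in '[^']*' Application", re.IGNORECASE)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body).

    Header names are lower-cased so lookups are case-insensitive; CRLF and LF
    line endings are both accepted.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_disclosure(raw: str) -> List[str]:
    """Return the disclosure findings for one response, in the report's wording."""
    status, headers, body = parse_response(raw)
    findings: List[str] = []

    server = headers.get("server", "")
    if re.search(r"Microsoft-IIS/\d", server):        # product plus version, e.g. Microsoft-IIS/6.0
        findings.append(f"IIS Version Disclosure: {server}")
    if "x-aspnet-version" in headers:                  # emitted unless enableVersionHeader="false"
        findings.append(f"ASP.NET Version Disclosure: {headers['x-aspnet-version']}")
    if "x-powered-by" in headers:                      # IIS custom header, framework fingerprint
        findings.append(f"X-Powered-By: {headers['x-powered-by']}")

    if status == 500:
        if ASPNET_DEFAULT_ERROR.search(body):
            # customErrors is not redirecting: the framework's own page reached the client
            findings.append("Internal Server Error: default ASP.NET error page")
        else:
            # still an unhandled exception worth investigating, but nothing extra leaked
            findings.append("Internal Server Error")
    return findings


# Constructed from the 500 response in the report (body trimmed to the telltale line).
SAMPLE_500 = """HTTP/1.1 500 Internal Server Error
Date: Sat, 23 Apr 2011 04:15:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8

<html><head><title>Runtime Error</title></head>
<body><h1>Server Error in '/' Application.</h1></body></html>
"""

# Constructed from the 200 response in the report.
SAMPLE_200 = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8

<html><body>ThreatExpert Report</body></html>
"""

# Hypothetical response after the remedies: version header off, Server and
# X-Powered-By stripped, generic custom error page. The 500 itself remains.
HARDENED_500 = """HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8

<html><body>An error occurred. Reference id: 0000</body></html>
"""

HARDENED_200 = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

<html><body>ThreatExpert Report</body></html>
"""


def main() -> None:
    for name, raw in [("report 500", SAMPLE_500), ("report 200", SAMPLE_200),
                      ("hardened 500", HARDENED_500), ("hardened 200", HARDENED_200)]:
        print(name, "->", check_disclosure(raw) or ["clean"])


if __name__ == "__main__":
    main()
```

The functions take any raw response text, so the output of `curl -si` against a live endpoint can be fed to `check_disclosure` directly. Note the distinction the hardened 500 makes: a custom error page removes the information leak, but the status code still records an unhandled exception on attacker-controlled input, which is the part of the first finding that the web.config change alone does not fix.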
- /report.aspx

/report.aspx

http://threatexpert.com/report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab

Extracted Version

Microsoft-IIS/6.0

Request

GET /report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: threatexpert.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:15:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=44shuj55fvxqfobwpd1zxbu0; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 20501


[Response body identical to the 200 OK response reproduced under ASP.NET Version Disclosure above; omitted here.]
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID\Teemoon VideoID File</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID\Teemoon VideoID File\ShellNew</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\DefaultIcon</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell\open</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell\open\command</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\C8F1BE87237B90D458FAD3EA365D1E46</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7C2199A-56E6-4895-BA24-5CB917462B06}</li>
<li>HKEY_CURRENT_USER\Software\Teemoon</li>
<li>HKEY_CURRENT_USER\Software\Teemoon\Teemoon Video Matching 1.0.5</li>
<li>HKEY_CURRENT_USER\Software\Teemoon\Teemoon Video Matching 1.0.5\{0BD7BBF1-20B9-AFCF-9CC9-28B80DE12DB1}</li>
</ul></ul>
<ul><li>The newly created Registry Values are:</li><ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A9912C7D6E655984AB42C59B7164B260]</li><ul>
<li>DefaultFeature = ""</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Net]</li><ul>
<li>1 = "%Temp%\"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Media]</li><ul>
<li>1 = ";"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList]</li><ul>
<li>PackageName = "19b9f.msi"</li>
<li>LastUsedSource = "n;1;%Temp%\"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260]</li><ul>
<li>ProductName = "Teemoon Video Matching 1.0.5"</li>
<li>PackageCode = "C524500A62B0D0C42BFE904E50632FEC"</li>
<li>Language = 0x00000409</li>
<..
ASP.NET Debugging Enabled

1 TOTAL
INFORMATION
Netsparker identified that ASP.NET Debugging is enabled.

Impact

This indicates that the debugging flag was left enabled in the production system. There is no direct impact of this issue and it is presented here only for information.

Remedy

Apply the following changes on your web.config file to disable ASP.NET debugging.
<system.web>
    <compilation debug="false" />
</system.web>

External References

- /report.aspx

/report.aspx

http://threatexpert.com/report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab

Request

DEBUG /report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: threatexpert.com
Cookie: ASP.NET_SessionId=e5iz3355pemzq555sdskjg55
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Sat, 23 Apr 2011 04:15:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27


DEBUG request is not valid.
[Possible] Internal Path Leakage (Windows)

1 TOTAL
INFORMATION
Netsparker identified an internal path in the document.

Impact

There is no direct impact; however, this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.

Remedy

First ensure that this is not a false positive: due to the nature of the issue, Netsparker could not confirm that this file path is actually the real file path on the target web server.

External References

- /report.aspx

/report.aspx

http://threatexpert.com/report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab

Identified Internal Path(s)

Request

GET /report.aspx?md5=d59997a47e10791bfe72c5072ecd4dab HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: threatexpert.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:15:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=44shuj55fvxqfobwpd1zxbu0; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 20501


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="ThreatExpert Report: BackDoor-DKI.gen.bu, Trojan.Win32.Refroso">
<style type="text/css">body a {color: #505050; text-decoration: none} body a:hover {color: #c00000; text-decoration: underline}</style>
<link href="./css/report.css" rel="stylesheet" type="text/css"/>
<title>ThreatExpert Report: BackDoor-DKI.gen.bu, Trojan.Win32.Refroso</title>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-1490218-5";_udn="threatexpert.com";urchinTracker();</script>
</head><body>
<table align="right"><tr class="top_link"><td><a href="http://www.threatexpert.com">Visit ThreatExpert web site</a></td>
<td style="color: #707070">|</td><td><a href="javascript:window.close();">Close Report</a></td></tr></table>
<a href="http://www.threatexpert.com"><img src="./resources/logo.gif" style="border: none"/></a>
<h2>Submission Summary:</h2>
<ul><li>Submission details:</li><ul>
<li>Submission received: 22 April 2011, 22:54:28</li>
<li>Processing time: 8 min 39 sec</li>
<li>Submitted sample:</li>
<ul>
<li>File MD5: 0xD59997A47E10791BFE72C5072ECD4DAB</li>
<li>File SHA-1: 0xFDC2A713CBB805E41FC7DEC962492F475DEC0D20</li>
<li>Filesize: 1,392,640 bytes</li>
<li>Alias:</li>
<ul><li>BackDoor-DKI.gen.bu [McAfee]</li>
<li><a href="http://www.threatexpert.com/threats/trojan-win32-refroso.html" target="_blank">Trojan.Win32.Refroso<img src="./resources/flag.gif" style="border:none"/></a> [Ikarus]</li>
</ul>
</ul>
</ul></ul>
<p>&nbsp;</p><h2>Technical Details:</h2>
<p>&nbsp;</p><table cellpadding="0" cellspacing="0" style="width:100%"><tr><td><img style="border: none" src="./resources/file_mod.gif"/></td><td width="100%" class="h3">File System Modifications</td></tr></table>
<ul><li>The following files were created in the system:</li></ul>
<p><table class="tbl" cellpadding="5" cellspacing="0">
<tr><td class="cell_1_h">#</td><td class="cell_1_h">Filename(s)</td><td class="cell_1_h">File Size</td><td class="cell_1_h">File Hash</td><td class="cell_2_h">Alias</td></tr>
<tr><td class="cell_1">1</td>
<td class="cell_1">
%CommonPrograms%\Teemoon Video Matching.lnk
</td>
<td class="cell_1">1,914 bytes</td>
<td class="cell_1">MD5: 0x56D6C61DEAAB26C4A020903FE1E52DB8<br/>SHA-1: 0x7D5C467DAFBC2618337846F62159192272C00979</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">2</td>
<td class="cell_1">
%Temp%\19b9f.msi
<br/>
%Temp%\MSI1.tmp
</td>
<td class="cell_1">1,317,376 bytes</td>
<td class="cell_1">MD5: 0xA01F22C7D244F9F37FCDA36CBFD8EC1F<br/>SHA-1: 0x69E4939FA66C859F875C91E91C26873523E2C37E</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">3</td>
<td class="cell_1">
%Temp%\CFG3.tmp
<br/>
%Temp%\CFG6.tmp
</td>
<td class="cell_1">123 bytes</td>
<td class="cell_1">MD5: 0x17AF548F88A3199AA8A63A72201F470F<br/>SHA-1: 0x4E64BB20A2F54D778ED684AA21ABEBAD63A5C2C0</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">4</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\DirectShowLib-2005.dll
</td>
<td class="cell_1">282,624 bytes</td>
<td class="cell_1">MD5: 0x4386F1C7558AF3D3CC32B8A84B98BB90<br/>SHA-1: 0x805683789CE64F78604A6FE3DF9F9A5051DA92B7</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">5</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\ICSharpCode.SharpZipLib.dll
</td>
<td class="cell_1">192,512 bytes</td>
<td class="cell_1">MD5: 0x0B3B4E8D1DE31F844E466D61CF7937B5<br/>SHA-1: 0xD699E5B46A14EA4D7C052E4193F85F0A4F2B29EB</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">6</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\License.txt
</td>
<td class="cell_1">1,430 bytes</td>
<td class="cell_1">MD5: 0xD9652F16298681C975CF22F1B53C9E48<br/>SHA-1: 0x36350759F8B4B015BB4660BF756D42C2E2DB9091</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">7</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\NLog.config
</td>
<td class="cell_1">666 bytes</td>
<td class="cell_1">MD5: 0x207388A17FEBD3F4ADB70FAF90BFC345<br/>SHA-1: 0x26961D67D715A1A140666672AEA24129536E556B</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">8</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\<a href="http://www.threatexpert.com/files/NLog.dll.html" target="_blank">NLog.dll<img src="./resources/flag.gif" style="border:none"/></a>
</td>
<td class="cell_1">253,952 bytes</td>
<td class="cell_1">MD5: 0xF43F74C1B2A91FE9BD41CAC128E75023<br/>SHA-1: 0x9D70D8DE3695D7EBEDBCA34A8B2EFE4C3BEEDA78</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">9</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.Updates.Client.dll
</td>
<td class="cell_1">33,792 bytes</td>
<td class="cell_1">MD5: 0xAD70AA0AEC382C7DC35A5F7312809468<br/>SHA-1: 0x7E9381676F4099D977C7EC1FFEC8311FB3AF94FC</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">10</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.Updates.dll
</td>
<td class="cell_1">8,192 bytes</td>
<td class="cell_1">MD5: 0x4BFC7F5E3B70BD101A9C275E4E0566FC<br/>SHA-1: 0x6FAA7B050D52067660BFE9B104944E289BF187E9</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">11</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.VideoId.dll
</td>
<td class="cell_1">26,624 bytes</td>
<td class="cell_1">MD5: 0x0B11EF7AE2EBAC414A5D04B84F30704C<br/>SHA-1: 0xBF8F5D5CF368D3C2C0AD53DE7E02854729A6082C</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">12</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.VideoId.UI.Matching.exe
</td>
<td class="cell_1">367,616 bytes</td>
<td class="cell_1">MD5: 0x1B18B4138E3F0E31E0766F8EEBD25CB7<br/>SHA-1: 0xAA8D9D79EEB1E5A0A7A155A670906D8599EEBB5D</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">13</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\Teemoon.VideoId.UI.Matching.exe.config
</td>
<td class="cell_1">392 bytes</td>
<td class="cell_1">MD5: 0xA64D09537D30DC8904595D9BD1818B0C<br/>SHA-1: 0x59B7A90FCED1D10020C90085FA63C23A62ED710A</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">14</td>
<td class="cell_1">
%ProgramFiles%\Teemoon Video Matching\tvid.ico
<br/>
%Windir%\Installer\{D7C2199A-56E6-4895-BA24-5CB917462B06}\_853F67D554F05449430E7E.exe
<br/>
%Windir%\Installer\{D7C2199A-56E6-4895-BA24-5CB917462B06}\_E4C8397A9DB3A72CD1F92D.exe
</td>
<td class="cell_1">122,726 bytes</td>
<td class="cell_1">MD5: 0x0F7300EC1A57B37D8CBE8BAE976099E8<br/>SHA-1: 0x6F30D82828CF7CD26B50C41049614E4360D3DDF6</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">15</td>
<td class="cell_1">
%Windir%\Installer\33280.msi
</td>
<td class="cell_1">798,208 bytes</td>
<td class="cell_1">MD5: 0xDAAD72C3472BD3F2EBBC76F35E670F7F<br/>SHA-1: 0x39AB18B412ABDC10F7E9B3563F9532A55F4D5BA5</td>
<td class="cell_2">(not available)</td>
</tr>
<tr><td class="cell_1">16</td>
<td class="cell_1">
[file and pathname of the sample #1]
</td>
<td class="cell_1">1,392,640 bytes</td>
<td class="cell_1">MD5: 0xD59997A47E10791BFE72C5072ECD4DAB<br/>SHA-1: 0xFDC2A713CBB805E41FC7DEC962492F475DEC0D20</td>
<td class="cell_2">BackDoor-DKI.gen.bu [McAfee]<br/><a href="http://www.threatexpert.com/threats/trojan-win32-refroso.html" target="_blank">Trojan.Win32.Refroso<img src="./resources/flag.gif" style="border:none"/></a> [Ikarus]</td>
</tr>
</table></p>
<ul><li>Notes:</li><ul>
<li>%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).</li>
<li>%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).</li>
<li>%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.</li>
<li>%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.</li>
</ul></ul>
<ul><li>The following directories were created:</li>
<ul>
<li>%AppData%\Teemoon Video Matching</li>
<li>%ProgramFiles%\Teemoon Video Matching</li>
<li>%Windir%\Installer\{D7C2199A-56E6-4895-BA24-5CB917462B06}</li>
</ul></ul>
<ul><li>Notes:</li><ul>
<li>%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.</li>
</ul></ul>
<p>&nbsp;</p><table cellpadding="0" cellspacing="0" style="width:100%"><tr><td><img style="border: none" src="./resources/mem_mod.gif"/></td><td width="100%" class="h3">Memory Modifications</td></tr></table>
<ul><li>The following system service was modified:</li></ul>
<p><table class="tbl" cellpadding="5" cellspacing="0">
<tr><td class="cell_1_h">Service Name</td><td class="cell_1_h">Display Name</td><td class="cell_1_h">New Status</td><td class="cell_2_h">Service Filename</td></tr>
<tr><td class="cell_1">MSIServer</td><td class="cell_1">Windows Installer</td><td class="cell_1">"Running"</td><td class="cell_2">%System%\msiexec.exe /V</td></tr>
</table></p>
<ul><li>Notes:</li><ul>
<li>%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).</li>
</ul></ul>
<p>&nbsp;</p><table cellpadding="0" cellspacing="0" style="width:100%"><tr><td><img style="border: none" src="./resources/reg_mod.gif"/></td><td width="100%" class="h3">Registry Modifications</td></tr></table>
<ul><li>The following Registry Keys were created:</li>
<ul>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A9912C7D6E655984AB42C59B7164B260</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Media</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Net</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C8F1BE87237B90D458FAD3EA365D1E46</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|DirectShowLib-2005.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|ICSharpCode.SharpZipLib.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|NLog.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.Updates.Client.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.Updates.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.VideoId.dll</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files|Teemoon Video Matching|Teemoon.VideoId.UI.Matching.exe</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID\Teemoon VideoID File</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vID\Teemoon VideoID File\ShellNew</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\DefaultIcon</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell\open</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Teemoon VideoID File\shell\open\command</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\C8F1BE87237B90D458FAD3EA365D1E46</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7C2199A-56E6-4895-BA24-5CB917462B06}</li>
<li>HKEY_CURRENT_USER\Software\Teemoon</li>
<li>HKEY_CURRENT_USER\Software\Teemoon\Teemoon Video Matching 1.0.5</li>
<li>HKEY_CURRENT_USER\Software\Teemoon\Teemoon Video Matching 1.0.5\{0BD7BBF1-20B9-AFCF-9CC9-28B80DE12DB1}</li>
</ul></ul>
<ul><li>The newly created Registry Values are:</li><ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A9912C7D6E655984AB42C59B7164B260]</li><ul>
<li>DefaultFeature = ""</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Net]</li><ul>
<li>1 = "%Temp%\"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList\Media]</li><ul>
<li>1 = ";"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260\SourceList]</li><ul>
<li>PackageName = "19b9f.msi"</li>
<li>LastUsedSource = "n;1;%Temp%\"</li>
</ul>
<li>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A9912C7D6E655984AB42C59B7164B260]</li><ul>
<li>ProductName = "Teemoon Video Matching 1.0.5"</li>
<li>PackageCode = "C524500A62B0D0C42BFE904E50632FEC"</li>
<li>Language = 0x00000409</li>
<..