[INFO]
AnalystName=RAJA BABU .A
AnalystEMailID=rajababua@comodo.com
Team=India
Date=02-MAR-2010
Type=TrojWare
Platform=Win32
SubType=
Family=Sasfis
Variant=

[OVERVIEW]
This Trojan program injects its code into other applications. It may also download malicious programs from a remote machine, and it may act as a keylogger.

[TECHNICAL_DESCRIPTION]
This is a harmful program. It creates a startup registry entry (a Windows service) and injects its code into iexplorer.exe. Through iexplorer.exe it establishes a connection to a remote machine and may download other malicious files onto the targeted machine. It may also have keylogger capabilities, enabling it to capture users' sensitive data.

Keys added:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan

Values added:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\ErrorControl: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\ImagePath: "%WINDOWS%\Microsoft Windows Regscan"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\DisplayName: "Microsoft Windows Regscan"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Microsoft Windows Regscan\Description: "Microsoft Windows Regscan"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\ErrorControl: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\ImagePath: "%WINDOWS%\Microsoft Windows Regscan"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\DisplayName: "Microsoft Windows Regscan"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan\Description: "Microsoft Windows Regscan"

Files added:
%WINDOWS%\Microsoft Windows Regscan

Files deleted:
The original malware file deletes itself after execution (self-delete).
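The Security\Security value listed under "Values added" is a self-relative SECURITY_DESCRIPTOR stored as a binary blob. Decoding it tells a responder who is allowed to stop, reconfigure or delete the service, which is what the [DISINFECTION] step depends on. The following Python script is an added example, not part of the original report and not a Comodo tool: it decodes the hex dump copied from the report using the SECURITY_DESCRIPTOR, ACL, ACE and SID layouts from the Win32 SDK headers; the SID-to-account table and the service access-right names are the standard well-known values from winnt.h and winsvc.h.

```python
"""Decode the self-relative SECURITY_DESCRIPTOR stored in a service's
Security\\Security registry value (structure layouts from the Win32 SDK)."""
import struct

# Hex dump copied verbatim from the report's Security\Security value.
SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 "
    "02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 "
    "00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 "
    "00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "
    "00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 "
    "00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
)

# Well-known SIDs (winnt.h) that appear in default service descriptors.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}

# Service-specific rights (winsvc.h) plus the standard rights they combine with.
SERVICE_RIGHTS = {
    0x0001: "QUERY_CONFIG", 0x0002: "CHANGE_CONFIG", 0x0004: "QUERY_STATUS",
    0x0008: "ENUMERATE_DEPENDENTS", 0x0010: "START", 0x0020: "STOP",
    0x0040: "PAUSE_CONTINUE", 0x0080: "INTERROGATE", 0x0100: "USER_DEFINED_CONTROL",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
SERVICE_STOP = 0x0020
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000


def parse_sid(buf, off):
    """Return (sid_string, byte_length) for the SID that starts at buf[off]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Return the ACEs of the ACL at buf[off] as dicts (type, flags, mask, sid, account)."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)), "flags": flags,
                     "mask": mask, "sid": sid, "account": WELL_KNOWN_SIDS.get(sid, "?")})
        pos += ace_size  # ace_size covers header, mask and SID
    return aces


def parse_security_descriptor(hex_dump):
    """Decode a self-relative descriptor into owner, group, SACL and DACL."""
    buf = bytes.fromhex(hex_dump)
    _rev, _sbz1, control, owner_off, group_off, sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("registry-stored descriptors must be self-relative")
    return {
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else [],
        "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else [],
    }


def rights(mask):
    """Names of the service rights set in an access mask."""
    return [name for bit, name in sorted(SERVICE_RIGHTS.items()) if mask & bit]


def can_stop(sd, sid):
    """True if an ACCESS_ALLOWED ACE in the DACL grants SERVICE_STOP to sid."""
    return any(ace["type"] == "ACCESS_ALLOWED" and ace["sid"] == sid and ace["mask"] & SERVICE_STOP
               for ace in sd["dacl"])


if __name__ == "__main__":
    sd = parse_security_descriptor(SECURITY_HEX)
    print("owner:", sd["owner"], " group:", sd["group"])
    for ace in sd["dacl"]:
        print("DACL %-14s %-20s 0x%08X %s" % (ace["type"], ace["account"], ace["mask"],
                                             ", ".join(rights(ace["mask"]))))
    for ace in sd["sacl"]:
        print("SACL %-14s %-20s 0x%08X flags=0x%02X" % (ace["type"], ace["account"],
                                                       ace["mask"], ace["flags"]))
```

Decoding the report's blob gives owner and group S-1-5-18, a DACL that grants Administrators full control (0x000F01FF), Local System and Power Users 0x000201FD (start, stop and query but not CHANGE_CONFIG), and Authenticated Users only query rights (0x0002018D), plus a SACL entry that audits failed access by Everyone. In other words the service carries the ordinary permissions the service control manager assigns, so an administrative session is enough to stop and delete it; there is no hardened DACL to work around.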
Remote connection details:
Remote Name : .3322.org
Remote Address : 59.50.147.210
Remote Port : 11020

Mutex Object Created:
HgzVipCom@%^#$

[SYMPTOMS]
The following service name may indicate the presence of this malware:
Microsoft Windows Regscan

[DISINFECTION]
Stop the service "Microsoft Windows Regscan".
Kill the iexplorer.exe process using Task Manager.
Delete the following file: %WINDOWS%\Microsoft Windows Regscan.
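Before applying the disinfection steps, a responder usually wants to confirm the indicators against a registry export of the Services key rather than by eye, and to catch the same service if it is registered under a different name. The following Python script is an added example, not part of the report and not a Comodo tool: it parses a `reg export` of HKLM\SYSTEM\CurrentControlSet\Services (here a constructed sample containing one benign service and the service described in the report) and flags the report's service name and ImagePath together with the generic traits the entry shows: an ImagePath with no executable extension, the SERVICE_INTERACTIVE_PROCESS bit (0x100) in Type, and a DisplayName and Description that merely repeat the key name. The export syntax and the Type/Start constants are the standard ones; the scoring rules are this example's own, not the report's.

```python
"""Triage a `reg export` of HKLM\\SYSTEM\\CurrentControlSet\\Services for the
service in the report and for the generic traits that entry exhibits."""
import re

# Indicators taken from the report ([SYMPTOMS] and "Files added").
IOC_SERVICE_NAME = "Microsoft Windows Regscan"
IOC_IMAGE_PATH = r"%WINDOWS%\Microsoft Windows Regscan"

SERVICE_INTERACTIVE_PROCESS = 0x100   # winnt.h
SERVICE_AUTO_START = 2                # winnt.h


def _hex2(s):
    """Render a string the way reg.exe exports a REG_EXPAND_SZ value."""
    data = (s + "\x00").encode("utf-16-le")
    return "hex(2):" + ",".join("%02x" % b for b in data)


# Constructed sample export (not captured from a real host): one benign
# service and the service from the report, in reg.exe export syntax.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]",
    '"Type"=dword:00000020',
    '"Start"=dword:00000002',
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    r'"ObjectName"="NT Authority\\LocalService"',
    '"DisplayName"="DHCP Client"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Regscan]",
    '"Type"=dword:00000110',
    '"Start"=dword:00000002',
    '"ErrorControl"=dword:00000000',
    '"ImagePath"=' + _hex2(IOC_IMAGE_PATH),
    '"ObjectName"="LocalSystem"',
    '"DisplayName"="Microsoft Windows Regscan"',
    '"Description"="Microsoft Windows Regscan"',
    "",
])


def decode_value(raw):
    """Decode the dword, hex(2) (REG_EXPAND_SZ) and quoted-string forms reg.exe writes."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} from reg export text."""
    keys, current = {}, None
    logical = re.sub(r"\\\r?\n\s*", "", text)  # rejoin lines reg.exe wrapped with '\'
    for line in logical.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            current[name] = decode_value(raw)
    return keys


def triage_service(key_path, values):
    """Return the reasons a service entry is suspicious (empty list = nothing found)."""
    name = key_path.rsplit("\\", 1)[-1]
    image = values.get("ImagePath", "")
    reasons = []
    if name == IOC_SERVICE_NAME or image.lower() == IOC_IMAGE_PATH.lower():
        reasons.append("matches the report's service name or ImagePath")
    if not re.search(r"\.(exe|sys|dll)\b", image, re.I):
        reasons.append("ImagePath has no executable extension: %r" % image)
    if values.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("Type sets SERVICE_INTERACTIVE_PROCESS (0x100)")
    if values.get("DisplayName") == values.get("Description") == name:
        reasons.append("DisplayName and Description only repeat the key name")
    if reasons and values.get("Start") == SERVICE_AUTO_START:
        reasons.append("auto-starts (Start=2) as %s" % values.get("ObjectName"))
    return reasons


def hunt(export_text):
    """Map each flagged service name to its findings; clean services are omitted."""
    findings = {}
    for key_path, values in parse_reg_export(export_text).items():
        reasons = triage_service(key_path, values)
        if reasons:
            findings[key_path.rsplit("\\", 1)[-1]] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in hunt(SAMPLE_EXPORT).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

On the sample the DHCP Client entry produces no findings, while the report's service is flagged on all five rules. On a real host the export is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and the file is UTF-16; open it with that encoding before passing the text to `hunt`. The extension and interactive-bit rules are heuristics and will also flag some legitimate legacy drivers, so treat a single hit as a lead to verify, not a verdict.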