[INFO]
AnalystName=Chandra mohan. G
AnalystEMailID=gmohan@comodo.com
Team=India
Date=09-MAR-2010
Type=TrojWare
Platform=Win32
SubType=
Family=Scar
Variant=A

[OVERVIEW]
This trojan behaves as a network bot and generates unwanted traffic to a specific malware domain.

[TECHNICAL_DESCRIPTION]
Registry Values Added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "debugger" = C:\Config.Msi\5ce97.rbf.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa "forceguest" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "999" = REG_DWORD, value: 00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "01" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "02" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "03" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "04" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "05" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "06" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Intel "07" = REG_DWORD, value: 00000000

Registry Values Modified:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = REG_DWORD, value: 00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = REG_DWORD, value: 00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = REG_DWORD, value: 00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "SuperHidden" = REG_DWORD, value: 00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer "Start" = REG_DWORD, value: 00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation "Start" = REG_DWORD, value: 00000002

Files Added:
%windir%\system32\Drivers\PCIDump.sys
%systemdrive%\Config.Msi\5ce97.rbf.exe
%systemdrive%\Config.Msi\ssss.wav
%systemdrive%\WINDOWS\security\database\db32.idx
%systemdrive%\Config.Msi\yyyy.bmp

Directory Added:
%SYSTEMDRIVE%\Config.Msi

Connections made to the following hosts:
dell-d3e62f7e26 10.1.9.2
theworldnews.byethost5.com 209.190.24.3
www.microsoft.com 65.55.12.249

Activates the "Guest" account of the system:
%windir%\system32\cmd.exe /c net user guest /active

[SYMPTOMS]
Guest account enabled (added if not already present)
Network traffic to 209.190.24.3
Existence of a Config.Msi folder on the system drive (%SYSTEMDRIVE%)

[DISINFECTION]
Remove the Config.Msi folder in %SYSTEMDRIVE%
Delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "debugger" = C:\Config.Msi\5ce97.rbf.exe
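The symptom checks and disinfection steps above, as an added PowerShell script (an example written for this page, not part of the Comodo report): it looks for the listed indicators on a host and, when run with -Remove, applies the two disinfection steps under -WhatIf/-Confirm control. It assumes PowerShell 5.1 or later for Get-LocalUser; every path and registry value comes from the report.

```powershell
# Added example, not from the Comodo report: scan for the Scar.A indicators
# listed above and optionally apply the report's disinfection steps.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$runOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$dropDir  = Join-Path $env:SystemDrive 'Config.Msi'
$dropped  = @('5ce97.rbf.exe', 'ssss.wav', 'yyyy.bmp') | ForEach-Object { Join-Path $dropDir $_ }
$driver   = Join-Path $env:windir 'system32\Drivers\PCIDump.sys'
$dbIdx    = Join-Path $env:SystemDrive 'WINDOWS\security\database\db32.idx'
$findings = @()

# 1. RunOnce "debugger" value pointing at the dropped executable
$val = (Get-ItemProperty -Path $runOnce -Name 'debugger' -ErrorAction SilentlyContinue).debugger
if ($val -and $val -like '*Config.Msi\5ce97.rbf.exe*') { $findings += "RunOnce debugger = $val" }

# 2. Dropped files (checked individually: Config.Msi alone is also a normal
#    Windows Installer rollback directory, so the directory is not enough)
foreach ($p in ($dropped + $driver + $dbIdx)) {
    if (Test-Path -LiteralPath $p) { $findings += "Present: $p" }
}

# 3. Guest account enabled (the report runs "net user guest /active")
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue   # assumes PS 5.1+
if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }

# 4. Marker values under HKLM\SOFTWARE\Intel ("999" = 1, "01".."07" = 0)
$intel = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Intel' -ErrorAction SilentlyContinue
if ($intel -and $intel.PSObject.Properties['999']) { $findings += 'HKLM\SOFTWARE\Intel "999" marker present' }

if (-not $findings) { Write-Output 'No Scar.A indicators found'; return }
$findings | ForEach-Object { Write-Output "[!] $_" }

# Disinfection as given in the report: remove Config.Msi, delete the RunOnce value.
if ($Remove) {
    if ((Test-Path -LiteralPath $dropDir) -and $PSCmdlet.ShouldProcess($dropDir, 'Remove directory')) {
        Remove-Item -LiteralPath $dropDir -Recurse -Force
    }
    if ($val -and $PSCmdlet.ShouldProcess("$runOnce\debugger", 'Remove value')) {
        Remove-ItemProperty -Path $runOnce -Name 'debugger'
    }
}
```

Run it first without -Remove (or with -Remove -WhatIf) to review the findings; the Explorer "Hidden"/"HideFileExt" changes listed under Registry Values Modified are user preferences and are left for manual review.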