not-a-virus:AdWare.Win32.Inffinity.yas (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bde22ac03a3f59684b84f95b09c929fd
SHA1: d7117729bc5918d673c1f52094ac7f5c8ac4138a
SHA256: 2d527c905318f87fd82890eb9e8ebfd7e2da13f89113e1018e50b82c76ecafc6
SSDeep: 6144:He34R2lhmWzh36dqXEV2rnCeZG/t7FTBqTzP7n7O7L6K2Bfo7pu:T2bbzh36VV2Go0ZTsnz7O7L6ju7pu
Size: 566824 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1784
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\modern-wizard.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\captura.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\ioSpecial.ini (7139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll (13 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7944.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\show_page_toolbar (0 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 71c46b663baa92ad941388d082af97e7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll |
| 325b008aec81e5aaa57096f05d4212b5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll |
| 9384f4007c492d4fa040924f31c00166 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll |
| a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll |
| 09caf01bc8d88eeb733abc161acff659 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1784
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\modern-wizard.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\captura.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\ioSpecial.ini (7139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll (13 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 110592 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 303104 | 16544 | 16896 | 4.13341 | e957b93201e1ddf40aa35ce0a75289ff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5612
0a1caace976174f8bffc383c4c3c0fa8
6c0dd3fd53001055d10e6c3b58b132fc
34fc7a7d6c5c000de38f15416e248650
1fe5758661d47a7463311a23be5afc6d
47a989cbf81ee8781ab8e4fcea78e0a6
80fc6018bfb9bfa9c6106a2f6671af3c
53fb1689dda0202c988a9647598a7076
82ab071eb5dae7c473a6a532df07ee4f
d608c8b5046a858542a4be4bc1518cd6
274f9329d87252ba0759faae6d54efab
a2c42bcfa6b9b4ae21d5d30a3fc4449c
9cd7fed5983dc222494dee5067d07d44
e46a6f026f343b82ef1b89c8547087df
a73568d4b4cf791553d20452cb3f2059
562afd7351e91104bccde6123ac2ed62
f2f2f48ed0f0bb349c59226586843b18
d7ef7dba9427c6ac00635ef58b3af430
c97e53869fb36099d60bbfd5a4e3618d
bcc26e9c2ef7871d62fefcca0adeb2de
06af7d27eea09bbf0c878a5c8f90bf85
9dc462916a0e3561935005d57bb68b17
edd3ca449e3aeb7304af05a848d953e1
6d029e8f6961ffb648035057d7d9e826
edaf5fce3680f79f13548f2fc46d5b48
921efa2fcc2ae90b9125b617e545bb96
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://phpnuke.org/installers/nsis/pantallatoolbar_babylon_coupish_en.ini | |
| hxxp://download.phpnuke.org/installers/nsis/pantallatoolbar_babylon_coupish_en.ini | 91.134.159.129 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):