Trojan.MSIL.Disfa.kwqw (Kaspersky), Zum.Rastarby.3 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 439e8970a49597f1297a16c2a8d8254f
SHA1: 900ccf130e6691dfe581da877a586917a269d07a
SHA256: 0d92d5db4950c977a97b5cfcdece0bc0073c549d236a9219fc8f6b7b34c16ac4
SSDeep: 6144:rc0h522p3l04ZMSmIp3Uy28uhy45Il3u1dAgC1VqV0ulKSoZVFqfJ3XmSdPVlfj:bhxp3lZnT9bDkCl3IdX30HcWSFVlL
Size: 434695 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-14 22:15:49
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Zum's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Zum creates the following process(es):
%original file name%.exe:2928
sever.exe:2980
porn.exe:1796
The Zum injects its code into the following process(es):
trojaner.exe:2528
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2928 makes changes in the file system.
The Zum creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\porn.exe (3409 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\porn.bat (27 bytes)
The Zum deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\porn.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\porn.bat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_424572 (0 bytes)
The process sever.exe:2980 makes changes in the file system.
The Zum creates and/or writes to the following file(s):
C:\Windows\trojaner\trojaner.exe (96 bytes)
The Zum deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF992C79608D27EEF3.TMP (0 bytes)
The process porn.exe:1796 makes changes in the file system.
The Zum creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX1\sever.Exe (96 bytes)
The Zum deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX1\__tmp_rar_sfx_access_check_424915 (0 bytes)
Registry activity
The process %original file name%.exe:2928 makes changes in the system registry.
The Zum creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\WinRAR SFX]
"C%%Program Files%%temp&" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Zum deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process trojaner.exe:2528 makes changes in the system registry.
The Zum creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Zum adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"trojaner" = "C:\Windows\trojaner\trojaner.exe"
The process porn.exe:1796 makes changes in the system registry.
The Zum creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Zum deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
5bebf9911e659ff0e5fb49086615de79 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX1\sever.Exe |
5bebf9911e659ff0e5fb49086615de79 | c:\Windows\trojaner\trojaner.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Zum's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2928
sever.exe:2980
porn.exe:1796
- Delete the original Zum file.
- Delete or disinfect the following files created/modified by the Zum:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\porn.exe (3409 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\porn.bat (27 bytes)
C:\Windows\trojaner\trojaner.exe (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX1\sever.Exe (96 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"trojaner" = "C:\Windows\trojaner\trojaner.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 188392 | 188416 | 4.65119 | 2ae181684b1677561119f5765623448e |
.rdata | 192512 | 39376 | 39424 | 3.57169 | 0e0f6a60d8fa917a060c8ef7becc0888 |
.data | 233472 | 129208 | 3072 | 2.28424 | 4e4aa728d9cced1622c2be27733e3fc5 |
.gfids | 364544 | 240 | 512 | 1.47202 | c923099e27bf0e45a5c402d935d0620b |
.rsrc | 368640 | 19363 | 19456 | 3.22423 | 8a59705cbff75c61fb5c54602ab7afee |
.reloc | 389120 | 8076 | 8192 | 4.59547 | d13d3f8a8adfe6861c49a01d81cf73ed |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 7
Network Activity
URLs
URL | IP |
---|---|
xfunx.ddns.net | 77.20.141.107 |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Zum connects to the servers at the following location(s):