Skip to main content

Win32.Virtob.Gen.12_bfbe90b5af


HEUR:Trojan.Win32.Generic (Kaspersky), Win32.Virtob.Gen.12 (AdAware), VirusVirut.YR (Lavasoft MAS) Behaviour: Trojan, Virus

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bfbe90b5af26cb1d2920ae9035f52f78 SHA1: 08863ed2cbb6bbc4e31a0fa2e78df4cd10482430 SHA256: ae60f26d097c2885a6c881ee5d8c2cc3013d659d933f2490e01378001af966e9 SSDeep: 1536:3Y8lYfSccCgwWYaziLoF2N2CFLcVyg6hvQNWq0RuaUkbvWYfsBU5V:3CSccsWlXCFLcVygYvajjkLWEsBU5V Size: 136087 bytes File type: EXE Platform: WIN32 Entropy: Not Packed PEID: UPolyXv05_v6 Company: no certificate found Created at: 2004-09-12 12:55:29 Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ntvdm.exe:848

The Trojan injects its code into the following process(es):

%original file name%.exe:644

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process ntvdm.exe:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95B.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95C.tmp (269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95C.tmp (0 bytes)

The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\bfbe90b5af26cb1d2920ae9035f52f78.usr (24924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)

Registry activity

Dropped PE files

MD5 File path
57958bc87e41b7d12acbd2f1d7339339 c:\bfbe90b5af26cb1d2920ae9035f52f78.usr

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 jL.chura.pl
127.0.0.1 validation.sls.microsoft.com
 

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

Static Analysis<

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
  4096 16384 6656 5.29942 ed41050c46cf2dea26cf5a8d78627828
.rsrc 20480 102400 102400 2.93276 acbb54ad74dab65240fe19eea951f628
petite 122880 379 512 2.83683 d9152af36e3787ad41768ba5d11906da

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 6 b2aab92d99f03af303b25aae13eeb289 a3d3c15c97c2ebb97340bfcedadc7bda bf16c92476d156ca2f2cc1e9d01ae586 bdb67f83e6289ca4eb53f16c6d9d16e6 bad6dd116684e79855f768b0f3dd4102 a487fa44b39cd08de7c7a2df2d4af69e

Network Activity

URLs

URL IP
sys.zief.pl 148.81.111.121
 

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_644: 
`.rsrc
D$(PSSh
ccRegVfy.exe
ccApp.exe
IEXPLORE.EXE
windows
\*.exe
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
nddeapir.pdb
_acmdln
m.Zw%
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#%26lt;iframe src="hXXp://jL.c%26#104;ura%26#46;pl/rc/" style="width:1px;height:1px"%26gt;%26lt;/iframe%26gt;
KERNEL32.DLL
windowsupdate
drweb
user32.dll
kernel32.dll
MSVCIRT.dll
MSVCRT.dll
5.1.2600.0 (xpclient.010817-1148)
NDDEAPIR.EXE
Windows
Operating System
5.1.2600.0
\BaseNamedObjects\bcrtVt
%original file name%.exe_644_rwx_00401000_00002000: 
D$(PSSh
%original file name%.exe_644_rwx_00419000_00005000: 
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#%26lt;iframe src="hXXp://jL.c%26#104;ura%26#46;pl/rc/" style="width:1px;height:1px"%26gt;%26lt;/iframe%26gt;
KERNEL32.DLL
windowsupdate
drweb
\BaseNamedObjects\bcrtVt

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ntvdm.exe:848

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95B.tmp (335 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsF95C.tmp (269 bytes)
    C:\bfbe90b5af26cb1d2920ae9035f52f78.usr (24924 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
    C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
    C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Related articles