Skip to main content

Gen.Variant.Zusy.199421_97ac9fe88d


Gen:Variant.Zusy.199421 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), BackDoor.Bladabindi.13678 (DrWeb), Gen:Variant.Zusy.199421 (B) (Emsisoft), Artemis!97AC9FE88D1F (McAfee), Trojan.Gen.2 (Symantec), Trojan-Downloader.Win32.Autohk (Ikarus), Gen:Variant.Zusy.199421 (FSecure), Win32/DH{Ow?} (AVG), Win32:Malware-gen (Avast), Gen:Variant.Zusy.199421 (AdAware), Trojan.MSIL.Bladabindi.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 97ac9fe88d1f649dd19fede6ade1fc09

SHA1: 7de351b8e0d53e1d04c9658d706006b12b68d827

SHA256: 1e6d931c2371c48f85adc591c5793159304056c01fd459a537c46cfe29462dca

SSDeep: 6144:sbbs8miuWxBn061wjr36UIU yoTiKVpwCbC/ry7YOTD0zoL69 rOV4bXWCH:MgrTMn061M36RUOTvpwpNO/0zoL6UrOi

Size: 348160 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: DriverPack

Created at: 2016-01-16 08:27:22

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:2936

The Trojan injects its code into the following process(es):

svchost.exe:1784

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe (2105 bytes)

Registry activity

The process %original file name%.exe:2936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:


To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Aj7IlyiqVj3xkitP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2936

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe (2105 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Aj7IlyiqVj3xkitP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.23.00
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.23.00
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 1.1.23.00Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.1.23.00File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.MPRESS140969256963358725.5447777107171c39e07e95efeb6fc4e3ebd6f
.MPRESS2929792365640963.8871b348d1b2fe61a513f7e48b729678eb3
.rsrc933888756076803.7750866f1091e31786183f208c9c000f92d88

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1784:

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

v2.0.50727

DRSTUB.exe

DRSTUB.exe

Microsoft.VisualBasic

Microsoft.VisualBasic

System.Windows.Forms

System.Windows.Forms

System.Drawing

System.Drawing

avicap32.dll

avicap32.dll

user32.dll

user32.dll

kernel32.dll

kernel32.dll

DRSTUB.Resources.resources

DRSTUB.Resources.resources

DRSTUB.My

DRSTUB.My

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.ApplicationServices

.ctor

.ctor

System.Diagnostics

System.Diagnostics

System.ComponentModel

System.ComponentModel

System.CodeDom.Compiler

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

.cctor

.cctor

get_WebServices

get_WebServices

HelpKeywordAttribute

HelpKeywordAttribute

System.ComponentModel.Design

System.ComponentModel.Design

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Runtime.InteropServices

System.IO

System.IO

System.Net.Sockets

System.Net.Sockets

RegistryKey

RegistryKey

Microsoft.Win32

Microsoft.Win32

Operators

Operators

GetKey

GetKey

System.Collections

System.Collections

ProcessWindowStyle

ProcessWindowStyle

WebClient

WebClient

System.Net

System.Net

System.Threading

System.Threading

CopyPixelOperation

CopyPixelOperation

System.Drawing.Imaging

System.Drawing.Imaging

System.Reflection

System.Reflection

TcpClient

TcpClient

System.Text

System.Text

System.IO.Compression

System.IO.Compression

System.Collections.Generic

System.Collections.Generic

OperatingSystem

OperatingSystem

Microsoft.VisualBasic.MyServices

Microsoft.VisualBasic.MyServices

get_ExecutablePath

get_ExecutablePath

wolf_usb_exe

wolf_usb_exe

GetKeyboardLayout

GetKeyboardLayout

GetAsyncKeyState

GetAsyncKeyState

vKey

vKey

MapVirtualKey

MapVirtualKey

GetKeyboardState

GetKeyboardState

lpKeyState

lpKeyState

Keys

Keys

wVirtKey

wVirtKey

Keyboard

Keyboard

GetExecutingAssembly

GetExecutingAssembly

OpenSubKey

OpenSubKey

DRSTUB.My.Resources

DRSTUB.My.Resources

System.Globalization

System.Globalization

System.Resources

System.Resources

System.Configuration

System.Configuration

8.0.0.0

8.0.0.0

My.WebServices

My.WebServices

My.User

My.User

My.Application

My.Application

My.Computer

My.Computer

4System.Web.Services.Protocols.SoapHttpClientProtocol

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

11.0.0.0

11.0.0.0

My.Settings

My.Settings

1.0.0.0

1.0.0.0

$721aff54-84bf-4dd4-9947-d32d266b77f6

$721aff54-84bf-4dd4-9947-d32d266b77f6

_CorExeMain

_CorExeMain

mscoree.dll

mscoree.dll

If you want to change the Windows User Account Control level replace the

If you want to change the Windows User Account Control level replace the

requestedExecutionLevel node with one of the following.

requestedExecutionLevel node with one of the following.

Specifying requestedExecutionLevel node will disable file and registry virtualization.

Specifying requestedExecutionLevel node will disable file and registry virtualization.

compatibility then delete the requestedExecutionLevel node.

compatibility then delete the requestedExecutionLevel node.

Windows will automatically select the most compatible environment.-->

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

cmd.exe

cmd.exe

UseShellExecute

UseShellExecute

WindowStyle

WindowStyle

GetSubKeyNames

GetSubKeyNames

CreateSubKey

CreateSubKey

DeleteSubKeyTree

DeleteSubKeyTree

DeleteSubKey

DeleteSubKey

cmd.exe /k ping 0 & del "

cmd.exe /k ping 0 & del "

Windows

Windows

autorun.inf

autorun.inf

install.exe

install.exe

%System%\dllcache

%System%\dllcache

%System%\dllcache\recycled.exe

%System%\dllcache\recycled.exe

%System%\dllcache\myporn.scr

%System%\dllcache\myporn.scr

%System%\dllcache\doc.pif

%System%\dllcache\doc.pif

C:\windows\system32\drivers\svchost.exe

C:\windows\system32\drivers\svchost.exe

ShellExecute=install.exe

ShellExecute=install.exe

shell\open\command=install.exe

shell\open\command=install.exe

shell\explore\command=install.exe

shell\explore\command=install.exe

shell\Open\command=install.exe

shell\Open\command=install.exe

C:\windows\system32\winlogon.scr

C:\windows\system32\winlogon.scr

desktop.ini

desktop.ini

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

0.7.1

0.7.1

Prozone.exe

Prozone.exe

127.0.0.1

127.0.0.1

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

??/??/??

??/??/??

ShiftKeyDown

ShiftKeyDown

WScript.Shell

WScript.Shell

&explorer /root,"Í%

&explorer /root,"Í%

DRSTUB.Resources

DRSTUB.Resources

svchost.exe_1784_rwx_00400000_00014000:

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

v2.0.50727

DRSTUB.exe

DRSTUB.exe

Microsoft.VisualBasic

Microsoft.VisualBasic

System.Windows.Forms

System.Windows.Forms

System.Drawing

System.Drawing

avicap32.dll

avicap32.dll

user32.dll

user32.dll

kernel32.dll

kernel32.dll

DRSTUB.Resources.resources

DRSTUB.Resources.resources

DRSTUB.My

DRSTUB.My

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.ApplicationServices

.ctor

.ctor

System.Diagnostics

System.Diagnostics

System.ComponentModel

System.ComponentModel

System.CodeDom.Compiler

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

.cctor

.cctor

get_WebServices

get_WebServices

HelpKeywordAttribute

HelpKeywordAttribute

System.ComponentModel.Design

System.ComponentModel.Design

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Runtime.InteropServices

System.IO

System.IO

System.Net.Sockets

System.Net.Sockets

RegistryKey

RegistryKey

Microsoft.Win32

Microsoft.Win32

Operators

Operators

GetKey

GetKey

System.Collections

System.Collections

ProcessWindowStyle

ProcessWindowStyle

WebClient

WebClient

System.Net

System.Net

System.Threading

System.Threading

CopyPixelOperation

CopyPixelOperation

System.Drawing.Imaging

System.Drawing.Imaging

System.Reflection

System.Reflection

TcpClient

TcpClient

System.Text

System.Text

System.IO.Compression

System.IO.Compression

System.Collections.Generic

System.Collections.Generic

OperatingSystem

OperatingSystem

Microsoft.VisualBasic.MyServices

Microsoft.VisualBasic.MyServices

get_ExecutablePath

get_ExecutablePath

wolf_usb_exe

wolf_usb_exe

GetKeyboardLayout

GetKeyboardLayout

GetAsyncKeyState

GetAsyncKeyState

vKey

vKey

MapVirtualKey

MapVirtualKey

GetKeyboardState

GetKeyboardState

lpKeyState

lpKeyState

Keys

Keys

wVirtKey

wVirtKey

Keyboard

Keyboard

GetExecutingAssembly

GetExecutingAssembly

OpenSubKey

OpenSubKey

DRSTUB.My.Resources

DRSTUB.My.Resources

System.Globalization

System.Globalization

System.Resources

System.Resources

System.Configuration

System.Configuration

8.0.0.0

8.0.0.0

My.WebServices

My.WebServices

My.User

My.User

My.Application

My.Application

My.Computer

My.Computer

4System.Web.Services.Protocols.SoapHttpClientProtocol

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

11.0.0.0

11.0.0.0

My.Settings

My.Settings

1.0.0.0

1.0.0.0

$721aff54-84bf-4dd4-9947-d32d266b77f6

$721aff54-84bf-4dd4-9947-d32d266b77f6

_CorExeMain

_CorExeMain

mscoree.dll

mscoree.dll

If you want to change the Windows User Account Control level replace the

If you want to change the Windows User Account Control level replace the

requestedExecutionLevel node with one of the following.

requestedExecutionLevel node with one of the following.

Specifying requestedExecutionLevel node will disable file and registry virtualization.

Specifying requestedExecutionLevel node will disable file and registry virtualization.

compatibility then delete the requestedExecutionLevel node.

compatibility then delete the requestedExecutionLevel node.

Windows will automatically select the most compatible environment.-->

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

cmd.exe

cmd.exe

UseShellExecute

UseShellExecute

WindowStyle

WindowStyle

GetSubKeyNames

GetSubKeyNames

CreateSubKey

CreateSubKey

DeleteSubKeyTree

DeleteSubKeyTree

DeleteSubKey

DeleteSubKey

cmd.exe /k ping 0 & del "

cmd.exe /k ping 0 & del "

Windows

Windows

autorun.inf

autorun.inf

install.exe

install.exe

%System%\dllcache

%System%\dllcache

%System%\dllcache\recycled.exe

%System%\dllcache\recycled.exe

%System%\dllcache\myporn.scr

%System%\dllcache\myporn.scr

%System%\dllcache\doc.pif

%System%\dllcache\doc.pif

C:\windows\system32\drivers\svchost.exe

C:\windows\system32\drivers\svchost.exe

ShellExecute=install.exe

ShellExecute=install.exe

shell\open\command=install.exe

shell\open\command=install.exe

shell\explore\command=install.exe

shell\explore\command=install.exe

shell\Open\command=install.exe

shell\Open\command=install.exe

C:\windows\system32\winlogon.scr

C:\windows\system32\winlogon.scr

desktop.ini

desktop.ini

[.ShellClassInfo]

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

0.7.1

0.7.1

Prozone.exe

Prozone.exe

127.0.0.1

127.0.0.1

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

??/??/??

??/??/??

ShiftKeyDown

ShiftKeyDown

WScript.Shell

WScript.Shell

&explorer /root,"Í%

&explorer /root,"Í%

DRSTUB.Resources

DRSTUB.Resources