Trojan-Downloader.Win32.Agent.btlp (Kaspersky), Trojan.Generic.1748385 (B) (Emsisoft), Trojan.Generic.1748385 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 208d08554ff924a9ecfc0797d726d523
SHA1: c762491fd65f1500a087e1b481df06c6a286bb53
SHA256: 7fd33a60b5c90a374c80f0f22c815db41fff30f753ad7a1f64164c9ffe8e65df
SSDeep: 3072:08LcrhCS142TdbjkO5M8hpTPKzCJajPgpg4:DcrhCl8fXpTi92
Size: 114688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2007-12-19 15:13:47
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
Regsvr32.exe:3172
%original file name%.exe:3676
The Trojan injects its code into the following process(es):
userinit.exe:1524
system.exe:2764
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process Regsvr32.exe:3172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\MSWINSCK.OCX (110 bytes)
The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\userinit.exe (227 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF19E6FF282D3255D3.TMP (0 bytes)
The process userinit.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\kdcoms.dll (199 bytes)
C:\Windows\System32\system.exe (227 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
Registry activity
The process Regsvr32.exe:3172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX, 1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "IMSWinsockControl"
[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "DMSWinsockControlEvents"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
"(Default)" = "Microsoft Winsock Control 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"
[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
The Trojan deletes the following value(s) in system registry:
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"
The process userinit.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\userinit.exe"
Dropped PE files
MD5 | File path |
---|---|
9484c04258830aa3c2f2a70eb041414c | c:\Windows\System32\MSWINSCK.OCX |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Regsvr32.exe:3172
%original file name%.exe:3676
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\MSWINSCK.OCX (110 bytes)
C:\Windows\userinit.exe (227 bytes)
C:\Windows\kdcoms.dll (199 bytes)
C:\Windows\System32\system.exe (227 bytes)
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\userinit.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: Hav_online
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: task.exe
Internal Name: task
File Version: 1.00
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 241664 | 69120 | 5.54305 | fc36098e84c49c98bbea5c66d3091adb |
.rsrc | 245760 | 45056 | 42496 | 3.22524 | 64cbd44ed7e9127d6194bcb49260ab46 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
scsd.ath.cx | 184.169.145.165 |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):