Trojan.Generic.1748385_208d08554f

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

Regsvr32.exe:3172
%original file name%.exe:3676

The Trojan injects its code into the following process(es):

userinit.exe:1524
system.exe:2764

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Regsvr32.exe:3172 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\MSWINSCK.OCX (110 bytes)

The process %original file name%.exe:3676 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\userinit.exe (227 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF19E6FF282D3255D3.TMP (0 bytes)

The process userinit.exe:1524 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\kdcoms.dll (199 bytes)
C:\Windows\System32\system.exe (227 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)

Registry activity

The process Regsvr32.exe:3172 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX, 1"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "IMSWinsockControl"

[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "DMSWinsockControlEvents"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
"(Default)" = "Microsoft Winsock Control 6.0"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"

[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]

The Trojan deletes the following value(s) in system registry:

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"

The process userinit.exe:1524 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\userinit.exe"

Dropped PE files

MD5	File path
9484c04258830aa3c2f2a70eb041414c	c:\Windows\System32\MSWINSCK.OCX

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   Regsvr32.exe:3172
   %original file name%.exe:3676
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   C:\Windows\System32\MSWINSCK.OCX (110 bytes)
   C:\Windows\userinit.exe (227 bytes)
   C:\Windows\kdcoms.dll (199 bytes)
   C:\Windows\System32\system.exe (227 bytes)
   

4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "UserInit" = "C:\Windows\userinit.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Hav_online
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: task.exe
Internal Name: task
File Version: 1.00
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Hav_onlineProduct Version: 1.00Legal Copyright: Legal Trademarks: Original Filename: task.exeInternal Name: taskFile Version: 1.00File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	241664	69120	5.54305	fc36098e84c49c98bbea5c66d3091adb
.rsrc	245760	45056	42496	3.22524	64cbd44ed7e9127d6194bcb49260ab46

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
scsd.ath.cx	184.169.145.165
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps