Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ca9c1271ef481e67db63af9a07d4a378
SHA1: 4a998bcee5ec188493f298448804849a196fe941
SHA256: 8592a3c5bf845ec567d72144290c4bc9fb054ca2794914cc0d08a745485abf17
SSDeep: 98304:j7A3gwMiN1t 6dXTPaGpCvr5PTrnzVuV7CukT51lH934p:jJibt UPah5brz6ChlHl4p
Size: 3728296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ????????????
Created at: 2012-02-24 21:19:59
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mytime.exe:3148
%original file name%.exe:1976
The Trojan injects its code into the following process(es):
mytime.exe:3584
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process mytime.exe:3148 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\install[1].aspx (0 bytes)
The process mytime.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Ruanmei\PCMaster\config\mytime\countdown.xml (158 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1].htm (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\101010100[1].htm (14574 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\191B.tmp (196 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\weathericon\default.icn (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mytime[1].xml (3 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\mytimeset.cfg (11405 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\2017.xml (53 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\remind.xml (152 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\sound\remind.wav (21 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\weatherlist.xml (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MagicTray\Config\remind.xml (152 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\mytime.dll (108 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\postdata[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mytime[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\101010100[1].htm (0 bytes)
%Program Files%\Ruanmei\PCMaster\mytime.txt (0 bytes)
The process %original file name%.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Ruanmei\PCMaster\plugins\remind.dll (12024 bytes)