not-a-virus:AdWare.Win32.ConvertAd.ayi (Kaspersky), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR (Lavasoft MAS)Behaviour: Trojan, Virus, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2c14e1f89eeca5d48c1d3f6199683363
SHA1: 876cd1732fdf4dd92b1bdee75158e4832b18bd52
SHA256: 800df19290209f158bd96132b49233253ca831b449dccb404caa551567276f78
SSDeep: 6144:QZ8Bb8h vI3s4h7bnoS1OKjzbItqKUDManZumFhTnEM6HHGi0 lv1H3:Mobe vIce7bnAcbIteYanZumv77fK3
Size: 321490 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: LLC Pentagon
Created at: 2015-08-15 18:11:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Virus creates the following process(es):
%original file name%.exe:856
The Virus injects its code into the following process(es):
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:856 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WT2N852Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YTW81N8N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uda1.tmp (11010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HKR9E6W\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQV4DMV\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:856 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AF E6 0B 04 CB 41 6A 88 8D E5 24 4F 39 1D 5E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
685f1cbd4af30a1d0c25f252d399a666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uda1.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:856
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WT2N852Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YTW81N8N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uda1.tmp (11010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HKR9E6W\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQV4DMV\desktop.ini (67 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 112949 | 113152 | 4.47183 | 25192e76b437af7ef9f76b2e67c7afd8 |
.rdata | 118784 | 16794 | 16896 | 3.67682 | 01910cd90af9f21fc88833252edeec91 |
.data | 139264 | 13060 | 5120 | 2.44354 | ab4e5e7bbda75911e401e9674c910700 |
.rsrc | 155648 | 436 | 512 | 3.5438 | f6ab0bea429a6127369ecee73cd00d8c |
.reloc | 159744 | 7118 | 7168 | 3.16281 | 7cabc193f9f8173aa0177b29475e55fc |
.qnk | 167936 | 4096 | 1536 | 4.90604 | cba7310ebc9949c44f3880a9c4d77b75 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 174.129.23.198 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 148
Cache-Control: no-cache
{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5482\",\"utm_addition\":\"&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Sun, 21 Feb 2016 08:56:12 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 148
Cache-Control: no-cache
{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5504\",\"utm_addition\":\"&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Sun, 21 Feb 2016 08:56:12 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 161
Cache-Control: no-cache
{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5483\",\"utm_addition\":\"reason=2&cmd=&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Sun, 21 Feb 2016 08:56:12 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE..Access-Control-Allow-Origin: *..Content-Type: application/json; charset=utf-8..Date: Sun, 21 Feb 2016 08:56:12 GMT..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..
Map
The Virus connects to the servers at the folowing location(s):
Strings from Dumps
Explorer.EXE_1572_rwx_01EA1000_00071000:
UDPSockError
UDPSockError
NMUDP
NMUDP
Errmsg
Errmsg
Port
Port
TNMUDP
TNMUDP
RemotePort
RemotePort
LocalPort
LocalPort
ReportLevelLk
ReportLevelLk
0.0.0.0
0.0.0.0
%d.%d.%d.%d
%d.%d.%d.%d
AutoHotkeys
AutoHotkeys
:].tJ
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation,0
EInvalidGraphicOperation
EInvalidGraphicOperation
KeyPreview,
KeyPreview,
WindowState
WindowState
OnKeyDown
OnKeyDown
OnKeyPressdz
OnKeyPressdz
OnKeyUp
OnKeyUp
ssHotTrack
ssHotTrack
TWindowState
TWindowState
poProportional
poProportional
TWMKey
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
vcltest3.dll
TDragOperation
TDragOperation
TKeyEvent
TKeyEvent
TKeyPressEvent
TKeyPressEvent
crSQLWait
crSQLWait
%s (%s)
%s (%s)
IMM32.DLL
IMM32.DLL
EInvalidOperation
EInvalidOperation
%s[%d]
%s[%d]
%s_%d
%s_%d
USER32.DLL
USER32.DLL
comctl32.dll
comctl32.dll
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
kernel32.dll
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
explorer.exe
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
*.TMP
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
readbook.exe
readbook.exe
rundll32.exe
rundll32.exe
*.exe
*.exe
*.scr
*.scr
UdpT
UdpT
UdpOnDataReceived
UdpOnDataReceived
xxtype.cpp
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Inappropriate I/O control operation
Broken pipe
Broken pipe
Operation not permitted
Operation not permitted
%H:%M:%S
%H:%M:%S
%m/%d/%y
%m/%d/%y
%A, %B %d, %Y
%A, %B %d, %Y
d/d/d d:d:d.d
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
ReportLevel
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyExA
RegFlushKey
RegFlushKey
SetViewportOrgEx
SetViewportOrgEx
ActivateKeyboardLayout
ActivateKeyboardLayout
EnumThreadWindows
EnumThreadWindows
EnumWindows
EnumWindows
GetKeyNameTextA
GetKeyNameTextA
GetKeyState
GetKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardState
GetKeyboardType
GetKeyboardType
LoadKeyboardLayoutA
LoadKeyboardLayoutA
MapVirtualKeyA
MapVirtualKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
VprK|%Ud
VprK|%Ud
€00404
€00404
8 @ @ @ @ @
8 @ @ @ @ @
.text
.text
`.data
`.data
.idata
.idata
@.edata
@.edata
@.rsrc
@.rsrc
@.reloc
@.reloc
70"!(&&$
70"!(&&$
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Win32 Error. Code: %d.
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Invalid data type for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
Alt Clipboard does not support Icons
!Control '%s' has no parent window
!Control '%s' has no parent window
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Ancestor for '%s' not found
Ancestor for '%s' not found
Unsupported clipboard format
Unsupported clipboard format
Class %s not found
Class %s not found
Resource %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
A class named %s already exists
Cannot assign a %s to a %s
Cannot assign a %s to a %s
Cannot create file %s
Cannot create file %s
Cannot open file %s
Cannot open file %s