HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.15484775 (B) (Emsisoft), Trojan.Generic.15484775 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2546bbb5b6e5cb0d8dc274abd3ba7459
SHA1: d9ff1394ae014e3bab1c05f9888568cd1706d63b
SHA256: ffd48bd9ca39feddab8ca114958bed4d40fc07e0324f1602ef3eaffce1f87dd9
SSDeep: 24576:ZRmJkcoQricOIQxiZY1iaxzcj0oa4CdcstlneOVrPXh7fgyr6NpdpiFs4lvU/Jq4:2JZoQrbTFZY1iaxzcjHa4 zfvJPXhg8I
Size: 1553895 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
attrib.exe:968
attrib.exe:1640
%original file name%.exe:1820
%original file name%.exe:228
ntvdm.exe:1384
ntvdm.exe:308
notepad.exe:1112
schtasks.exe:1832
schtasks.exe:1968
schtasks.exe:1312
schtasks.exe:772
schtasks.exe:1336
schtasks.exe:1920
schtasks.exe:1112
schtasks.exe:644
schtasks.exe:1928
schtasks.exe:1912
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe (9605 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (2 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\06ZW593K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (16853 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7CVM4VS6\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.exe (3635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4L1GRUKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z27OFNPK\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (0 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (0 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (0 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (0 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (0 bytes)
The process ntvdm.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (576 bytes)
C:\$Directory (792 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (1920 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)
The process ntvdm.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%WinDir% (96 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%System%\config (4 bytes)
C:\$Directory (968 bytes)
%System% (3952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\Temp\scs3.tmp (33880 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\scs4.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)
The process notepad.exe:1112 makes changes in the file system.
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process attrib.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 88 78 E2 83 9E C6 7D 9F 11 44 4E 10 25 5A 74"
The process attrib.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 C8 73 5E EA 9F 95 0C 6A AE C5 69 28 A2 8B 1B"
The process %original file name%.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B9 58 F0 C7 9C E3 FA 71 EE 13 56 70 DD 38 DF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update]
"jusched.exe" = "jusched"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not belong to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update" = "%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26]
"adobearm.exe" = "RUNASADMIN"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15]
"ati2s9ag.exe" = "RUNASADMIN"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Spotify]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files%\VMware\VMware Tools\Drivers]
"sttray64.exe" = "RUNASADMIN"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 EB BC 3E 18 41 6F 38 42 03 CB ED AE 31 AA 1D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Spotify]
"Version" = "12,1,7601,9171"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386]
"CLPSLA.exe" = "RUNASADMIN"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not belong to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Adobe Reader and Acrobat Manager" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ATISmart" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%Program Files%\VMware\VMware Tools\Drivers\sttray64.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Comodo" = "%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process notepad.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 39 C2 D0 BD 55 11 64 94 25 50 AB 5C F6 02 B8"
The process schtasks.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 15 A0 18 A7 C5 BE B5 1B 88 38 21 6A 4E 7E C1"
The process schtasks.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 B6 7D 04 79 11 07 A7 5F 8D CD 6E 52 EA CE DB"
The process schtasks.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 A5 DD 7D 78 B8 8F 88 79 09 7A 79 9E 2C 57 22"
The process schtasks.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 25 29 E2 57 55 C0 3B 1C 73 71 82 33 AE BE 68"
The process schtasks.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 A1 E7 FF 6E CA D8 72 2A A2 3B 62 46 39 B4 D6"
The process schtasks.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 3D 40 59 39 5B 4E 0F 56 8F 05 9E B2 D6 84 02"
The process schtasks.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 F2 AE 11 3F 34 E9 32 DB 9A ED 6B 6C E5 69 39"
The process schtasks.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 BD D9 8F 96 2A E0 C6 54 61 CC 08 E4 85 D8 6A"
The process schtasks.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 E1 86 56 20 59 83 8F 30 A4 3E FC 5F C0 CD F7"
The process schtasks.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 47 D1 06 86 86 20 90 CF 41 A1 EF 8E BF 3E E7"
Dropped PE files
MD5 | File path |
---|---|
0a88c93ab506bc3e01257eb438605ef8 | c:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe |
e89729be4966e092c517222058f3e261 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe |
a512ad1ddc93341b617ead15c78d4a4f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe |
b23fd3dbfa6cdd11c8f907d33d62146e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe |
95b7ea06c89ffdc243d3c5defbcf2818 | c:\Program Files\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe |
15dc472347ed815ff9f3a52aa4e370ff | c:\Program Files\Common Files\VMware\Drivers\memctl\CLPSLA.exe |
d6254397f0c3f2735319cbd56329d6e5 | c:\Program Files\VMware\VMware Tools\Drivers\sttray64.exe |
ae5acac04c7ad758014ecdacab211621 | c:\Program Files\VMware\VMware Tools\help\wwhdata\js\search\pairs\HPWuSchd2.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
attrib.exe:968
attrib.exe:1640
%original file name%.exe:1820
%original file name%.exe:228
ntvdm.exe:1384
ntvdm.exe:308
notepad.exe:1112
schtasks.exe:1832
schtasks.exe:1968
schtasks.exe:1312
schtasks.exe:772
schtasks.exe:1336
schtasks.exe:1920
schtasks.exe:1112
schtasks.exe:644
schtasks.exe:1928
schtasks.exe:1912
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe (9605 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (2 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\06ZW593K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (16853 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7CVM4VS6\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.exe (3635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4L1GRUKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z27OFNPK\desktop.ini (67 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%WinDir%\REGISTRATION (4 bytes)
C:\$Directory (792 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (1920 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%System%\config (4 bytes)
%WinDir%\Temp\scs3.tmp (33880 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update" = "%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Adobe Reader and Acrobat Manager" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ATISmart" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%Program Files%\VMware\VMware Tools\Drivers\sttray64.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Comodo" = "%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 525852 | 526336 | 4.63347 | 61ffce4768976fa0dd2a8f6a97b1417a |
.rdata | 532480 | 57280 | 57344 | 3.32693 | 0354bc5f2376b5e9a4a3ba38b682dff1 |
.data | 589824 | 108376 | 26624 | 1.49032 | 8033f5a38941b4685bc2299e78f31221 |
.rsrc | 700416 | 10200 | 10240 | 2.48753 | 640bc742b83032975c9f113c57f618b1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 20
1ead5ffc46964bcdcf395b960a87bb40
7b488a6d157876f4148fefa7ea4b43ed
9c02b04d47f5fe246ba8605f33638910
2599268479685a1beaa590bb75da17b4
0f6ba808a287d36477d14a7e123be53c
d8f0b719f7097a6a9a525157de5709aa
d65b580db5bb446942aea6bc3ad9943b
b5a1711253e3cd0dca8dba4c00ccaaa7
eff6df5c38f713cc7370eef30ea531c8
ee19935ccf4593b3fc7c25dc0c613788
7accbeec33ac0bb3a26ec3b2fecce097
2e6247f7bb5f1919f52203da0dc97b79
f2fcd4678bee9d13d80649eaa3900463
eb106a14ae0efbc52f0815c2be5b4926
85196aa5cba244d88ed00224d6c243d3
cadeb1d79ee8f2f32e6ed969c67250c8
96ac704a88e6a6d8abbf58f58b1dbe4d
f8da43f6e31d5826ba9840c7c2052b38
f661a1fbfd5059f763567dc262f1d0b8
fc66297be389ef68c2e3223bb7fa6177
Network Activity
URLs
URL | IP |
---|---|
hxxp://update.gpr0xy.com/version.txt | 91.195.241.121 |
hxxp://update.gpr0xy.com/8a8bc5f3a301eff8e06be4e000db87c7 | 91.195.241.121 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /version.txt HTTP/1.1
User-Agent: AutoIt
Host: update.gpr0xy.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:52:09 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your registrar immediately....</h4>..</div>.</body>.</html>....
GET /8a8bc5f3a301eff8e06be4e000db87c7 HTTP/1.1
User-Agent: AutoIt
Host: update.gpr0xy.com
HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:52:09 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your r..
GET /version.txt HTTP/1.1
User-Agent: AutoIt
Host: update.gpr0xy.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:51:30 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your registrar immediately....</h4>..</div>.</body>.</html>....
GET /8a8bc5f3a301eff8e06be4e000db87c7 HTTP/1.1
User-Agent: AutoIt
Host: update.gpr0xy.com
HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:51:30 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your registrar immediately....</h4>..</div>.</body>.</html>HTTP/1.1 200 OK..Date: Mon, 20 Jun 2016 21:51:30 GMT..Server: Apache/2.2.22 (Debian)..X-Powered-By: PHP/5.4.45-0 deb7u3..Vary: Accept-Encoding..Content-Length: 737..Content-Type: text/html..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "hXXp://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body&g
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):