Skip to main content

Trojan.Generic.15484775_2546bbb5b6


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.15484775 (B) (Emsisoft), Trojan.Generic.15484775 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2546bbb5b6e5cb0d8dc274abd3ba7459

SHA1: d9ff1394ae014e3bab1c05f9888568cd1706d63b

SHA256: ffd48bd9ca39feddab8ca114958bed4d40fc07e0324f1602ef3eaffce1f87dd9

SSDeep: 24576:ZRmJkcoQricOIQxiZY1iaxzcj0oa4CdcstlneOVrPXh7fgyr6NpdpiFs4lvU/Jq4:2JZoQrbTFZY1iaxzcjHa4 zfvJPXhg8I

Size: 1553895 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-01-29 23:32:28

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

attrib.exe:968
attrib.exe:1640
%original file name%.exe:1820
%original file name%.exe:228
ntvdm.exe:1384
ntvdm.exe:308
notepad.exe:1112
schtasks.exe:1832
schtasks.exe:1968
schtasks.exe:1312
schtasks.exe:772
schtasks.exe:1336
schtasks.exe:1920
schtasks.exe:1112
schtasks.exe:644
schtasks.exe:1928
schtasks.exe:1912

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1820 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe (9605 bytes)

The process %original file name%.exe:228 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (2 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\06ZW593K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (16853 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7CVM4VS6\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.exe (3635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4L1GRUKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z27OFNPK\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (0 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (0 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (0 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (0 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (0 bytes)

The process ntvdm.exe:1384 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\DOCUMENTS AND SETTINGS (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (576 bytes)
C:\$Directory (792 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (1920 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process ntvdm.exe:308 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%WinDir% (96 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%System%\config (4 bytes)
C:\$Directory (968 bytes)
%System% (3952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\Temp\scs3.tmp (33880 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs4.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)

The process notepad.exe:1112 makes changes in the file system.


The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process attrib.exe:968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 88 78 E2 83 9E C6 7D 9F 11 44 4E 10 25 5A 74"

The process attrib.exe:1640 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 C8 73 5E EA 9F 95 0C 6A AE C5 69 28 A2 8B 1B"

The process %original file name%.exe:1820 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B9 58 F0 C7 9C E3 FA 71 EE 13 56 70 DD 38 DF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update]
"jusched.exe" = "jusched"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update" = "%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

The process %original file name%.exe:228 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26]
"adobearm.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15]
"ati2s9ag.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Spotify]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files%\VMware\VMware Tools\Drivers]
"sttray64.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 EB BC 3E 18 41 6F 38 42 03 CB ED AE 31 AA 1D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Spotify]
"Version" = "12,1,7601,9171"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386]
"CLPSLA.exe" = "RUNASADMIN"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Adobe Reader and Acrobat Manager" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ATISmart" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%Program Files%\VMware\VMware Tools\Drivers\sttray64.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Comodo" = "%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process notepad.exe:1112 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 39 C2 D0 BD 55 11 64 94 25 50 AB 5C F6 02 B8"

The process schtasks.exe:1832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 15 A0 18 A7 C5 BE B5 1B 88 38 21 6A 4E 7E C1"

The process schtasks.exe:1968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 B6 7D 04 79 11 07 A7 5F 8D CD 6E 52 EA CE DB"

The process schtasks.exe:1312 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 A5 DD 7D 78 B8 8F 88 79 09 7A 79 9E 2C 57 22"

The process schtasks.exe:772 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 25 29 E2 57 55 C0 3B 1C 73 71 82 33 AE BE 68"

The process schtasks.exe:1336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 A1 E7 FF 6E CA D8 72 2A A2 3B 62 46 39 B4 D6"

The process schtasks.exe:1920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 3D 40 59 39 5B 4E 0F 56 8F 05 9E B2 D6 84 02"

The process schtasks.exe:1112 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 F2 AE 11 3F 34 E9 32 DB 9A ED 6B 6C E5 69 39"

The process schtasks.exe:644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 BD D9 8F 96 2A E0 C6 54 61 CC 08 E4 85 D8 6A"

The process schtasks.exe:1928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 E1 86 56 20 59 83 8F 30 A4 3E FC 5F C0 CD F7"

The process schtasks.exe:1912 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 47 D1 06 86 86 20 90 CF 41 A1 EF 8E BF 3E E7"

Dropped PE files

MD5 File path
0a88c93ab506bc3e01257eb438605ef8c:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe
e89729be4966e092c517222058f3e261c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe
a512ad1ddc93341b617ead15c78d4a4fc:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe
b23fd3dbfa6cdd11c8f907d33d62146ec:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe
95b7ea06c89ffdc243d3c5defbcf2818c:\Program Files\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe
15dc472347ed815ff9f3a52aa4e370ffc:\Program Files\Common Files\VMware\Drivers\memctl\CLPSLA.exe
d6254397f0c3f2735319cbd56329d6e5c:\Program Files\VMware\VMware Tools\Drivers\sttray64.exe
ae5acac04c7ad758014ecdacab211621c:\Program Files\VMware\VMware Tools\help\wwhdata\js\search\pairs\HPWuSchd2.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    attrib.exe:968
    attrib.exe:1640
    %original file name%.exe:1820
    %original file name%.exe:228
    ntvdm.exe:1384
    ntvdm.exe:308
    notepad.exe:1112
    schtasks.exe:1832
    schtasks.exe:1968
    schtasks.exe:1312
    schtasks.exe:772
    schtasks.exe:1336
    schtasks.exe:1920
    schtasks.exe:1112
    schtasks.exe:644
    schtasks.exe:1928
    schtasks.exe:1912

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe (9605 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (16853 bytes)
    %Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (2 bytes)
    %Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (16853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\06ZW593K\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (16853 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (16853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7CVM4VS6\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (16853 bytes)
    %Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (16853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.exe (3635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4L1GRUKJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z27OFNPK\desktop.ini (67 bytes)
    C:\DOCUMENTS AND SETTINGS (4 bytes)
    %Program Files%\WIRESHARK (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    C:\$Directory (792 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %System% (1920 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    C:\PROGRAM FILES (8 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %System%\wbem (1064 bytes)
    %System%\drivers (32 bytes)
    %WinDir%\Temp\scs1.tmp (33880 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
    %WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
    %WinDir%\Temp\scs4.tmp (10145 bytes)
    %Documents and Settings%\All Users\DOCUMENTS (4 bytes)
    %System%\config (4 bytes)
    %WinDir%\Temp\scs3.tmp (33880 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Java Update" = "%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Adobe Reader and Acrobat Manager" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "ATISmart" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDT PC Audio" = "%Program Files%\VMware\VMware Tools\Drivers\sttray64.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Comodo" = "%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: Chinese (Simplified, PRC)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 3, 3, 8, 1File Description: Comments: Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40965258525263364.6334761ffce4768976fa0dd2a8f6a97b1417a
.rdata53248057280573443.326930354bc5f2376b5e9a4a3ba38b682dff1
.data589824108376266241.490328033f5a38941b4685bc2299e78f31221
.rsrc70041610200102402.48753640bc742b83032975c9f113c57f618b1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 20
1ead5ffc46964bcdcf395b960a87bb40
7b488a6d157876f4148fefa7ea4b43ed
9c02b04d47f5fe246ba8605f33638910
2599268479685a1beaa590bb75da17b4
0f6ba808a287d36477d14a7e123be53c
d8f0b719f7097a6a9a525157de5709aa
d65b580db5bb446942aea6bc3ad9943b
b5a1711253e3cd0dca8dba4c00ccaaa7
eff6df5c38f713cc7370eef30ea531c8
ee19935ccf4593b3fc7c25dc0c613788
7accbeec33ac0bb3a26ec3b2fecce097
2e6247f7bb5f1919f52203da0dc97b79
f2fcd4678bee9d13d80649eaa3900463
eb106a14ae0efbc52f0815c2be5b4926
85196aa5cba244d88ed00224d6c243d3
cadeb1d79ee8f2f32e6ed969c67250c8
96ac704a88e6a6d8abbf58f58b1dbe4d
f8da43f6e31d5826ba9840c7c2052b38
f661a1fbfd5059f763567dc262f1d0b8
fc66297be389ef68c2e3223bb7fa6177

Network Activity

URLs

URL IP
hxxp://update.gpr0xy.com/version.txt91.195.241.121
hxxp://update.gpr0xy.com/8a8bc5f3a301eff8e06be4e000db87c791.195.241.121

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /version.txt HTTP/1.1

User-Agent: AutoIt

Host: update.gpr0xy.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 21:52:09 GMT

Server: Apache/2.2.22 (Debian)

X-Powered-By: PHP/5.4.45-0 deb7u3

Vary: Accept-Encoding

Content-Length: 737

Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your registrar immediately....</h4>..</div>.</body>.</html>....

GET /8a8bc5f3a301eff8e06be4e000db87c7 HTTP/1.1

User-Agent: AutoIt

Host: update.gpr0xy.com

HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 21:52:09 GMT

Server: Apache/2.2.22 (Debian)

X-Powered-By: PHP/5.4.45-0 deb7u3

Vary: Accept-Encoding

Content-Length: 737

Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your r..

GET /version.txt HTTP/1.1

User-Agent: AutoIt

Host: update.gpr0xy.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 21:51:30 GMT

Server: Apache/2.2.22 (Debian)

X-Powered-By: PHP/5.4.45-0 deb7u3

Vary: Accept-Encoding

Content-Length: 737

Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your registrar immediately....</h4>..</div>.</body>.</html>....

GET /8a8bc5f3a301eff8e06be4e000db87c7 HTTP/1.1

User-Agent: AutoIt

Host: update.gpr0xy.com

HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 21:51:30 GMT

Server: Apache/2.2.22 (Debian)

X-Powered-By: PHP/5.4.45-0 deb7u3

Vary: Accept-Encoding

Content-Length: 737

Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body>...<div style="width: 100%; text-align: center; ">...<img src="/img/warning.jpg">....<h3 style="font-size: 30px;">This domain name has expired.</h3>...<h4 style="font-size: 16px;">....In order to restore the domain and continue the service you will have to contact your registrar immediately....</h4>..</div>.</body>.</html>HTTP/1.1 200 OK..Date: Mon, 20 Jun 2016 21:51:30 GMT..Server: Apache/2.2.22 (Debian)..X-Powered-By: PHP/5.4.45-0 deb7u3..Vary: Accept-Encoding..Content-Length: 737..Content-Type: text/html..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "hXXp://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<meta name="robots" content="index,follow"/>..<meta name="revisit-after" content="7 days" />..<meta name="expires" content="now" />..<meta http-equiv="pragma" content="no-cache" />..<title>Domain Expires</title>.</head>.<body&g

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps