Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR (Lavasoft MAS)Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dea76138635e82dc579a8042f153c1b0
SHA1: 3ec06a23b6cc35dfe0b5d7004233dc34708ea741
SHA256: b5a4ef175bdcab9e5e34d7079f75bef1cafd28696fa7156067bddadf7078d8f2
SSDeep: 6144:zYjSj5yHDhu6wpADax48AAcYnerQxLWtubVYH:zYjSshuFp4aaztkxL88qH
Size: 251392 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:1236
imeumw.exe:468
hrl1.tmp:1164
The Trojan injects its code into the following process(es):
Explorer.EXE:880
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process regsvr32.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (243 bytes)
The process imeumw.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\buc3.tmp (11010 bytes)
The process hrl1.tmp:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (11010 bytes)
%System%\imeumw.exe (1281 bytes)
Registry activity
The process regsvr32.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F5 30 FB 21 81 1F D9 CE 65 4A 5B F4 EB 8E A1"
The process hrl1.tmp:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 59 0E 2F 1D 89 B0 E9 67 7B 83 5F 6C 64 B9 40"
Dropped PE files
MD5 | File path |
---|---|
f025f5466d22ce260c3e082b55f8b8fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG |
685f1cbd4af30a1d0c25f252d399a666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsb2.tmp |
685f1cbd4af30a1d0c25f252d399a666 | c:\WINDOWS\Temp\buc3.tmp |
f025f5466d22ce260c3e082b55f8b8fc | c:\WINDOWS\system32\imeumw.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1236
imeumw.exe:468
hrl1.tmp:1164 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (243 bytes)
%WinDir%\Temp\buc3.tmp (11010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (11010 bytes)
%System%\imeumw.exe (1281 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2860 | 3072 | 3.84485 | c9b6b9fbded3d4764666702b145428d1 |
.rdata | 8192 | 2505 | 2560 | 3.36056 | 6951ee1a0ff3a7f5a44727b4713506a3 |
.data | 12288 | 672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 16384 | 243832 | 244224 | 5.43004 | 5d3bfa9fbbf2ca636128322fe0e26c69 |
.reloc | 262144 | 494 | 512 | 3.52939 | cfa8d04dd000bb30ab126902176ed40d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
regsvr32.exe_1236:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
ole32.dll
ole32.dll
regsvr32.pdb
regsvr32.pdb
_wcmdln
_wcmdln
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
Excessive # of DLL's on cmdline
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
REGSVR32.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
OleUninitialize failed.["%1" is not an executable file and no registration
Explorer.EXE_880_rwx_01F71000_00071000:
UDPSockError
UDPSockError
NMUDP
NMUDP
Errmsg
Errmsg
Port
Port
TNMUDP
TNMUDP
RemotePort
RemotePort
LocalPort
LocalPort
ReportLevelLk
ReportLevelLk
0.0.0.0
0.0.0.0
%d.%d.%d.%d
%d.%d.%d.%d
AutoHotkeys
AutoHotkeys
:].tJ
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation,0
EInvalidGraphicOperation
EInvalidGraphicOperation
KeyPreview,
KeyPreview,
WindowState
WindowState
OnKeyDown
OnKeyDown
OnKeyPressdz
OnKeyPressdz
OnKeyUp
OnKeyUp
ssHotTrack
ssHotTrack
TWindowState
TWindowState
poProportional
poProportional
TWMKey
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
vcltest3.dll
TDragOperation
TDragOperation
TKeyEvent
TKeyEvent
TKeyPressEvent
TKeyPressEvent
crSQLWait
crSQLWait
%s (%s)
%s (%s)
IMM32.DLL
IMM32.DLL
EInvalidOperation
EInvalidOperation
%s[%d]
%s[%d]
%s_%d
%s_%d
USER32.DLL
USER32.DLL
comctl32.dll
comctl32.dll
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
kernel32.dll
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
explorer.exe
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
*.TMP
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
readbook.exe
readbook.exe
rundll32.exe
rundll32.exe
*.exe
*.exe
*.scr
*.scr
UdpT
UdpT
UdpOnDataReceived
UdpOnDataReceived
xxtype.cpp
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Inappropriate I/O control operation
Broken pipe
Broken pipe
Operation not permitted
Operation not permitted
%H:%M:%S
%H:%M:%S
%m/%d/%y
%m/%d/%y
%A, %B %d, %Y
%A, %B %d, %Y
d/d/d d:d:d.d
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
ReportLevel
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyExA
RegFlushKey
RegFlushKey
SetViewportOrgEx
SetViewportOrgEx
ActivateKeyboardLayout
ActivateKeyboardLayout
EnumThreadWindows
EnumThreadWindows
EnumWindows
EnumWindows
GetKeyNameTextA
GetKeyNameTextA
GetKeyState
GetKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardState
GetKeyboardType
GetKeyboardType
LoadKeyboardLayoutA
LoadKeyboardLayoutA
MapVirtualKeyA
MapVirtualKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
VprK|%Ud
VprK|%Ud
€00404
€00404
8 @ @ @ @ @
8 @ @ @ @ @
.text
.text
`.data
`.data
.idata
.idata
@.edata
@.edata
@.rsrc
@.rsrc
@.reloc
@.reloc
70"!(&&$
70"!(&&$
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Win32 Error. Code: %d.
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Invalid data type for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
Alt Clipboard does not support Icons
!Control '%s' has no parent window
!Control '%s' has no parent window
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Ancestor for '%s' not found
Ancestor for '%s' not found
Unsupported clipboard format
Unsupported clipboard format
Class %s not found
Class %s not found
Resource %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
A class named %s already exists
Cannot assign a %s to a %s
Cannot assign a %s to a %s
Cannot create file %s
Cannot create file %s
Cannot open file %s
Cannot open file %s