Detections: not-a-virus:HEUR:AdWare.Win32.AdLoad.heur (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fc4d25972acadcae51348feb7c711c5f
SHA1: 42acf0d5617280b8618c911292f0ae388cb711e8
SHA256: 858db4e31fdfb3536ec413f43d677e740acdb3a1127f622da604614a09f8a174
SSDeep: 98304:z4J4DQILVFYWL7mNMG/RYglabbK9lpSyElvALLeK4krycBGFOxYq8FNw/:z4JLUdL7mN/ZYglabb l5EJAneLKuJNk
Size: 6217725 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es): the report template records "No processes have been created" and then lists the processes below as code-injection targets. The file activity that follows shows they are not injection targets but the three stages of an NSIS dropper chain, each unpacked by the previous stage and run as a separate process (stage order, top to bottom):
%original file name%.exe:668
gKvx9Vb2eO.exe:1724 (unpacked by stage 1 into Local Settings\Temp\nsp2.tmp)
cpSetup.exe:1624 (unpacked by stage 2 into Local Settings\Temp\nsj4.tmp; the only stage that touches the IE cache, consistent with it being the one that makes the cloudfront.net requests listed under Network Activity)
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process cpSetup.exe:1624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004582e.a (1731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004532d.a (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0JP3NNO3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EYJ5XCEM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TWQ30O7D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y2SW6UK6\desktop.ini (67 bytes)
The process gKvx9Vb2eO.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\cpSetup.exe (12184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\1157049897 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsArray.dll (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\S (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\gKvx9Vb2eO.exe (9068 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)
Registry activity
The process cpSetup.exe:1624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG "Seed", the Shell Folders entries and the Internet Settings\Cache paths are side-effects of the process using CryptoAPI and WinINet, not persistence mechanisms; the DirectDraw\MostRecentApplication and MUICache entries are likewise written by the OS when the program runs):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A B4 70 9C 7F E6 CA F5 89 60 28 0C FE AE 89 7F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1454521114"
"Name" = "cpSetup.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
The Trojan modifies IE settings for security zones so that sites which bypass the proxy server are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones so that UNC network paths are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones so that dotless host names not assigned to any other zone are mapped to the Intranet Zone:
"IntranetName" = "1"
These three values widen the Local Intranet zone, which runs with weaker security settings than the Internet zone. They are also exactly what Internet Explorer writes when the Intranet zone is left in its default automatic-detection mode, so on their own they are weak evidence of tampering; read them together with the Content.IE5 cache writes above as a sign that this stage downloaded through WinINet.
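To check a live machine for the three ZoneMap switches listed above, export the key with `reg export` and audit the file offline. The script below is an added example, not part of the Lavasoft report or the sample; it parses the DWORD values from a .reg export and names what each switch does. SAMPLE_REG is a constructed export that mirrors the report's values, not data captured from the sample, and the registry path is spelled out as `reg export` writes it rather than with the report's HKCU abbreviation.

```python
r"""Audit an exported Internet Explorer ZoneMap for the three "treat as Intranet"
switches the report lists under cpSetup.exe.

Added example, not part of the Lavasoft report. It reads the output of
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg
(reg export writes UTF-16LE with a BOM). SAMPLE_REG below is constructed to mirror
the values in the report; it is not data captured from the sample.
"""
import re
import sys

# reg export spells the hive out; the report abbreviates it as HKCU.
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap")

# Value name -> what a DWORD 1 means (the matching Local Intranet zone checkbox
# in Internet Options). All three widen the Intranet zone, which runs with
# weaker security settings than the Internet zone.
INTRANET_SWITCHES = {
    "ProxyBypass": "sites that bypass the proxy server are placed in the Local Intranet zone",
    "UNCAsIntranet": "UNC network paths (\\\\server\\share) are placed in the Local Intranet zone",
    "IntranetName": "dotless host names not assigned to another zone are placed in the Local Intranet zone",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def decode_reg_export(data: bytes) -> str:
    """reg export writes UTF-16LE with a BOM; older tools may write ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax that matters here: key headers and DWORD values.

    Returns {key_path: {value_name: int}}. String and binary values are skipped.
    """
    tree: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = int(m.group(2), 16)
    return tree


def zonemap_findings(tree: dict) -> list:
    """Return one line per switch that is set to 1 under the user's ZoneMap key."""
    values = tree.get(ZONEMAP_KEY, {})
    return [f"{name}=1: {meaning}"
            for name, meaning in INTRANET_SWITCHES.items()
            if values.get(name) == 1]


# Constructed sample mirroring the report's values; AutoDetect is included as a
# value the audit should parse but not flag.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    f"[{ZONEMAP_KEY}]\r\n"
    '"ProxyBypass"=dword:00000001\r\n'
    '"UNCAsIntranet"=dword:00000001\r\n'
    '"IntranetName"=dword:00000001\r\n'
    '"AutoDetect"=dword:00000001\r\n'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real export: python zonemap_audit.py zonemap.reg
        with open(sys.argv[1], "rb") as fh:
            tree = parse_reg(decode_reg_export(fh.read()))
    else:                  # no file given: audit the constructed sample
        tree = parse_reg(SAMPLE_REG)
    for finding in zonemap_findings(tree) or ["no Intranet-widening switches set"]:
        print(finding)
```

Run it against a real export with `python zonemap_audit.py zonemap.reg`; with no argument it audits the constructed sample and reports all three switches. Because these values are also IE's automatic-detection defaults, a hit is a prompt to look at the rest of the host (the Temp\ns*.tmp directories and the cloudfront.net hosts listed below), not a verdict by itself.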
The process gKvx9Vb2eO.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the MountPoints2 "BaseClass" entries, here and under the next process, are written by the Windows shell when a process enumerates drives and are not malware logic):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 C2 B9 66 A4 D2 15 A5 BF D7 10 85 43 E3 6F 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 D5 FB AE 96 CD 3F CB 62 F2 F9 0F A3 B3 F0 17"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
The byte counts in the file-activity lists above are evidently bytes written while the sandbox was watching, not final file sizes: NSISdl.dll, System.dll and nsArray.dll are hashed below as PE files and cannot be 6 to 15 bytes long.
MD5 | File path |
---|---|
f60e597323c2fe854ba7879beb425cc9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0004532d.a |
c3ce6975ba30faf1daec06c9d1f71d92 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0004582e.a |
7caaf58a526da33c24cbe122e7839693 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj4.tmp\NSISdl.dll |
4b5c06a4c37a7f1efc4dcb1d26363ba7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj4.tmp\cpSetup.exe |
89d40ecddf3ce6f3b0e6a84f40936912 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj4.tmp\nsArray.dll |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\NSISdl.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\System.dll |
c0c21cf3f40d2a5703f9b790d38b665a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\gKvx9Vb2eO.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): the report template says "No processes have been created", but the three processes observed during analysis are %original file name%.exe, gKvx9Vb2eO.exe and cpSetup.exe; end any of them that is still running.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004582e.a (1731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004532d.a (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0JP3NNO3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EYJ5XCEM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TWQ30O7D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y2SW6UK6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\cpSetup.exe (12184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\1157049897 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\S (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\gKvx9Vb2eO.exe (9068 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 233472 | 47384 | 47616 | 3.47357 | b19867e5d06bc11c2a9eeafb589aaf2f |
The five sections account for about 78 KB of raw data in a 6,217,725-byte file, and .ndata (NSIS's uninitialised data section) has no raw data at all: this is a standard NSIS installer whose compressed script and payload sit in the overlay appended after the last section, which is where gKvx9Vb2eO.exe (and, one stage down, cpSetup.exe) are unpacked from. That high-entropy overlay, rather than a runtime packer, is what the "Entropy: Packed" verdict is measuring.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=4251180&pid=1505&n=WW91ciB1bmluc3RhbGxlciBwcm8gNy41IDIwMTQgMDMuMjAxNCDQoNChIHJlcGFjayBbMTMwNjE1QkFQXQ==&b_typ=pe | |
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=4251180&pid=1505&b_typ=pe&reb=1&name | |
No IP addresses were recorded for either host. The second URL was recovered from a memory string that runs on into non-text bytes; the rest of that string, and the fragments that followed it in the dump, are the query-parameter templates the stub uses to assemble its requests. With the repeats removed they are:
&tid&pid&b_typ&reb&name
&pid&tid&b_typ&n&reb&ic
&appTitle&s1&s2&setupName&appVersion&instId
&d&l&dynamicname&filename&exeurl
&ts&con&prl&d1&d2&monitor&z2&ci&appsetupurl&prefix&instid&affiliateid&productname&producturl&productimage&productversion&producteula&productsize&productcmd&publishercontact&productbusiness&antivirusPolicy&subid&subid2
&aff_id&source&aff_sub&aff_sub2&aff_sub3&aff_sub4&aff_sub5&url&trackingId&instId&ho_trackingid&cc&cc_typ&sb&wv&db
&trackingId&instId&ho_trackingid&cc&cc_typ&sb&wv&db
&instId&ho_trackingid&trackingId&cc&id (the "&id" element is repeated dozens of times in the dump)
Parameter names such as aff_id, affiliateid, productcmd, producteula and antivirusPolicy are what a pay-per-install affiliate bundler sends to its backend, which is consistent with the AdLoad and StartPage detection names in the header.
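The first URL carries the bundler's telemetry in plain query parameters, and its `n` parameter has the shape of base64. The script below is an added example, not part of the Lavasoft report: it refangs the two report URLs, splits out the parameters, and decodes any parameter that is valid base64 carrying printable text, which recovers the lure name the installer was posing as. That `n` is base64 is inferred from its form and confirmed by the decode, not stated anywhere in the report; the URLs are copied from the report as-is and nothing here contacts the network.

```python
r"""Decode the bundler telemetry URLs listed under Network Activity.

Added example, not part of the Lavasoft report. REPORT_URLS are copied from the
report (kept defanged as hxxp://); that the 'n' parameter is base64 is inferred
from its shape and confirmed by the decode, not stated in the report. Nothing
here contacts the network.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

REPORT_URLS = [
    "hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=4251180&pid=1505"
    "&n=WW91ciB1bmluc3RhbGxlciBwcm8gNy41IDIwMTQgMDMuMjAxNCDQoNChIHJlcGFjayBbMTMwNjE1QkFQXQ==&b_typ=pe",
    "hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php"
    "?program=sevenzip&tid=4251180&pid=1505&b_typ=pe&reb=1&name",
]

# Shortest value worth trying: short tokens such as "1505" are valid base64
# by accident and can decode to junk that happens to be valid UTF-8.
MIN_B64_LEN = 16


def refang(url: str) -> str:
    """Undo the report's hxxp:// defanging so the standard parser accepts it."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def try_base64_text(value: str):
    """Return the decoded text if value is base64 carrying printable text, else None."""
    if len(value) < MIN_B64_LEN:
        return None
    try:
        raw = base64.b64decode(value, validate=True)  # reject non-alphabet characters
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def decode_report_url(url: str) -> dict:
    """Split a report URL into host, path, flat query parameters and any
    parameters that carried base64-encoded text."""
    parts = urlsplit(refang(url))
    # keep_blank_values=True so the dangling "&name" (no '=') survives as name="".
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    decoded = {}
    for k, v in params.items():
        text = try_base64_text(v)
        if text is not None:
            decoded[k] = text
    return {"host": parts.hostname, "path": parts.path, "params": params, "decoded": decoded}


def network_iocs(urls=REPORT_URLS) -> dict:
    """Hosts plus the affiliate/tracking identifiers shared across the requests."""
    decoded = [decode_report_url(u) for u in urls]
    return {
        "hosts": sorted({d["host"] for d in decoded}),
        "tid": sorted({d["params"]["tid"] for d in decoded if "tid" in d["params"]}),
        "pid": sorted({d["params"]["pid"] for d in decoded if "pid" in d["params"]}),
    }


if __name__ == "__main__":
    for u in REPORT_URLS:
        info = decode_report_url(u)
        print(info["host"], info["path"])
        for k, v in info["params"].items():
            shown = f"{v!r} -> {info['decoded'][k]!r}" if k in info["decoded"] else repr(v)
            print(f"  {k} = {shown}")
    print(network_iocs())
```

The decoded `n` value is the title of a cracked-software lure ("Your uninstaller pro 7.5 ... repack ..."), and `tid`/`pid` are the same affiliate and campaign identifiers in both requests; together with the two cloudfront.net hosts these are the indicators worth adding to proxy and DNS logs, since the hosts are CDN distributions and the identifiers are what distinguish this campaign from other traffic to the same CDN.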