Trojan.Win32.DNSChanger.ueb (Kaspersky), DeepScan:Generic.Zlob.7.1FED44BB (B) (Emsisoft), DeepScan:Generic.Zlob.7.1FED44BB (AdAware), Trojan.NSIS.StartPage.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4b61bfb74b4518d0733aa550c6fc7f0b
SHA1: 940e255e7f360235b33282e0b0a4aa600b9cd681
SHA256: f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4
SSDeep: 3072:nbLpZuEskJoU4CqQ1LNALc9gWhQh22c4uSiDmXy3PnHbhEdILWoja4jbeRmotu:nbOOxBdNeczhQk4Til/nHF/jFjimH
Size: 197913 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PC Utilities Software Limited
Created at: 2006-07-01 21:05:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The DeepScan creates the following process(es):
02.exe:312
UnRAR.exe:896
01.exe:1952
The DeepScan injects its code into the following process(es):
imapi.exe:1992
%original file name%.exe:1336
vmacthlp.exe:940
csrss.exe:692
winlogon.exe:724
services.exe:768
lsass.exe:780
Explorer.EXE:884
svchost.exe:952
svchost.exe:1056
svchost.exe:1144
svchost.exe:1244
svchost.exe:1364
spoolsv.exe:1468
jqs.exe:1620
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1336 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UnRAR.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (6357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.rar (1552 bytes)
The DeepScan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UnRAR.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.rar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\01.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\02.exe (0 bytes)
The process UnRAR.exe:896 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\02.exe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\01.exe (2064 bytes)
The process 01.exe:1952 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
%System%\kdgxy.exe (63 bytes)
Registry activity
The process %original file name%.exe:1336 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 67 8C 76 D3 A1 7F 4E D0 20 79 FB 4E E2 0C E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 02.exe:312 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer" = "85.255.116.78 85.255.112.227"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E1070104-F404-44CE-B556-0622F9D63EE5}]
"NameServer" = "85.255.116.78,85.255.112.227"
"DhcpNameServer" = "85.255.116.78,85.255.112.227"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BF770B77-F559-4142-BC28-45811EFECA81}]
"NameServer" = "85.255.116.78,85.255.112.227"
"DhcpNameServer" = "85.255.116.78,85.255.112.227"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer" = "85.255.116.78 85.255.112.227"
The process 01.exe:1952 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F6 BF 8F 48 08 D4 EE 28 6E 77 E1 E3 2D 3C F1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System" = "kdgxy.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Dropped PE files
MD5 | File path |
---|---|
03a1a9be1f1e72f926ec9161825eedd6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp3.tmp\nsExec.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The DeepScan installs the following user-mode hooks in ntdll.dll:
ZwSetValueKey
NtQueryDirectoryFile
ZwDeleteValueKey
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
02.exe:312
UnRAR.exe:896
01.exe:1952
- Delete the original DeepScan file.
- Delete or disinfect the following files created/modified by the DeepScan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UnRAR.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (6357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.rar (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\02.exe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\01.exe (2064 bytes)
%System%\kdgxy.exe (63 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23100 | 23552 | 4.43358 | 6f78fc1de8f5f67eabee63c82d06fe57 |
.rdata | 28672 | 4338 | 4608 | 3.50085 | 8e200768cddae49a4df8d340f3025521 |
.data | 36864 | 112660 | 1024 | 3.55915 | 709e767046a1d70f97c766d422853f45 |
.ndata | 151552 | 36864 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 188416 | 16888 | 16896 | 4.07739 | 6df8fb32068a79617c01c24b97d89205 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 19
3ffb3336d9384d41f0bac4c2b8d82e3f
2075a2654dd5b81d14a2a4eeed09a2d2
aa70890f8e5014db307ca3f08acb9797
11d8462b2b9525de37655407917e8a0c
cd541dbf34f9c0c0291ed04e69ca52a2
f58210eb23b46b33f2b3a7e58d191eeb
6d7962ba73746e39c007c97a4c1b4220
702590e673c626d5d43bd3651a8228eb
12a0b976982e5eff5d5c60493887676f
1b83f559e47d3f367300f6630e87741e
0b3565b87640fa94b1c98f4023d645a4
b8f08b83773467cec410800ab024d10f
ed5efac45ea5977cb23871b5e5c7ad84
23ead42a8992207ac7942b32ff639ccb
87addd642f325e0bdc04ee1b85defd52
657f1c97025339c3bf80da2209308123
bb030a70df5cbbd7da0a5cd1676821c3
c4bb89c7082f18edb3c894754fe9ccf8
7ba53e066ca765e0b9e4e6855e7baae6
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The DeepScan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1336:
.text
`.rdata
@.data
.ndata
.rsrc
t%SPV
tDSSh
shlwapi.dll
.DEFAULT\Control Panel\International
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
%s %s
... %d%%
verifying installer: %d%%
unpacking data: %d%%
Au_.exe
~nsu.tmp\
RichEd20.dll
%u.%u%s%s
\wininit.ini
%s=%s
%Program Files%
Software\Microsoft\Windows\CurrentVersion
*?|/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\modern-header.bmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
adm\LOCALS~1\Temp\nsp3.tmp\modern-header.bmp
StartMenu.dll
%7XXZUVZVWZZX%
&&,%/*--30,&
>(*?0%%/
%,,,,%