Trojan.Win32.IRCbot.fhk (Kaspersky), Trojan.Win32.Injector (A) (Emsisoft), Trojan.GenericKD.2157264 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e7a3330b78419cb72f8a3b05281cfcd1
SHA1: cdfc94b3cbcfb8a23f2fd74ed03ce5e6e135ed13
SHA256: 3024b852d3e472edf4fe27b510f03645374ed1b7cdc525393d25bb8847176e47
SSDeep: 12288:ytb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaJTaqg6A:ytb20pkaCqT5TBWgNQ7aNaqg6A
Size: 904704 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: PublicationBrowserApps
Created at: 2015-02-10 04:24:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
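The IRC check-in described in the table, as an added detection example that is not part of the Lavasoft report: a minimal IRC line parser plus the three checks a detection engineer would derive from the strings recovered from the injected code later on this page (NICK values built from the "AryaN{%s-%s-x%d}%s" / "New{%s-%s-x%d}%s" format, PRIVMSG status lines carrying the "[AryaN]:" tag, and the "udp.stop" command word). The capture lines are constructed; the channel name, the operator's hostmask and the exact nick contents are assumptions, only the format strings come from the page.

```python
"""Spot IRC bot check-ins in a text export of captured traffic.

Added example, not code from the report or from the bot.  The only
page-derived facts are the nick format "AryaN{%s-%s-x%d}%s" / "New{...}",
the "[AryaN]:" status tag and the "udp.stop" command; everything else
(channel, hostmask, nick contents) is a constructed assumption.
"""
import re

# From "AryaN{%s-%s-x%d}%s": a brace group ending in "-x<digits>".
NICK_PATTERN = re.compile(r"^(AryaN|New)\{[^}]*-x\d+\}")
STATUS_TAG = re.compile(r"\[AryaN\]:")      # from "%s %s :[AryaN]: %s"
BOT_COMMANDS = {"udp.stop"}                 # command word present in the dump


def parse_irc(line):
    """Split one IRC protocol line into (prefix, COMMAND, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def scan_irc(lines):
    """Return (rule, evidence) alerts for lines that look like this bot family."""
    alerts = []
    for line in lines:
        _, cmd, params = parse_irc(line.rstrip("\r\n"))
        if cmd == "NICK" and params and NICK_PATTERN.match(params[0]):
            alerts.append(("bot-nick", params[0]))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            text = params[-1]
            words = text.split()
            if STATUS_TAG.search(text):
                alerts.append(("bot-status", text))
            elif words and words[0].lower() in BOT_COMMANDS:
                alerts.append(("bot-command", text))
    return alerts


# Constructed capture: one bot check-in, one operator command, one bot
# status reply, and two lines of ordinary chat that must not alert.
SAMPLE_CAPTURE = [
    "NICK AryaN{US-XP-x86}abcd1234",
    "USER abcd 0 0 :abcd",
    "JOIN #channel",
    ":op!op@apocsec.net PRIVMSG #channel :udp.stop",
    "PRIVMSG #channel :[AryaN]: Terminated UDP Flood Thread",
    ":alice!a@example.org PRIVMSG #channel :hello everyone",
    "NICK alice",
]

if __name__ == "__main__":
    for rule, evidence in scan_irc(SAMPLE_CAPTURE):
        print(f"{rule:12s} {evidence}")
```

The parser handles the prefix and trailing-parameter forms of the IRC grammar, so the same checks work on either direction of the conversation; the nick regex anchors on the brace group and the "-x<digits>" suffix rather than on a specific country or OS string, because those fields are filled in at run time.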
Process activity
The Trojan creates the following process(es):
vbc.exe:1664
rundll32.exe:1804
%original file name%.exe:1288
The Trojan injects its code into the following process(es):
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\r2.oc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.c (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\r.oc (532 bytes)
%Documents and Settings%\%current user%\Application Data\svchost (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
Registry activity
The process vbc.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 8B 54 F4 ED 81 14 74 CA 88 58 3C 8C 3E 48 B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
The process rundll32.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 94 58 26 4A B9 4C 6B 4A 66 E9 71 60 41 C6 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE" = "WordPad"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows Media Player]
"wmplayer.exe" = "Windows Media Player"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"NOTEPAD.EXE" = "Notepad"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\VMware\VMware Tools]
"VMwareHostOpen.exe" = "Default Host Application"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"mspaint.exe" = "Paint"
The process %original file name%.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 9F 7F 89 25 BF 68 8E 99 89 60 64 A5 D0 33 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shell32.dll" = "Windows Shell Common Dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan changes the Internet Explorer security-zone mapping so that local (intranet) sites not listed in any other zone are treated as Intranet Zone sites:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
In the same key it maps all network (UNC) paths to the Intranet Zone:
"UNCAsIntranet" = "1"
and all sites that bypass the proxy server to the Intranet Zone:
"ProxyBypass" = "1"
The Intranet Zone has a lower default security level than the Internet Zone, so these three settings widen the set of content the browser trusts.
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "c:\%original file name%.exe"
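The registry activity above can be triaged mechanically. The following is an added example, not part of the Lavasoft report: it reads entries in the same "[key]" / "name" = "value" layout the report uses and applies three checks a responder would otherwise do by eye (Run-key targets in user-writable locations, Run-key names that impersonate Windows binaries without living under System32, and ZoneMap values that widen the Intranet Zone). The sample listing is constructed from the report's own entries plus one made-up benign Run entry ("Adobe Reader", an assumption) to show a clean result.

```python
"""Flag persistence and IE zone tampering in a registry activity listing.

Added example, not code from the report.  The listing format and the
malicious entries are taken from the report; the benign "Adobe Reader"
entry is a constructed assumption used as a negative control.
"""
import re

RUN_KEY = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
ZONEMAP = re.compile(r"\\Internet Settings\\ZoneMap$", re.IGNORECASE)
# Locations a non-elevated dropper can write: profile data dirs, Temp, or a drive root.
USER_WRITABLE = re.compile(
    r"(\\Application Data\\|\\AppData\\|\\Temp\\|^[a-z]:\\[^\\]+$)", re.IGNORECASE)
# Names that impersonate Windows components; the genuine ones live in %System%.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
ZONEMAP_WEAKENING = {"intranetname", "uncasintranet", "proxybypass"}
EXEC_EXT = re.compile(r"\.(exe|dll|bat|cmd|vbs|js|scr)$", re.IGNORECASE)


def parse_registry_listing(text):
    """Yield (key, name, value) from lines shaped like [key] and "name" = "value"."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]*)"\s*=\s*"(.*)"$', line)
        if key and m:
            yield key, m.group(1), m.group(2)


def check_registry(text):
    """Return (severity, message) findings for a registry activity listing."""
    findings = []
    for key, name, value in parse_registry_listing(text):
        if RUN_KEY.search(key):
            target = value.strip('"')
            if USER_WRITABLE.search(target):
                findings.append(("high", f"{key}\\{name} runs from a user-writable path: {target}"))
            if name.lower() in SYSTEM_NAMES and "\\system32\\" not in target.lower():
                findings.append(("high", f"{key}\\{name} impersonates a Windows binary but points to {target}"))
            if not EXEC_EXT.search(target):
                findings.append(("medium", f"{key}\\{name} target has no executable extension: {target}"))
        elif ZONEMAP.search(key) and name.lower() in ZONEMAP_WEAKENING and value == "1":
            findings.append(("medium", f"IE ZoneMap weakened: {name}=1 widens the Intranet Zone"))
    return findings


# Constructed listing: the report's own entries plus one benign control entry.
SAMPLE = r"""[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 8B 54 F4 ED 81 14 74 CA 88 58 3C 8C 3E 48 B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "C:\Program Files\Adobe\Reader\reader_sl.exe"
"""

if __name__ == "__main__":
    for severity, message in check_registry(SAMPLE):
        print(f"[{severity}] {message}")
```

The "svchost.exe" value trips two rules at once: the name mimics a Windows service host while the target sits in the drive root, which is exactly the pattern in the Run key above.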
Dropped PE files
MD5 | File path |
---|---|
c1d7a29bf0f5af1a2e6744160b0c0ce8 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\apocsec |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
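To check removable media for this spreading technique, the following added example (not part of the Lavasoft report) parses an autorun.inf the way the worm above abuses it and reports every command Explorer would run when the drive is opened or explored, then scans a drive root for autorun.inf and .lnk files. The sample autorun.inf is constructed from the strings recovered from the injected code on this page (open=, shell\open\Command=, shell\explore\Command=, icon=Shell32.dll,7, Removable_Drive.exe); the benign autorun.inf and the temporary directory used as a stand-in for a drive root are assumptions.

```python
"""Triage autorun.inf files found on removable drives.

Added example, not code from the report.  The malicious sample content is
assembled from the strings in the injected code on this page; the benign
sample and the drive-root stand-in are constructed assumptions.
"""
import re
from pathlib import Path

# autorun.inf keys whose value is a command the shell will execute (case-insensitive).
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js|lnk)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def analyze_autorun(text):
    """Return (severity, message) findings for one autorun.inf."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS:
            findings.append(("high", f"{key}= launches '{value}'"))
        elif key == "action" and EXEC_EXT.search(value):
            findings.append(("medium", f"action= names an executable: '{value}'"))
        elif key == "icon" and value.lower().startswith("shell32.dll"):
            # A stock Windows icon makes the drive look ordinary in Explorer;
            # on its own this is only a weak indicator.
            findings.append(("low", f"icon= borrows a system icon: '{value}'"))
    return findings


def scan_drive(root):
    """Report autorun.inf findings and top-level .lnk files for one drive root."""
    root = Path(root)
    report = {"autorun": [], "lnk_files": []}
    inf = root / "autorun.inf"
    if inf.is_file():
        report["autorun"] = analyze_autorun(inf.read_text(errors="replace"))
    report["lnk_files"] = sorted(p.name for p in root.iterdir() if p.suffix.lower() == ".lnk")
    return report


# Constructed samples.
MALICIOUS_INF = r"""[autorun]
open=Removable_Drive.exe
icon=Shell32.dll,7
shell\open\Command=Removable_Drive.exe
shell\explore\Command=Removable_Drive.exe
"""
BENIGN_INF = r"""[autorun]
label=Backup
icon=backup.ico
"""

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, analyze_autorun(text))
```

Both the open= and the shell\...\Command= forms are reported because Explorer honours whichever one applies to the action the user chose (double-click versus "Explore"), so a cleaned autorun.inf that still carries either is still dangerous.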
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
vbc.exe:1664
rundll32.exe:1804
%original file name%.exe:1288
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\r2.oc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.c (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\r.oc (532 bytes)
%Documents and Settings%\%current user%\Application Data\svchost (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\apocsec (dropped PE, MD5 c1d7a29bf0f5af1a2e6744160b0c0ce8; this is the file the "apocsec" autorun values below point to)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "c:\%original file name%.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 570703 | 570880 | 4.63051 | f437a6545e938612764dbb0a314376fc |
.rdata | 577536 | 183362 | 183808 | 3.99959 | 827ffd24759e8e420890ecf164be989e |
.data | 761856 | 40276 | 25088 | 1.38816 | e0a519f8e3a35fae0d9c2cfd5a4bacfc |
.rsrc | 802816 | 81356 | 81408 | 4.88141 | 8ed059a3c2c7487fc5d78da9daed933c |
.reloc | 884736 | 42100 | 42496 | 3.63585 | 0bc98f8631ef0bde830a7f83bb06ff08 |
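The per-section entropy and MD5 columns in the table above come from walking the PE section table and hashing each section's raw bytes. The following is an added example, not part of the Lavasoft report or its tooling: a stdlib-only section-table walker that produces the same columns (virtual address, virtual size, raw size, Shannon entropy, section MD5) and applies the usual "is it packed?" heuristic that the "Entropy: Not Packed" verdict in the Summary reflects. The input is a constructed two-section stub PE built in memory (one low-entropy text-like section, one pseudo-random section); it is not the sample described on this page, and the 7.0 bits-per-byte threshold is an assumption.

```python
"""Per-section entropy from the PE section table, as in the table above.

Added example, not code from the report.  The stub PE below is built in
memory for illustration; the packed-section threshold (7.0) is an
assumption, not a value from the page.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Yield one dict per section header of a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size          # first IMAGE_SECTION_HEADER
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        raw = blob[rawptr:rawptr + rawsize]
        yield {
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
        }
        off += 40                                # sizeof(IMAGE_SECTION_HEADER)


def looks_packed(sections, threshold=7.0):
    """Packed or encrypted code usually shows up as a large near-random section."""
    return any(s["entropy"] >= threshold and s["raw_size"] >= 4096 for s in sections)


def build_stub_pe(sections):
    """Constructed input: MZ stub, PE signature, COFF header, empty optional header,
    section table, then raw section data at 0x200 file alignment."""
    hdr_len = 0x40 + 4 + 20 + 40 * len(sections)
    rawptr = (hdr_len + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        padded = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(padded), rawptr + len(body),
                             0, 0, 0, 0, 0x60000020)
        body += padded
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    header = dos + b"PE\0\0" + coff + table
    return header + b"\0" * (rawptr - len(header)) + body


# Constructed sections: repetitive text-like bytes and a pseudo-random blob.
TEXT_BYTES = b"mov eax, 1; ret\n" * 256                                   # 4096 bytes
RANDOM_BYTES = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8192 bytes
SAMPLE_PE = build_stub_pe([(b".text", TEXT_BYTES), (b".packed", RANDOM_BYTES)])

if __name__ == "__main__":
    secs = list(pe_sections(SAMPLE_PE))
    print("Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5")
    for s in secs:
        print(f"{s['name']} | {s['virtual_address']} | {s['virtual_size']} | "
              f"{s['raw_size']} | {s['entropy']} | {s['md5']}")
    print("looks packed:", looks_packed(secs))
```

Section entropies in the 4 to 5 range, like the .text and .rsrc values above, are typical of plain compiled code and resources; a large section at or near 8 bits per byte is what a packer or an embedded encrypted payload produces, and that is the condition looks_packed tests for.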
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1804 (these strings belong to the stock Windows XP SP3 rundll32.exe, build 5.1.2600.5512, including its rundll32.pdb symbol path; no bot code was recovered from this dump):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Explorer.EXE_1572_rwx_00FF0000_0000E000:
This injected region holds the bot's own code. Its strings show an IRC bot (JOIN/NICK/PRIVMSG, nick format AryaN{%s-%s-x%d}%s, status replies tagged [AryaN]) with UDP-flood, download-and-execute and visit-URL (SHOW/HIDE) commands; spreading to removable drives through autorun.inf (open=, shell\open\Command=, shell\explore\Command=, icon=Shell32.dll,7) and .lnk files that run cmd.exe /k "%s" Open %s; persistence under the Run keys; a geolocation lookup against api.wipmania.com; an IRC server at apocsec.net / 199.115.228.8; the dropped file path %Application Data%\apocsec; and the path of %WinDir%\Microsoft.NET\Framework\v3.5\vbc.exe, the vbc.exe:1664 process that wrote the "apocsec" Run values above. The server name and IP appear only in these strings; the Network Activity section above records no connections during the run.
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %s
Successfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%s
New{%s-%s-x%d}%s
%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
udp.stop
join
199.115.228.8
apocsec.net
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}
/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
%Documents and Settings%\%current user%\Application Data\apocsec
%WinDir%\Microsoft.NET\Framework\v3.5\vbc.exe