Skip to main content

Trojan.GenericKD.2157264_e7a3330b78


Trojan.Win32.IRCbot.fhk (Kaspersky), Trojan.Win32.Injector (A) (Emsisoft), Trojan.GenericKD.2157264 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun, IRCBot

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: e7a3330b78419cb72f8a3b05281cfcd1

SHA1: cdfc94b3cbcfb8a23f2fd74ed03ce5e6e135ed13

SHA256: 3024b852d3e472edf4fe27b510f03645374ed1b7cdc525393d25bb8847176e47

SSDeep: 12288:ytb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaJTaqg6A:ytb20pkaCqT5TBWgNQ7aNaqg6A

Size: 904704 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: PublicationBrowserApps

Created at: 2015-02-10 04:24:56

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBotA bot can communicate with command and control servers via IRC channel.


Process activity

The Trojan creates the following process(es):

vbc.exe:1664
rundll32.exe:1804
%original file name%.exe:1288

The Trojan injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1288 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\r2.oc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.c (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\r.oc (532 bytes)
%Documents and Settings%\%current user%\Application Data\svchost (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

Registry activity

The process vbc.exe:1664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 8B 54 F4 ED 81 14 74 CA 88 58 3C 8C 3E 48 B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"

The process rundll32.exe:1804 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 94 58 26 4A B9 4C 6B 4A 66 E9 71 60 41 C6 0D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE" = "WordPad"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows Media Player]
"wmplayer.exe" = "Windows Media Player"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"NOTEPAD.EXE" = "Notepad"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\VMware\VMware Tools]
"VMwareHostOpen.exe" = "Default Host Application"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"mspaint.exe" = "Paint"

The process %original file name%.exe:1288 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 9F 7F 89 25 BF 68 8E 99 89 60 64 A5 D0 33 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shell32.dll" = "Windows Shell Common Dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "c:\%original file name%.exe"

Dropped PE files

MD5 File path
c1d7a29bf0f5af1a2e6744160b0c0ce8c:\Documents and Settings\"%CurrentUserName%"\Application Data\apocsec

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    vbc.exe:1664
    rundll32.exe:1804
    %original file name%.exe:1288

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\r2.oc (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\s.c (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\r.oc (532 bytes)
    %Documents and Settings%\%current user%\Application Data\svchost (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1764 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "svchost.exe" = "c:\%original file name%.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40965707035708804.63051f437a6545e938612764dbb0a314376fc
.rdata5775361833621838083.99959827ffd24759e8e420890ecf164be989e
.data76185640276250881.38816e0a519f8e3a35fae0d9c2cfd5a4bacfc
.rsrc80281681356814084.881418ed059a3c2c7487fc5d78da9daed933c
.reloc88473642100424963.635850bc98f8631ef0bde830a7f83bb06ff08

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_1804:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s

Explorer.EXE_1572_rwx_00FF0000_0000E000:

.data

.data

.idata

.idata

.rsrc

.rsrc

@.reloc

@.reloc

Successfully Killed And Removed Malicious File: "%s"

Successfully Killed And Removed Malicious File: "%s"

Usage: %s IP PORT DELAY LENGTH

Usage: %s IP PORT DELAY LENGTH

Failed To Start Thread: "%d"

Failed To Start Thread: "%d"

Failed: "%d"

Failed: "%d"

Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]

Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]

Filed To Visit: "%s"

Filed To Visit: "%s"

Successfully Visited: "%s"

Successfully Visited: "%s"

%s #%s

%s #%s

%s %s

%s %s

Running From: "%s"

Running From: "%s"

[%s][%s] - "%s"

[%s][%s] - "%s"

{%s}: %s

{%s}: %s

Successfully Executed Process: "%s"

Successfully Executed Process: "%s"

Failed To Create Process: "%s", Reason: "%d"

Failed To Create Process: "%s", Reason: "%d"

Successfully Downloaded File To: "%s"

Successfully Downloaded File To: "%s"

Downloading File: "%s"

Downloading File: "%s"

hXXp://api.wipmania.com/

hXXp://api.wipmania.com/

JOIN

JOIN

NICK

NICK

PRIVMSG

PRIVMSG

AryaN{%s-%s-x%d}%s

AryaN{%s-%s-x%d}%s

New{%s-%s-x%d}%s

New{%s-%s-x%d}%s

%s "" "%s" :%s

%s "" "%s" :%s

%s %s :[AryaN]: %s

%s %s :[AryaN]: %s

%s %s %s

%s %s %s

Finished Flooding "%s:%d"

Finished Flooding "%s:%d"

Terminated UDP Flood Thread

Terminated UDP Flood Thread

%d%d%d%d%d%d%d%d

%d%d%d%d%d%d%d%d

Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds

Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds

LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files

LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files

AutoRun Infected Removable Device: "%s\"

AutoRun Infected Removable Device: "%s\"

j[YPSSh

j[YPSSh

SSSSh

SSSSh

VSSSh

VSSSh

udp.stop

udp.stop

join

join

199.115.228.8

199.115.228.8

apocsec.net

apocsec.net

MSVCRT.dll

MSVCRT.dll

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

WS2_32.dll

WS2_32.dll

SHLWAPI.dll

SHLWAPI.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll

ole32.dll

ole32.dll

PSAPI.DLL

PSAPI.DLL

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

%userprofile%

%userprofile%

%s\removethis_%d%d%d.exe

%s\removethis_%d%d%d.exe

%temp%\oldfile.exe

%temp%\oldfile.exe

Mozilla/5.0 (compatible)

Mozilla/5.0 (compatible)

%s\%d%d%d.exe

%s\%d%d%d.exe

explorer.exe

explorer.exe

Kernel32.dll

Kernel32.dll

%s-deadlock

%s-deadlock

%s\SysWOW64

%s\SysWOW64

advapi32.dll

advapi32.dll

comsupp.dll

comsupp.dll

shell32.dll

shell32.dll

wininet.dll

wininet.dll

shlwapi.dll

shlwapi.dll

dnsapi.dll

dnsapi.dll

user32.dll

user32.dll

ws2_32.dll

ws2_32.dll

psapi.dll

psapi.dll

Ole32.dll

Ole32.dll

kernel32.dll

kernel32.dll

msvcrt.dll

msvcrt.dll

dwm.exe

dwm.exe

alg.exe

alg.exe

csrss.exe

csrss.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%s-readfile

%s-readfile

cmd.exe

cmd.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

%temp%\deletethis.exe

%temp%\deletethis.exe

Removable_Drive.exe

Removable_Drive.exe

%s\{%s-%s}

%s\{%s-%s}

/k "%s" Open %s

/k "%s" Open %s

%windir%\System32\cmd.exe

%windir%\System32\cmd.exe

%s\Removable_Drive.exe

%s\Removable_Drive.exe

%s\%s

%s\%s

%s\%s.lnk

%s\%s.lnk

icon=Shell32.dll,7

icon=Shell32.dll,7

shell\open\Command=%s

shell\open\Command=%s

open=%s

open=%s

shell\explore\Command=%s

shell\explore\Command=%s

%s\autorun.inf

%s\autorun.inf

%Documents and Settings%\%current user%\Application Data\apocsec

%Documents and Settings%\%current user%\Application Data\apocsec

%WinDir%\Microsoft.NET\Framework\v3.5\vbc.exe

%WinDir%\Microsoft.NET\Framework\v3.5\vbc.exe