Trojan.Generic.15104972 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4ffa97f5972cbf28ec4d90806d7cb119
SHA1: 76f9edc21e8c3bce2404fd0a2ad9f30ff6f214d1
SHA256: 7d4970e6fe1455a3dabcc4446df9e578444ebb99f1ea23ae2bfe8c8f6f4732eb
SSDeep: 98304:oHxYuAE3lETDFakzAwMmKLV0ijyoYC6vPMoiMxzqqpo4K:oHWjymDFRMaTTvPmYzo4K
Size: 3721984 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-07-14 20:04:59
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1756
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDEFCHYB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPAZ49AZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ip.qq[1].txt (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1QRG12V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXQRWTMJ\desktop.ini (67 bytes)
C:\data.ini (51 bytes)
Registry activity
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 F0 15 DD 26 F9 60 F2 C9 B9 3D 5C E2 80 1E EA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]