HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 29610c51f484f228459ddc100d5946d4
SHA1: d287951a2350b55c9a2eca320c5493082ac5485f
SHA256: 207edcef0505dabf3e89d578a5a48075f04b06edc714ab6c901240f9373022b4
SSDeep: 24576:fv2G91vtjLSHzeFR/JptuK9EFZEEJupJ5 SCT9sH162Ew7BLUehMcDrI2vVLKI1k:np3vtPoKntuKKev1CBsLNLJM 02dx1
Size: 1428480 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-04 22:18:21
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
d6zkSXv2h4AYN7BR.exe:1048
The Trojan injects its code into the following process(es):
%original file name%.exe:244
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe (3737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wDeyrXy4QzQG4ele (8 bytes)
%Documents and Settings%\%current user%\Application Data\Reader\jdwI0UhRtqkN.exe (8657 bytes)
%System%\drivers\etc\hosts (832 bytes)
The process d6zkSXv2h4AYN7BR.exe:1048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (5312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-wizard.bmp (5520 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A8 D9 1C 51 92 94 F2 C4 13 D6 EA 45 AE AD 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"d6zkSXv2h4AYN7BR.exe" = "d6zkSXv2h4AYN7BR"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%current user%\Application Data\Reader\jdwI0UhRtqkN.exe,explorer.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process d6zkSXv2h4AYN7BR.exe:1048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE FF A2 84 0F BC A1 F7 B0 61 62 B5 18 7A 32 4F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 82c19fdc6bb7c16167a0dc72a27e573b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 1566 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | virustotal.com |
| 127.0.0.1 | razorscanner.com |
| 127.0.0.1 | scan.majyx.net |
| 127.0.0.1 | nodistribute.com |
| 127.0.0.1 | virusscan.jotti.org |
| 127.0.0.1 | anubis.iseclab.org |
| 127.0.0.1 | novirusthanks.org |
| 127.0.0.1 | virscan.org |
| 127.0.0.1 | metascan.org |
| 127.0.0.1 | metascan-online.com |
| 127.0.0.1 | virus-trap.org |
| 127.0.0.1 | viruschief.com |
| 127.0.0.1 | xcscanner.com |
| 127.0.0.1 | malwr.com |
| 127.0.0.1 | www.virustotal.com |
| 127.0.0.1 | www.xcscanner.com |
| 127.0.0.1 | www.razorscanner.com |
| 127.0.0.1 | www.scan.majyx.net |
| 127.0.0.1 | www.nodistribute.com |
| 127.0.0.1 | www.virusscan.jotti.org |
| 127.0.0.1 | www.viruschief.com |
| 127.0.0.1 | www.metascan-online.com |
| 127.0.0.1 | www.virus-trap.org |
| 127.0.0.1 | www.metascan.org |
| 127.0.0.1 | www.virscan.org |
| 127.0.0.1 | www.anubis.iseclab.org |
| 127.0.0.1 | www.novirusthanks.org |
| 127.0.0.1 | www.malwr.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
d6zkSXv2h4AYN7BR.exe:1048
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe (3737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wDeyrXy4QzQG4ele (8 bytes)
%Documents and Settings%\%current user%\Application Data\Reader\jdwI0UhRtqkN.exe (8657 bytes)
%System%\drivers\etc\hosts (832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (5312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-wizard.bmp (5520 bytes) - Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%current user%\Application Data\Reader\jdwI0UhRtqkN.exe,explorer.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Lingoes Project
Product Name: Lingoes Translator
Product Version: 2.9.2
Legal Copyright: Copyright(c) 2006-2014 Lingoes Project
Legal Trademarks:
Original Filename:
Internal Name:
File Version: Lingoes 2.9.2
File Description: Lingoes Dictionary and Text Translation Tool
Comments: This installation was built with Inno Setup.
Language: Language Neutral
Company Name: Lingoes ProjectProduct Name: Lingoes Translator Product Version: 2.9.2 Legal Copyright: Copyright(c) 2006-2014 Lingoes Project Legal Trademarks: Original Filename: Internal Name: File Version: Lingoes 2.9.2 File Description: Lingoes Dictionary and Text Translation ToolComments: This installation was built with Inno Setup.Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 1406548 | 1406976 | 5.51593 | 975e16902df54728f854db08c416f750 |
| .sdata | 1417216 | 488 | 512 | 4.61007 | 18ca3d01a266d20f59b96bfd48fa8dfe |
| .rsrc | 1425408 | 19352 | 19456 | 5.39607 | 873ca193c192b9a24068abaef197c7ae |
| .reloc | 1449984 | 12 | 512 | 0.070639 | 025af6c8339298a013cdf33bed3e4088 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
d6zkSXv2h4AYN7BR.exe_1048:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\modern-wizard.bmp
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\modern-wizard.bmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\modern-wizard.bmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\modern-wizard.bmp
AutoRun.exe
AutoRun.exe
AutoRun.Properties
AutoRun.Properties
System.Configuration
System.Configuration
System.Windows.Forms
System.Windows.Forms
System.Resources
System.Resources
System.Globalization
System.Globalization
.ctor
.ctor
System.ComponentModel
System.ComponentModel
Microsoft.Win32
Microsoft.Win32
RegistryKey
RegistryKey
m_regKeyrunAtStartUp
m_regKeyrunAtStartUp
System.Reflection
System.Reflection
System.Runtime.InteropServices
System.Runtime.InteropServices
System.Diagnostics
System.Diagnostics
System.Runtime.CompilerServices
System.Runtime.CompilerServices
System.CodeDom.Compiler
System.CodeDom.Compiler
.cctor
.cctor
System.Drawing
System.Drawing
OpenSubKey
OpenSubKey
System.Security.Principal
System.Security.Principal
WindowsIdentity
WindowsIdentity
WindowsPrincipal
WindowsPrincipal
WindowsBuiltInRole
WindowsBuiltInRole
System.Threading
System.Threading
AutoRun.FormDev.resources
AutoRun.FormDev.resources
AutoRun.Properties.Resources.resources
AutoRun.Properties.Resources.resources
3System.Resources.Tools.StronglyTypedResourceBuilder
3System.Resources.Tools.StronglyTypedResourceBuilder
2.0.0.0
2.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
8.0.0.0
8.0.0.0
5.0.0.0
5.0.0.0
$9158fd3e-cb41-44d0-8774-52fdc42a3219
$9158fd3e-cb41-44d0-8774-52fdc42a3219
LangOver.com
LangOver.com
C:\MAIN_ODED\_DEVELOP\_NET\LangOver\AutoRun\obj\Debug\AutoRun.pdb
C:\MAIN_ODED\_DEVELOP\_NET\LangOver\AutoRun\obj\Debug\AutoRun.pdb
_CorExeMain
_CorExeMain
mscoree.dll
mscoree.dll
`.rsrc
`.rsrc
@.reloc
@.reloc
qUfL bH%fL'cI&hN(kN)kN)kM)kM)kN)kN)kM)kM)kN)kN)kM)x^=
qUfL bH%fL'cI&hN(kN)kN)kM)kM)kN)kN)kM)kM)kN)kN)kM)x^=
nsp3.tmp
nsp3.tmp
"%Documents and Settings%\%current user%\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe"
"%Documents and Settings%\%current user%\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe"
%Program Files%\LangOver
%Program Files%\LangOver
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Temp
d6zkSXv2h4AYN7BR.exe
d6zkSXv2h4AYN7BR.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe
%Documents and Settings%\%current user%\Local Settings\Temp\d6zkSXv2h4AYN7BR.exe
1342833587
1342833587
1245500
1245500
1048774
1048774
1245448
1245448
1114330
1114330
1245396
1245396
1048842
1048842
Nullsoft Install System v2.46
Nullsoft Install System v2.46
AutoRun.Properties.Resources
AutoRun.Properties.Resources
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\LangOver.exe
\LangOver.exe
LangOver is not configure to run at startup, to change it run the LangOver.exe
LangOver is not configure to run at startup, to change it run the LangOver.exe
LangOver is Already run at startup, to change it run LangOver.exe and use its menu
LangOver is Already run at startup, to change it run LangOver.exe and use its menu