HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.11461385 (B) (Emsisoft), Trojan.Generic.11461385 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 02dcde2215bbb41e1dfcf062a3664699
SHA1: 6562f8dbdc8c7800eb20e2f32b977675179ede0c
SHA256: b684ba105e579897a05690a6569a21b8f598d8a5e387a73537b95d5c2ba0e4bc
SSDeep: 6144:zI1v9PfKoXjllMoVpfZLijwDAhtCx6o3yG4/xFk:z4vFfVzv2qZitZFk
Size: 274768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: VideoPerformer
Created at: 2003-07-15 04:38:10
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1292
The Trojan injects its code into the following process(es):
winlogon.exe:676
Explorer.EXE:932
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (3012 bytes)
%System%\config\SOFTWARE.LOG (4771 bytes)
%WinDir%\AppPatch\ncdjdiu.exe (1973 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 4E 53 E5 74 B0 17 1E 23 B0 1C 90 AF 45 14 A6"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\ncdjdiu.exe_, \??\%WinDir%\apppatch\ncdjdiu.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEĂ