Skip to main content

Trojan.Generic.11461385_02dcde2215


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.11461385 (B) (Emsisoft), Trojan.Generic.11461385 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 02dcde2215bbb41e1dfcf062a3664699

SHA1: 6562f8dbdc8c7800eb20e2f32b977675179ede0c

SHA256: b684ba105e579897a05690a6569a21b8f598d8a5e387a73537b95d5c2ba0e4bc

SSDeep: 6144:zI1v9PfKoXjllMoVpfZLijwDAhtCx6o3yG4/xFk:z4vFfVzv2qZitZFk

Size: 274768 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: VideoPerformer

Created at: 2003-07-15 04:38:10

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1292

The Trojan injects its code into the following process(es):

winlogon.exe:676
Explorer.EXE:932

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1292 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\software (3012 bytes)
%System%\config\SOFTWARE.LOG (4771 bytes)
%WinDir%\AppPatch\ncdjdiu.exe (1973 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1292 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 4E 53 E5 74 B0 17 1E 23 B0 1C 90 AF 45 14 A6"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\ncdjdiu.exe_, \??\%WinDir%\apppatch\ncdjdiu.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEĂ