Trojan.Win32.Foxhiex.cdg (Kaspersky), Gen:Trojan.Heur.DNP.Lm0@aC4Qisl (B) (Emsisoft), Gen:Variant.Kazy.488548 (AdAware), GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3cf6abb0498d73caf7b138a082cd7d97
SHA1: b23a44a2441cd4f820443c750f2cd1f438ca3beb
SHA256: c892dd42ad9d008b7c143361164a27b9ed130315e776a98ddfe1ee6fc5f439fc
SSDeep: 12288:7CbhfSKwGYtEM rg76rpr6hMJKvoAUJe08G8ezqe:WlRwGYiJAmaou087e
Size: 606720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller Inc.
Created at: 2014-11-02 23:45:02
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
vbc.exe:2568
vbc.exe:2680
%original file name%.exe:3672
The Trojan injects its code into the following process(es):
%original file name%.exe:3928
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process vbc.exe:2568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (2 bytes)
The process %original file name%.exe:3672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe (4185 bytes)
The process %original file name%.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (4185 bytes)
%System%\wbem\Logs\wbemprox.log (160 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)
Registry activity
The process vbc.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D B5 8D FF 3C 28 C1 84 7F 38 B4 B4 1B 72 30 1C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process vbc.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 21 64 BA F0 FC FE 7B 02 32 16 B6 70 3B AA FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 27 00 2D 61 DB 67 76 AF 49 BD 39 A9 B4 04 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bSILlzCwXBS" = "%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe"
The process %original file name%.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 4D C4 73 98 B5 C6 1A 31 1B 83 C3 D0 2D 0D EE"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\3cf6abb0498d73caf7b138a082cd7d97\DEBUG]
"Trace Level" = ""
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key (the value name "Windows Update" imitates a Windows component, but the genuine update client never runs from a per-user Application Data folder):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\3cf6abb0498d73caf7b138a082cd7d97\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. Note that the analysis ran on Windows XP SP3; Windows 7 and later (and XP/Vista with the 2011 AutoRun update applied) no longer honour autorun.inf on removable drives, so on those systems propagation depends on the user launching the copied executable themselves.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager). The PIDs below are those observed in the sandbox run and will differ on an infected host; match on the process name and image path instead:
vbc.exe:2568
vbc.exe:2680
%original file name%.exe:3672
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe (4185 bytes)
%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (4185 bytes)
%System%\wbem\Logs\wbemprox.log (160 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bSILlzCwXBS" = "%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
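A triage script for the indicators in this report, as an added example (it is not part of the Lavasoft report and not the sample's own code). It checks a file image against the report's MD5/SHA1/SHA256, flags HKCU Run values that match the two persistence entries from the Registry activity section (plus a labelled heuristic for Windows-named values that run from a user profile folder), and parses an autorun.inf of the kind the Propagation section describes to list what it would launch. The registry snapshot and the autorun.inf text are constructed inline and passed as plain Python values; reading them from a live host (for example via winreg or by walking removable drives) is left to the caller.

```python
"""IOC sweep for the sample in this report.

Added example; not part of the Lavasoft report and not the sample's own code.
Everything runs offline on constructed input: registry values and autorun.inf
contents are passed in as plain Python data rather than read from a live system.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Hashes of the analysed sample, copied from the Summary section.
SAMPLE_HASHES = {
    "md5": "3cf6abb0498d73caf7b138a082cd7d97",
    "sha1": "b23a44a2441cd4f820443c750f2cd1f438ca3beb",
    "sha256": "c892dd42ad9d008b7c143361164a27b9ed130315e776a98ddfe1ee6fc5f439fc",
}

# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values from the report
# (lower-cased value name -> file name of the dropped executable it points at).
RUN_KEY_IOCS = {
    "bsillzcwxbs": "jivlrz.exe",
    "windows update": "windowsupdate.exe",
}
DROPPED_EXES = set(RUN_KEY_IOCS.values())


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256 hex digests of an in-memory file image."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_sample(data: bytes) -> bool:
    """True if the image matches the report's SHA256 (the strongest of the three hashes)."""
    return hash_bytes(data)["sha256"] == SAMPLE_HASHES["sha256"]


def _image_name(value: str) -> str:
    """Extract the executable's file name from a Run value (quoted or not, with or without arguments)."""
    v = value.strip()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)\b", v, re.IGNORECASE)
        v = m.group(1) if m else v.split(" ", 1)[0]
    return v.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag Run values matching the report's persistence entries.

    Returns (value name, value data, reason). Check 1 is a direct IOC match on the
    value name or target image. Check 2 is a heuristic (assumption, not from the
    report): a value named like a Windows component whose target lives under the
    user's Application Data / AppData, which is where the sample's "Windows Update"
    entry points and where no genuine Windows Update binary lives.
    """
    hits = []
    for name, data in run_values.items():
        lname, image, ldata = name.lower(), _image_name(data), data.lower()
        if lname in RUN_KEY_IOCS or image in DROPPED_EXES:
            hits.append((name, data, "matches report IOC"))
        elif lname.startswith("windows") and (
            "\\application data\\" in ldata or "\\appdata\\" in ldata
        ):
            hits.append((name, data, "Windows-named value running from user profile"))
    return hits


# autorun.inf keys that make Explorer launch a program on XP-era AutoRun.
_LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def autorun_launch_targets(inf_text: str) -> List[str]:
    """Return every program an autorun.inf would launch, from its [autorun] section(s)."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if _LAUNCH_KEYS.match(key) and value:
            targets.append(value)
    return targets


if __name__ == "__main__":
    # Constructed registry snapshot: one legitimate entry plus the two from the report.
    run_values = {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "bSILlzCwXBS": r"C:\Documents and Settings\user\Application Data\Microsoft\JiVlrz.exe",
        "Windows Update": r"C:\Documents and Settings\user\Application Data\WindowsUpdate.exe",
    }
    for hit in suspicious_run_values(run_values):
        print("Run value:", hit)
    # Constructed autorun.inf of the kind the report's WormAutorun behaviour describes.
    inf = "[autorun]\nopen=JiVlrz.exe\nshell\\open\\command=JiVlrz.exe\nicon=shell32.dll,4\n"
    print("autorun.inf launches:", autorun_launch_targets(inf))
```

The hash check is what you run on a quarantined file before trusting the rest of the report; the Run-key and autorun.inf checks are the two persistence and spreading mechanisms the report documents, so a hit on either without a hash match still means "look closer", not "clean".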
Static Analysis
VersionInfo
Company Name:
Product Name: JiVlrz
Product Version: 2.5.10.54837
Legal Copyright: (c)2014 Jnz68m All Rights Reserved.
Legal Trademarks:
Original Filename: 6239.exe
Internal Name: 6239.exe
File Version: 2.5.10.54837
File Description: JiVlrz
Comments: JiVlrz
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 581097 | 581120 | 5.53652 | 32abe61571f590f0976597a8144d9ddc |
.rsrc | 589824 | 24402 | 24576 | 3.74719 | 44bba85a286527159f50ad2f2edc0fe9 |
.reloc | 614400 | 12 | 512 | 0.070639 | ab1feb615a5816a4ab35827d3dccc6ee |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://whatismyipaddress.com/ | 66.171.248.172 |
smtp.gmail.com | 173.194.76.108 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):