Trojan.Win32.Chifrax.a (Kaspersky), Gen:Trojan.Heur.MR.cvZ@aeir6@fO (B) (Emsisoft), Gen:Trojan.Heur.MR.cvZ@aeir6@fO (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bed2e85383207b29fc4184ca85d7ccf1
SHA1: c0bd3354b59a82dba14d0d589103c366fc85c16c
SHA256: 6454b003b0b810d5c3b1b3512c6123a13b4d04d90fbfd197d836d5b06cb410a6
SSDeep: 24576:Q81EdVcVj 1hPnGBP3krdeiVQuavzPPjKz9SGq1fLGk1lJAEAo5:QZ/3PnGtkrdjiPkLQJAX4
Size: 1097287 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-17 23:24:34
Analyzed on: Windows XP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
server.exe:980
%original file name%.exe:644
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process server.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\7bebte13352740412.jpg (2368 bytes)
Registry activity
The process server.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3432392762"
"a1_3" = "369175827"
"a1_4" = "3854877565"
[HKCU\Software\Aas\695404737]
"35845605" = "387"
[HKCU\Software\Aas]
"a1_6" = "1444987664"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Aas]
"a1_2" = "1147964647"
"a3_6" = "59977839"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "8D047AF7229C9B8962BA0482D99D368E2F27DA435BE2A7386A33EDC80BF5E291731E9D01A5491DAF960D9F12BEF04EC6593B061C5B93136EC6BFEC34C08A20B0C1FA17DCC2BD245ECA59601A83B2A1E4EA6D8C1E0D407E7C34901CE485312CA99533EF94DBD09BAC13BC887C7B5FA8BD183F0B60FDAC439D9A828FBE91ABBD7D"
[HKCU\Software\Aas]
"a3_4" = "11991981"
[HKCU\Software\Aas\695404737]
"43014726" = "0A00687474703A2F2F63696B6D61796564656B70617263612E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6272756365676172726F642E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6362626173696D6576692E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6272616E64616F656D61746F732E636F6D2E62722F696D616765732F6C6F676F692E67696600687474703A2F2F6361676C617274656B6E696B2E636F6D2F6C6F676F732E67696600687474703A2F2F6268617261746973616E676C692E696E2F6C6F676F692E67696600687474703A2F2F636163732E6F72672E62722F6E6F766F736974652F6C6F676F732E67696600687474703A2F2F62757461636D2E676F2E726F2F6C6F676F732E67696600687474703A2F2F626F7961626174656D6C2E6B31322E74722F696D616765732F6C6F676F732E67696600687474703A2F2F636173627967726F75702E636F6D2F696D616765732F6C6F676F732E676966"
[HKCU\Software\Aas]
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a1_1" = "1313561096"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_4" = "28676484"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Aas]
"a1_5" = "1008453933"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "121"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 09 4B AC F7 42 EB 7D B3 06 22 C8 65 83 F7 01"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_6" = "43012043"
"a2_5" = "35840104"
"a2_4" = "28673033"
"a2_3" = "21510318"
"a2_2" = "14343503"
"a2_1" = "7172588"
"a2_0" = "5517"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_5" = "35845605"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a3_5" = "52535244"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%]
"server.exe" = "%Program Files%\server.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process %original file name%.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"server.exe" = "server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
MD5 | File path |
---|---|
6f7579cefe21cfbc49dd04a63b8e9b67 | c:\Program Files\Bifrost\server.exe |
6f7579cefe21cfbc49dd04a63b8e9b67 | c:\Program Files\server.exe |
8dea3996e6b899a61f0c0419a04571cf | c:\%original file name%.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS names to IP addresses. The modified file is 734 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
  server.exe:980
  %original file name%.exe:644
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
  %WinDir%\system.ini (72 bytes)
  %Program Files%\7bebte13352740412.jpg (2368 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 71390 | 71680 | 4.54235 | b26d39d2859847255e0be66216bf13bc |
.rdata | 77824 | 7173 | 7680 | 3.37149 | 900a9e8d169dca2c262fcf9aaeeb4777 |
.data | 86016 | 65324 | 512 | 2.44253 | 67da0eee7a0eeddbb8255b277e6a2b2e |
.CRT | 151552 | 16 | 512 | 0.147711 | f37caedd772bbb624d915f04f60d24a0 |
.rsrc | 155648 | 16384 | 16384 | 2.5708 | 4f2f3f3436481fe4d2bf2c88ff76e6ec |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):