HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Generic.294759 (B) (Emsisoft), Worm.Generic.294759 (AdAware), Trojan.Win32.Sasfis.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a1155573bb7398fdf486feae5453ba12
SHA1: 0e46ce8f5eacaf4a6a7147aca1c13ede8b0208e8
SHA256: 61b21fb69fae0c5f23a6d41c08bb5e02e427be0c945b1849d524e831aee54ec6
SSDeep: 3072:M1abGWGT2TK1dbzlF9OVtSZjCw8geIr/QAuCgNVfpxICuQsKUIZn:9bpGtfoVtScw2RCgrzItQB
Size: 173492 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6 (PEiD signature names with their punctuation stripped: UPX "Compresor Gratuito" (www.upx.sourceforge.net), UPX v0.89.6 - v1.02 / v1.05 - v1.22 Delphi stub, UPolyX v0.5)
Company: no certificate found
Created at: 1992-06-20 01:22:17 (the PE header timestamp rendered in the sandbox's local time zone; the Delphi linker writes the fixed value 0x2A425E19 = 1992-06-19 22:22:17 UTC into every executable it produces, so this field says nothing about when the sample was actually built. The UPX Delphi-stub signature above and the Borland copyright string in the dumps below confirm the toolchain.)
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1096
The Trojan injects its code into the following process(es):
HKF.EXE:800 (this is the sample's own dropped copy, c:\Perl\HKF.EXE in the Dropped PE files list, running as a second instance of the malware rather than a pre-existing system process; the "workfile" registry value set below holds the same path, base64-encoded)
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\OAG.EXE (173 bytes)
%Documents and Settings%\HNV.EXE (173 bytes)
C:\filedebug (633 bytes)
C:\System Volume Information\GRTSH.EXE (174 bytes)
C:\totalcmd\OWIKOI.EXE (173 bytes)
%Documents and Settings%\ACZ.EXE (173 bytes)
C:\System Volume Information\ZEHPN.EXE (174 bytes)
C:\totalcmd\VKTNIL.EXE (174 bytes)
%Documents and Settings%\ZFP.EXE (173 bytes)
C:\System Volume Information\OCOJF.EXE (174 bytes)
The process HKF.EXE:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\filedebug (80 bytes)
C:\System Volume Information\UGASK.EXE (174 bytes)
Registry activity
The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 07 EA 5D 48 54 8B EC D9 58 24 FF 0A 16 F9 44"
[HKCR\QQQ.file\shell\open\command]
"(Default)" = "%Documents and Settings%\HNV.EXE %1"
[HKCR\txtfile\shell\open\command]
"(Default)" = "C:\totalcmd\VKTNIL.EXE %1"
[HKCR\inffile\shell\open\command]
"(Default)" = "C:\System Volume Information\ZEHPN.EXE %1"
[HKCR\QQQfile\shell\open\command]
"(Default)" = "%Documents and Settings%\ACZ.EXE %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"workfile" = "QzpcUGVybFxIS0YuRVhF"
The "workfile" value is base64; it decodes to C:\Perl\HKF.EXE, the dropped copy that the original process injects into (see Dropped PE files). The shell\open\command values above replace the handlers for .txt (txtfile) and .inf (inffile) documents with dropped copies, register two new ProgIDs (QQQ.file and QQQfile) whose open command points at further copies, and HKF.EXE:800 replaces the exefile handler below, so a copy of the worm runs whenever a file of one of those types is opened. Together with the Run entry this gives the worm several independent persistence paths, and the exefile hijack in particular must be undone before the handler file is deleted (see Removals). The "Seed" value under Cryptography\RNG is rewritten by CryptoAPI whenever a process draws random numbers and is sandbox noise, not an indicator.
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GRTSH.EXE" = "%Documents and Settings%\ZFP.EXE"
The process HKF.EXE:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 06 96 C4 9E 4A C6 39 4E FD 43 BD CE 5E 71 2C"
[HKCR\exefile\shell\open\command]
"(Default)" = "C:\System Volume Information\UGASK.EXE %1 %*"
Dropped PE files
MD5 | File path |
---|---|
a5701a767e684ef3789e63cd92ec6442 | c:\Documents and Settings\ACZ.EXE |
25bfde10311ee8d106eed8b23402f790 | c:\Documents and Settings\HNV.EXE |
473c522a37a498a481f0c3ea0b571f07 | c:\Documents and Settings\OAG.EXE |
043c2d9687c985d17b8f9dc9070d504a | c:\Documents and Settings\ZFP.EXE |
c62fb84659bd703dd8fb6fe73a4f4fe7 | c:\Perl\HKF.EXE |
679b573c798eee4c0b6c01739fe07908 | c:\System Volume Information\GRTSH.EXE |
e9312e46311bf601d0c692b2eb8986ea | c:\System Volume Information\OCOJF.EXE |
ba0241f25e639a97dcddc545787834de | c:\System Volume Information\UGASK.EXE |
fe92098dd79eec6c613e312f6ae4fa59 | c:\System Volume Information\ZEHPN.EXE |
64485d6b0ee01da93aa27f71debb8ff9 | c:\totalcmd\OWIKOI.EXE |
10843d9d366d6ac131d4abf980d9b853 | c:\totalcmd\VKTNIL.EXE |
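A registry triage script for the two things seen in the Registry activity section, added here as an example and not part of the Lavasoft report: the file-association hijacks (txtfile, inffile and exefile shell\open\command pointing at dropped copies, plus the new QQQ.file ProgID) and the base64-encoded "workfile" value. It works on a .reg export so it runs offline; SAMPLE_REG is constructed from the values listed above, and KNOWN_GOOD holds the stock Windows XP handler commands, which is an assumption to confirm against a clean reference host before relying on it.

```python
"""Triage a Windows .reg export for hijacked shell-open-command handlers and
for base64-encoded string values such as the "workfile" entry above.

Added example, not part of the Lavasoft report.  SAMPLE_REG is constructed
from the registry values in the dynamic analysis; KNOWN_GOOD is an
assumption (stock Windows XP handlers) to verify on a clean host.
"""
import base64
import binascii
import re

# Stock shell\open\command defaults on Windows XP (assumption; verify on a clean host).
KNOWN_GOOD = {
    r"exefile\shell\open\command": '"%1" %*',
    r"txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    r"inffile\shell\open\command": r"%SystemRoot%\System32\NOTEPAD.EXE %1",
}

# Constructed .reg export reproducing the values from the report
# (.reg files double every backslash and escape quotes inside string data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\totalcmd\\VKTNIL.EXE %1"

[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@="C:\\System Volume Information\\ZEHPN.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\System Volume Information\\UGASK.EXE %1 %*"

[HKEY_CLASSES_ROOT\QQQ.file\shell\open\command]
@="C:\\Documents and Settings\\HNV.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"workfile"="QzpcUGVybFxIS0YuRVhF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GRTSH.EXE"="C:\\Documents and Settings\\ZFP.EXE"
'''

BASE64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # Undo the .reg escaping: \\ -> \ and \" -> "
                keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def handler_findings(keys):
    """Compare each HKCR shell-open-command default value with the stock one."""
    findings = []
    for path, values in keys.items():
        hive, _, progid_path = path.partition("\\")
        if hive != "HKEY_CLASSES_ROOT" or not progid_path.lower().endswith(r"shell\open\command"):
            continue
        cmd = values.get("(Default)", "")
        expected = KNOWN_GOOD.get(progid_path)
        if expected is None:
            status = "unknown-class"   # new ProgID: record the handler for review
        elif cmd.lower() != expected.lower():
            status = "hijacked"
        else:
            status = "ok"
        findings.append((progid_path, cmd, status))
    return findings


def decode_base64_values(keys, key_suffix=r"CurrentVersion\Setup"):
    """Decode base64-looking string values under keys ending in key_suffix."""
    decoded = {}
    for path, values in keys.items():
        if not path.lower().endswith(key_suffix.lower()):
            continue
        for name, data in values.items():
            if not BASE64_RE.fullmatch(data):
                continue
            try:
                text = base64.b64decode(data, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable():
                decoded[name] = text
    return decoded


def triage(reg_text):
    keys = parse_reg(reg_text)
    return {"handlers": handler_findings(keys), "decoded": decode_base64_values(keys)}


if __name__ == "__main__":
    result = triage(SAMPLE_REG)
    for progid_path, cmd, status in result["handlers"]:
        print(f"{status:13} {progid_path} -> {cmd}")
    for name, text in result["decoded"].items():
        print(f"base64 value {name!r} decodes to {text}")
```

On a live host, produce the input with `reg export HKCR\exefile exefile.reg` (and the other keys) and run the script against the concatenated files; an exefile handler that is anything other than `"%1" %*` means every program launch is being proxied, which is why the Removals section restores the associations before deleting the handler file.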
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. No autorun.inf write appears in the file activity above, which is expected when no removable drive is attached to the sandbox; the string "autorun.inf" is present in the dumped HKF.EXE process (see Strings from Dumps). On the analysis platform (Windows XP SP3) Explorer honours autorun.inf on removable drives unless AutoRun has been disabled through the NoDriveTypeAutoRun policy or the AutoRun update (KB967715); Windows 7 and later ignore autorun.inf on non-optical media, so this vector mostly affects XP and Vista hosts.
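The autorun.inf mechanism described above, as an added example that is not part of the Lavasoft report: a lenient parser for the file (worm-written autorun.inf files often use mixed case, spaces around "=" and junk lines to defeat strict INI parsers) that reports which entries cause execution on Windows XP, namely "open", "shellexecute" and any shell\<verb>\command entry, and whether the target lives on the drive itself. SAMPLE_AUTORUN and SAMPLE_DRIVE_FILES are constructed; the sample did not write an autorun.inf in this run, so the file name "worm.exe" is a placeholder rather than a name taken from the analysis.

```python
"""Parse an autorun.inf the way a removable-drive scanner would and report
which entries make Windows run something.

Added example, not part of the Lavasoft report.  SAMPLE_AUTORUN and
SAMPLE_DRIVE_FILES are constructed; "worm.exe" is a placeholder name.
"""

# Keys Windows XP acts on: "open" and "shellexecute" under AutoRun, plus any
# shell\<verb>\command entry, which replaces Explorer's double-click or
# context-menu action for the drive.
EXEC_KEYS = {"open", "shellexecute"}

SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed sample, not recovered from the analysed binary
OPEN = worm.exe
shellexecute=worm.exe
shell\open\command=worm.exe
shell\explore\command=worm.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
"""

# Constructed directory listing of the drive root.
SAMPLE_DRIVE_FILES = {"autorun.inf", "worm.exe", "holiday.jpg"}


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, case-insensitively.

    Tolerates mixed-case section and key names, spaces around '=', comment
    lines, and lines outside the section.
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def execution_targets(entries):
    """Keep only the entries that make Windows launch a program."""
    out = []
    for key, value in entries:
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append((key, value))
    return out


def assess(text, drive_files):
    """Summarise what the autorun.inf would execute and whether each target is on the drive."""
    entries = parse_autorun(text)
    present = {f.lower() for f in drive_files}
    targets = []
    for key, cmd in execution_targets(entries):
        parts = cmd.split()
        exe = parts[0].strip('"') if parts else ""
        targets.append({
            "key": key,
            "command": cmd,
            "on_drive": exe.lstrip(".\\").lower() in present,
        })
    default_verb = next((v for k, v in entries if k == "shell"), None)
    return {
        "targets": targets,
        "default_verb": default_verb,
        # An executable shipped on the drive and launched by autorun.inf is the
        # worm pattern; a vendor disc normally only sets icon/label.
        "suspicious": any(t["on_drive"] for t in targets),
    }


if __name__ == "__main__":
    for t in assess(SAMPLE_AUTORUN, SAMPLE_DRIVE_FILES)["targets"]:
        print(f"{t['key']:24} -> {t['command']}  (on drive: {t['on_drive']})")
```

On a real drive, feed the parser the bytes of X:\autorun.inf (decoded as latin-1 so binary padding does not abort the parse) and the directory listing of the drive root. The host-side fix is independent of the file contents: set NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, or apply the AutoRun update, so autorun.inf on removable media is never honoured.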
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1096
HKF.EXE:800
- Restore the hijacked file-type handlers before deleting any dropped files (How to Work with System Registry). The hijacked exefile command hands the program path to UGASK.EXE as %1, which is why programs keep launching while the infection is active; delete UGASK.EXE first and every .exe started from Explorer or the Run dialog fails until exefile is repaired. Stock Windows XP values:
[HKCR\exefile\shell\open\command]
(Default) = "%1" %* (the quotation marks around %1 are part of the value)
[HKCR\txtfile\shell\open\command]
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
[HKCR\inffile\shell\open\command]
(Default) = %SystemRoot%\System32\NOTEPAD.EXE %1
Delete the added HKCR\QQQ.file and HKCR\QQQfile classes, and the "workfile" value under [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup] (it holds the base64-encoded path C:\Perl\HKF.EXE).
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan (the dropped copies from the Dropped PE files list, plus the non-PE C:\filedebug written by both processes):
%Documents and Settings%\OAG.EXE (173 bytes)
%Documents and Settings%\HNV.EXE (173 bytes)
%Documents and Settings%\ACZ.EXE (173 bytes)
%Documents and Settings%\ZFP.EXE (173 bytes)
C:\Perl\HKF.EXE
C:\System Volume Information\GRTSH.EXE (174 bytes)
C:\System Volume Information\ZEHPN.EXE (174 bytes)
C:\System Volume Information\OCOJF.EXE (174 bytes)
C:\System Volume Information\UGASK.EXE (174 bytes)
C:\totalcmd\OWIKOI.EXE (173 bytes)
C:\totalcmd\VKTNIL.EXE (174 bytes)
C:\filedebug (633 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GRTSH.EXE" = "%Documents and Settings%\ZFP.EXE"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 282624 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 286720 | 159744 | 159744 | 5.48724 | c548a5f876acea2455592813a0ae6bcf |
.rsrc | 446464 | 4096 | 2560 | 2.04725 | 954ae2d3ba2d2c5b5bc9c8da95e79ac6 |
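The section table and timestamp above, read the way an analyst would when deciding whether to trust them, as an added example that is not part of the Lavasoft report. SECTIONS and FILE_SIZE are taken from the PE Sections table and Summary on this page; DELPHI_FIXED_TIMESTAMP is the constant the Delphi linker writes into IMAGE_FILE_HEADER.TimeDateStamp, an external fact rather than something shown on the page.

```python
"""Interpret a PE section table and header timestamp for packing and
build-time plausibility.

Added example, not part of the Lavasoft report.  SECTIONS and FILE_SIZE
come from the report's Static Analysis / Summary; DELPHI_FIXED_TIMESTAMP
is the well-known Delphi linker constant (not taken from the page).
"""
from datetime import datetime, timezone

DELPHI_FIXED_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC in every Delphi-linked PE
FILE_SIZE = 173492

# (name, virtual_address, virtual_size, raw_size, entropy) from the report's table.
SECTIONS = [
    ("UPX0", 4096, 282624, 0, 0.0),
    ("UPX1", 286720, 159744, 159744, 5.48724),
    (".rsrc", 446464, 4096, 2560, 2.04725),
]


def timestamp_to_utc(ts):
    """Render a PE TimeDateStamp (seconds since the Unix epoch) as UTC text."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def timestamp_verdict(ts):
    """Say whether the header timestamp can be read as a build time."""
    if ts == DELPHI_FIXED_TIMESTAMP:
        return "fixed Delphi linker stamp (" + timestamp_to_utc(ts) + " UTC); not a build time"
    return "plausible build time: " + timestamp_to_utc(ts) + " UTC"


def packer_indicators(sections, file_size):
    """Return human-readable reasons to treat the image as packed."""
    reasons = []
    for name, _va, vsize, rawsize, _entropy in sections:
        if name.upper().startswith("UPX"):
            reasons.append(f"section name {name!r} is a UPX marker")
        if rawsize == 0 and vsize > 0:
            # A section with no bytes on disk but a large virtual size is the
            # destination the unpacking stub fills at run time.
            reasons.append(f"{name}: raw size 0 but virtual size {vsize} "
                           "(unpacking destination filled at run time)")
    raw_total = sum(s[3] for s in sections)
    if raw_total < file_size:
        reasons.append(f"{file_size - raw_total} bytes outside section data "
                       "(headers and/or appended data); inspect before hashing an unpacked copy")
    return reasons


def unpacked_footprint(sections):
    """Bytes the image occupies once mapped: end of the last section's virtual range."""
    return max(va + vsize for _n, va, vsize, _r, _e in sections)


if __name__ == "__main__":
    print(timestamp_verdict(DELPHI_FIXED_TIMESTAMP))
    for reason in packer_indicators(SECTIONS, FILE_SIZE):
        print("-", reason)
    print("mapped size:", unpacked_footprint(SECTIONS), "bytes")
```

The 1992-06-20 01:22:17 shown in the Summary is this same constant rendered in a UTC+3 local time, so the timestamp check is the first thing to apply before treating "Created at" as evidence of anything. The UPX0/UPX1 split (an empty on-disk section followed by the compressed payload) is the shape `upx -d` expects; if the sample has been tampered with so that the stock decompressor refuses it, dump the process memory of the running copy instead, which is what the HKF.EXE_800_rwx_00401000 dump in the strings section is.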
Dropped from: (none recorded)
Downloaded by: (none recorded)
Similar by SSDeep: (none recorded)
Similar by Lavasoft Polymorphic Checker: (none recorded)
Network Activity
URLs: none recorded.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset): none.
Traffic / Map: no connections observed.
The Trojan connects to the servers at the following location(s): none observed during this run. The dumped HKF.EXE process does contain an SMTP client (NetMasters NMSMTP component strings, "AUTH LOGIN", "smtp_fuwuqi") and a "getpass_Thread"/"PassWord_Thread" pair, so the empty traffic log shows only that nothing triggered a send inside this sandbox, not that the sample lacks a reporting channel.
Strings from Dumps
HKF.EXE_800:
.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
PasswordCharXSC
OnKeyDown
OnKeyPress
OnKeyUp
OnKeyUpx
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
TContainedActionh%C
AutoHotkeys
:].tJ
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewxPC
WindowState
UhG%D
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
Password
OnExecute
Port<
ReportLevel
Max Udp pack size=
Initializaton of windows sockets failed
Invalid seek origin = %d
NMsmtp
TNMSMTP
NMSMTP1
NMSMTP1Connect
NMSMTP1SendStart
AUTH LOGIN
PassWord_ThreadU
Kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Setup
qqpass7
Msread.dt
smtp_fuwuqi
kav9x.exe
kavsvc9x.exe
kavsvcui.exe
kav32.exe
smenu.exe
ravmon.exe
passwordguard.exe
vpc32.exe
watcher.exe
autorun.inf
QQQ.file\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Notepad.exe
HH.exe
regedit.exe "
c:\filedebug
netapi32.dll
svrapi.dll
FTPF0
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
!Operation not supported on socket
Protocol family not supported
/Address family not supported by protocol family
#Incompatible version of WINSOCK.DLL
KWindows
.ScktComp
UrlMon
.StopFireW_Thread
getpass_Thread
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Port
%Copyright ?1996-1998 NetMasters L.L.C
1-888-2-GET-WEB (In USA)
E-mail info@netmastersllc.com
http://www.netmastersllc.com
! Obtain Support and Source Code
,Version: 5.3.0 Build:1055 Date:5/26/99
Submit Bug Report
WinExec
GetCPInfo
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
Web }
bu%sA&4u
KERNEL32.DLL
advapi32.dll
gdi32.dll
ole32.dll
oleaut32.dll
user32.dll
wsock32.dll
- Dock zone has no control%List does not allow duplicates ($0%x)
Failed to get data for '%s'/Menu '%s' is already being used by another form
Service failed on %s: %s
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Unable to insert a line Clipboard does not support Icons
Invalid data type for '%s'
Failed to set data for '%s'
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
HKF.EXE_800_rwx_00401000_0006B000: the dump of this read-write-execute region (the unpacked image) contains the same strings as the process dump above, minus the "Web }", "bu%sA&4u" and import DLL name entries, and is not repeated here.
What the strings show: a Delphi VCL application (Borland copyright, E* exception class names, vcltest3.dll) built with the NetMasters FastNet components (NMSMTP, "Version: 5.3.0 Build:1055"). It carries an SMTP client with AUTH LOGIN support and the configuration names "smtp_fuwuqi" ("fuwuqi" is pinyin for server) and "qqpass7"; thread names PassWord_Thread, getpass_Thread and StopFireW_Thread; keyboard-related imports (SetWindowsHookExA, GetKeyboardState, GetKeyState, GetKeyNameTextA, MapVirtualKeyA, EnumWindows); the registry paths it modifies (QQQ.file\shell\open\command, ...\CurrentVersion\Run, ...\CurrentVersion\Setup); the file names autorun.inf and c:\filedebug; and a list of security-product process names (kav9x.exe, kavsvc9x.exe, kavsvcui.exe, kav32.exe, smenu.exe, ravmon.exe, passwordguard.exe, vpc32.exe, watcher.exe), presumably looked up so they can be terminated. Taken together this is consistent with a QQ credential stealer that reports by e-mail and spreads through autorun.inf; the credential theft and the e-mail reporting were not exercised in this sandbox run and are inferred from the strings only.