UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.Agent.BDIY (AdAware), GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f6ba711fc8973f0957d72eb4909ca514
SHA1: 5810dbd6c075bbb7a8f5d39e1779f272a0d9c5d4
SHA256: b84961f37bc4de2dd268f555a0d20c42518e40830b01450ea278ca3e58db1d72
SSDeep: 24576:ht24uI/UvI338DEu06Os5M0x8tTRBNQ962u68GGUEtsh7N1e:9eQ3sz0dy8DsK68OXe
Size: 1188470 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd
Created at: 2013-08-22 16:00:50
Analyzed on: WindowsXP SP3 32-bit
Summary: HackTool. Can be used to investigate, analyze or compromise the system security. Some HackTools are multi-purpose programs, while others may have legitimate uses.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The HackTool creates the following process(es):
CzZdrfStRyx.exe:1692
%original file name%.exe:220
vbc.exe:1748
vbc.exe:1180
The HackTool injects its code into the following process(es):
RegSvcs.exe:416
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process RegSvcs.exe:416 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (32 bytes)
%System%\wbem\Logs\wbemprox.log (152 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (57 bytes)
The HackTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)
The process %original file name%.exe:220 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\88qlotaa5l\YDjWslNLY.XDD (249023 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\OlUKB.EUD (1800 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\ihxztCbuQwWn.NLQ (31 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\CzZdrfStRyx.exe (31505 bytes)
The HackTool deletes the following file(s):
%Documents and Settings%\%current user%\88qlotaa5l\__tmp_rar_sfx_access_check_2148937 (0 bytes)
The process vbc.exe:1748 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
Registry activity
The process CzZdrfStRyx.exe:1692 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 5B 41 C0 FF 91 91 BC 77 92 FA BE EE 6A 19 61"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process RegSvcs.exe:416 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\RegSvcs\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 DF 3C 68 30 3E A1 06 5B B8 64 E7 E3 27 E8 14"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"
The HackTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\RegSvcs\DEBUG]
"Trace Level"
The process %original file name%.exe:220 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 EB 30 98 69 46 B6 88 EC 9E D0 52 FA 8B AD F3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\88qlotaa5l]
"CzZdrfStRyx.exe" = "AutoIt v3 Script"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The HackTool modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The HackTool modifies IE settings for security zones to map all local web-nodes with no dots that do not belong to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The HackTool modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process vbc.exe:1748 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 2B 59 FA D8 F8 A5 FE 51 86 9E 35 8B 73 83 F0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process vbc.exe:1180 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 21 61 D1 1F 25 F1 75 54 87 54 86 B5 D5 E9 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
e01ced5c12390ff5256694eda890b33a | c:\Documents and Settings\"%CurrentUserName%"\88qlotaa5l\CzZdrfStRyx.exe |
faa8ea9027ed6b6c875c247e59285270 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WindowsUpdate.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
CzZdrfStRyx.exe:1692
%original file name%.exe:220
vbc.exe:1748
vbc.exe:1180
- Delete the original HackTool file.
- Delete or disinfect the following files created/modified by the HackTool:
%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (32 bytes)
%System%\wbem\Logs\wbemprox.log (152 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (57 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\YDjWslNLY.XDD (249023 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\OlUKB.EUD (1800 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\ihxztCbuQwWn.NLQ (31 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\CzZdrfStRyx.exe (31505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 151934 | 152064 | 4.64444 | 92abffc6a56a40e47e60620bc02b652e |
.rdata | 159744 | 20291 | 20480 | 3.69144 | 3bc937cdae1248917ecca2bfbd21ec86 |
.data | 180224 | 136672 | 5120 | 1.76024 | ec6b38244c52a1c8d4b504f9e1522d10 |
.rsrc | 319488 | 13764 | 13824 | 3.14029 | 6aff86817f1888aaf7f45ab2e0e6827c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 11
943a95c939056afb263c54d43c2dc686
06b9fdbfdd54a090f023f0f05cbe0985
df3e22ed233b583251e71430dbe8b197
fd635d68dff11feeb71a50711cafdb9c
56db250fa9e5656b9068f2d109b9c8d1
67caeb64f372efabd815f7efd0b8d828
33a0b599d47b05fd03f4a63696abc2ee
ccc5052d6c541dbb0fe13b152f919db4
915fa5fb0e0d96385e8ac15db8ca4f24
54c382daa0ec7baafa85f078b43e6227
f0863b455ad2db7a1774031d9fb5c1c6
Network Activity
URLs
URL | IP |
---|---|
hxxp://whatismyipaddress.com/ | 66.171.248.172 |
smtp.mail.ru | 217.69.139.160 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The HackTool connects to the servers at the following location(s):