Gen:Variant.Kazy.311402 (BitDefender), Trojan.Win32.Generic.pak!cobra (VIPRE), Gen:Variant.Kazy.311402 (B) (Emsisoft), RDN/Qhost-Gen!y (McAfee), Gen:Variant.Kazy.311402 (FSecure), Dropper.Small.USI (AVG), Win32:Malware-gen (Avast), Gen:Variant.Kazy.311402 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3059beda9d52aa1d56be4531b121ade7
SHA1: d9f0a5fb8ea61581ecdab896e705cb147907ae2a
SHA256: 725636f8156891c8eb38b1922381630e80cd3e3e0f1520ff97aba10263944a5f
SSDeep: 384:9IolQltVS0lbumJ21Lf4ZGDf00Tu8T0npzkneEi0x7rjSvChkNGC mCzYcHe m:9jlAtVaJS0TqpREp7CvCaNGzzYcHe m
Size: 33280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-19 23:18:30
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mscorsvw.exe:1912
The Trojan injects its code into the following process(es):
%original file name%.exe:1520
File activity
The process %original file name%.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\ms.doc (1 bytes)
%System%\drivers\winlogon.exe (33 bytes)
%System%\drivers\etc\hosts (1 bytes)
The Trojan deletes the following file(s):
%System%\drivers\ms.doc (0 bytes)
Registry activity
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1320000"
The process %original file name%.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\3059beda9d52aa1d56be4531b121ade7\DEBUG]
"Trace Level" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"
"ValidateAdminCodeSignatures" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableInstallerDetection" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableUIADesktopToggle" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"FilterAdministratorToken" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 6E 9E 83 F4 A7 DE 69 BF BC 4A D5 E1 88 FE DD"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableSecureUIAPaths" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
To run automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows Live Messenger" = "C:\Windows\System32\drivers\winlogon.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\3059beda9d52aa1d56be4531b121ade7\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS. The modified file is 1036 bytes in size. The following entry is added to the hosts file:
96.125.162.84 www.viabcp.com
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:1912
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\ms.doc (1 bytes)
%System%\drivers\winlogon.exe (33 bytes)
%System%\drivers\etc\hosts (1 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows Live Messenger" = "C:\Windows\System32\drivers\winlogon.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: Integracion
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2011
Legal Trademarks:
Original Filename: video.exe
Internal Name: video.exe
File Version: 1.0.0.0
File Description: Integracion
Comments:
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 17476 | 17920 | 3.87333 | 181c50061ddd1c10e3bd1da47304dff6 |
.sdata | 32768 | 96 | 512 | 0.958512 | 2d7e1b55dd59c6fd768965ea24fd03cd |
.rsrc | 40960 | 12920 | 13312 | 3.51263 | e35cfaf69b18a95d4515afd584a6e3e9 |
.reloc | 57344 | 12 | 512 | 0.056519 | 1d8002c2d964ef4c414564d004a446c9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://hotelaziz.com/hotelreservation/install.txt | |
hxxp://www.hotelaziz.com/hotelreservation/install.txt | 192.185.108.190 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /hotelreservation/install.txt HTTP/1.1
Host: VVV.hotelaziz.com
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 24 May 2014 05:52:17 GMT
Content-Type: text/plain
Content-Length: 1036
Connection: keep-alive
Last-Modified: Wed, 18 Jan 2012 19:49:12 GMT
Accept-Ranges: bytes
# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host..# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost................................................................................96.125.162.84 VVV.viabcp.com..96.125.162.84 viabcp.com..
GET /hotelreservation/install.txt HTTP/1.1
Host: VVV.hotelaziz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 24 May 2014 05:52:17 GMT
Content-Type: text/plain
Content-Length: 1036
Connection: keep-alive
Last-Modified: Wed, 18 Jan 2012 19:49:12 GMT
Accept-Ranges: bytes
# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host..# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost................................................................................96.125.162.84 VVV.viabcp.com..96.125.162.84 viabcp.com..
Map
The Trojan connects to the servers at the following location(s):