Gen.Variant.Kazy.311402_3059beda9d – Adaware

Gen:Variant.Kazy.311402 (BitDefender), Trojan.Win32.Generic.pak!cobra (VIPRE), Gen:Variant.Kazy.311402 (B) (Emsisoft), RDN/Qhost-Gen!y (McAfee), Gen:Variant.Kazy.311402 (FSecure), Dropper.Small.USI (AVG), Win32:Malware-gen (Avast), Gen:Variant.Kazy.311402 (AdAware)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 3059beda9d52aa1d56be4531b121ade7

SHA1: d9f0a5fb8ea61581ecdab896e705cb147907ae2a

SHA256: 725636f8156891c8eb38b1922381630e80cd3e3e0f1520ff97aba10263944a5f

SSDeep: 384:9IolQltVS0lbumJ21Lf4ZGDf00Tu8T0npzkneEi0x7rjSvChkNGC mCzYcHe m:9jlAtVaJS0TqpREp7CvCaNGzzYcHe m

Size: 33280 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2012-01-19 23:18:30

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1912

The Trojan injects its code into the following process(es):

%original file name%.exe:1520

File activity

The process %original file name%.exe:1520 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\ms.doc (1 bytes)
%System%\drivers\winlogon.exe (33 bytes)
%System%\drivers\etc\hosts (1 bytes)

The Trojan deletes the following file(s):

%System%\drivers\ms.doc (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1320000"

The process %original file name%.exe:1520 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\3059beda9d52aa1d56be4531b121ade7\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"
"ValidateAdminCodeSignatures" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableInstallerDetection" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableUIADesktopToggle" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"FilterAdministratorToken" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 6E 9E 83 F4 A7 DE 69 BF BC 4A D5 E1 88 FE DD"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableSecureUIAPaths" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows Live Messenger" = "C:\Windows\System32\drivers\winlogon.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\3059beda9d52aa1d56be4531b121ade7\DEBUG]
"Trace Level"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 1036 bytes in size. The following strings are added to the hosts file listed below:

96.125.162.84	www.viabcp.com

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:1912
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\ms.doc (1 bytes)
%System%\drivers\winlogon.exe (33 bytes)
%System%\drivers\etc\hosts (1 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows Live Messenger" = "C:\Windows\System32\drivers\winlogon.exe"
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Integracion
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2011
Legal Trademarks:
Original Filename: video.exe
Internal Name: video.exe
File Version: 1.0.0.0
File Description: Integracion
Comments:
Language: English (United Kingdom)

Company Name: Product Name: IntegracionProduct Version: 1.0.0.0Legal Copyright: Copyright (c) 2011Legal Trademarks: Original Filename: video.exeInternal Name: video.exeFile Version: 1.0.0.0File Description: IntegracionComments: Language: English (United Kingdom)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	17476	17920	3.87333	181c50061ddd1c10e3bd1da47304dff6
.sdata	32768	96	512	0.958512	2d7e1b55dd59c6fd768965ea24fd03cd
.rsrc	40960	12920	13312	3.51263	e35cfaf69b18a95d4515afd584a6e3e9
.reloc	57344	12	512	0.056519	1d8002c2d964ef4c414564d004a446c9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://hotelaziz.com/hotelreservation/install.txt
hxxp://www.hotelaziz.com/hotelreservation/install.txt	192.185.108.190

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /hotelreservation/install.txt HTTP/1.1

Host: VVV.hotelaziz.com

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 24 May 2014 05:52:17 GMT

Content-Type: text/plain

Content-Length: 1036

Connection: keep-alive

Last-Modified: Wed, 18 Jan 2012 19:49:12 GMT

Accept-Ranges: bytes

# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host..# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost................................................................................96.125.162.84 VVV.viabcp.com..96.125.162.84 viabcp.com..