HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Delf.Inject.Z (B) (Emsisoft), Trojan.Delf.Inject.Z (AdAware), Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7120d98d23064732c7e129616e7cdb43
SHA1: 28cfe42ce602742fffc6c9c790cc6a359bbcfc7c
SHA256: 9265ca927ea16594647f1c95e60832961ffe42b87869db207158f20117065517
SSDeep: 12288:Ngn/7/q6c7nANGe9WhzBXhGRTo7n7Cme5JDwItYc1FIt4kF58Pi4ma5X3XwzQ8:M/7GU59Whtx To77Je5JccEHxa5As8
Size: 565248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Apps installer
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
iexplore.exe:308
%original file name%.exe:464
%original file name%.exe:828
The Trojan injects its code into the following process(es):
iexplore.exe:508
Explorer.EXE:1572
File activity
The process iexplore.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts.sam (734 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\techload.dll (3361 bytes)
%WinDir%\wmiapsrv.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tm1.tmp.bat (76 bytes)
The Trojan deletes the following file(s):
C:\techload.dll (0 bytes)
Registry activity
The process iexplore.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B DE 01 A3 54 35 84 BB 34 88 49 D2 05 44 E9 B8"
The process iexplore.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 64 95 FF 92 84 A1 8D 26 D6 F9 0B A5 04 A4 92"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 45 93 82 03 C4 16 E2 44 FD 6C 87 95 F5 72 9B"
The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 7F 0E A6 D0 66 B6 3E 61 A7 77 2C E1 2F C1 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Intel Physical Address Extention 1.1]
"StubPath" = "%WinDir%\wmiapsrv.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"Intel Physical Address Extention 1.1" = "²¨¬¤µ¶·³ë ½ ¹Œ«± ©å•Â¼¶¬¦¤©å„¡¡· ¶¶å€½± «±¬ª«åôëô¹"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"wmiapsrv.exe" = "wmiapsrv"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"~tm1.tmp.bat" = "~tm1.tmp"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Physical Address Extention 1.1" = "%WinDir%\wmiapsrv.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 5b3df586d03acdcbf5e3750d02e2e330 | c:\WINDOWS\system32\fxsocm32.dll |
| 4d42ccd2a4f98a2bfe74462de06bd688 | c:\WINDOWS\system32\trnsprov32.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
iexplore.exe:308
%original file name%.exe:464
%original file name%.exe:828 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\etc\hosts.sam (734 bytes)
C:\techload.dll (3361 bytes)
%WinDir%\wmiapsrv.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tm1.tmp.bat (76 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Physical Address Extention 1.1" = "%WinDir%\wmiapsrv.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 14960 | 15360 | 4.41844 | 602737e3121581d8c13fd99caa26a2a0 |
| DATA | 20480 | 204 | 512 | 1.6113 | 4d0ec5ff770d7012b57140d03816bb14 |
| BSS | 24576 | 3193 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 28672 | 1036 | 1536 | 2.26761 | 8070507d1a2ec771e82a530a59b192b6 |
| .tls | 32768 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 36864 | 24 | 512 | 0.136854 | 5788643ead451a381866b8d922ec21b6 |
| .reloc | 40960 | 1228 | 1536 | 4.07207 | ab07b3b31ac4f864a2513a620870d068 |
| .rsrc | 45056 | 372600 | 372736 | 5.54481 | e4a996f203014f677f62b936d8e8e7d3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
iexplore.exe_508:
%?9-*09,*19}*09
%?9-*09,*19}*09
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
SHLWAPI.dll
SHLWAPI.dll
SHDOCVW.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
IE-X-X
rsabase.dll
rsabase.dll
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
dw15 -x -s %u
watson.microsoft.com
watson.microsoft.com
IEWatsonURL
IEWatsonURL
%s -h %u
%s -h %u
iedw.exe
iedw.exe
Iexplore.XPExceptionFilter
Iexplore.XPExceptionFilter
jscript.DLL
jscript.DLL
mshtml.dll
mshtml.dll
mlang.dll
mlang.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
shdocvw.DLL
shdocvw.DLL
browseui.DLL
browseui.DLL
comctl32.DLL
comctl32.DLL
IEXPLORE.EXE
IEXPLORE.EXE
iexplore.pdb
iexplore.pdb
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
IExplorer.EXE
IExplorer.EXE
IIIIIB(II<.Fg
IIIIIB(II<.Fg
7?_____ZZSSH%
7?_____ZZSSH%
)z.UUUUUUUU
)z.UUUUUUUU
,....Qym
,....Qym
````2```
````2```
{.QLQIIIKGKGKGKGKGKG
{.QLQIIIKGKGKGKGKGKG
;33;33;0
;33;33;0
8888880
8888880
8887080
8887080
browseui.dll
browseui.dll
shdocvw.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5512 (xpsp.080413-2105)
Windows
Windows
Operating System
Operating System
6.00.2900.5512
6.00.2900.5512
iexplore.exe_508_rwx_00150000_00001000:
%System%\fxsocm32.dll
%System%\fxsocm32.dll
iexplore.exe_508_rwx_00B30000_0004B000:
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
\\.\Scsi
\\.\Scsi
\\.\SMARTVSD
\\.\SMARTVSD
OuDpffRmwqsgkJmef{s
OuDpffRmwqsgkJmef{s
TMPPool.Cache: Invalid pointer
TMPPool.Cache: Invalid pointer
TMPPool.Obtain: Out of memory
TMPPool.Obtain: Out of memory
174 (blacklisted key)
174 (blacklisted key)
Keys
Keys
Passwords
Passwords
LastKey
LastKey
...NLK
...NLK
Incorrect Password!
Incorrect Password!
Please, contact ASProtect support!
Please, contact ASProtect support!
Windows
Windows
NT 3.%u
NT 3.%u
NT 4.%u
NT 4.%u
\SYSTEM\CurrentControlSet\Control\Windows\
\SYSTEM\CurrentControlSet\Control\Windows\
P6 (Model %d)
P6 (Model %d)
%dx86
%dx86
%d.%d.%d.%d
%d.%d.%d.%d
HELO User.With.Error
HELO User.With.Error
Eip: %x
Eip: %x
Eax: %x
Eax: %x
Ecx: %x
Ecx: %x
Edx: %x
Edx: %x
Ebx: %x
Ebx: %x
Esi: %x
Esi: %x
Edi: %x
Edi: %x
Ebp: %x
Ebp: %x
Esp: %x
Esp: %x
Code = [%d]
Code = [%d]
- [%s]
- [%s]
08:,50*65=(450
08:,50*65=(450
KERNEL32.DLL
KERNEL32.DLL
NTDLL.DLL
NTDLL.DLL
ADVAPI32.DLL
ADVAPI32.DLL
\\.\SICE
\\.\SICE
\\.\NTICE
\\.\NTICE
\\.\SIWVID
\\.\SIWVID
MyKeys
MyKeys
Software\ASProtect\Key
Software\ASProtect\Key
aspr_keys.ini
aspr_keys.ini
WebX
WebX
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegQueryInfoKeyA
RegQueryInfoKeyA
RegEnumKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyExA
GetCPInfo
GetCPInfo
version.dll
version.dll
gdi32.dll
gdi32.dll
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
5 5$5(5,5
5 5$5(5,5
: :$:(:;;
: :$:(:;;
4#4#5?5\5
4#4#5?5\5
6$6(6,6064686<6@6
6$6(6,6064686<6@6
="=&=*=.=2=6= ?$?(?,?0?4?8?
="=&=*=.=2=6= ?$?(?,?0?4?8?
|kernel32.dll
|kernel32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
Enter Mode Password:
Enter Mode Password:
Submit Report
Submit Report
iexplore.exe_508_rwx_00CF0000_00002000:
%SWVU
%SWVU
\\.\SICE
\\.\SICE
\\.\NTICE
\\.\NTICE
The procedure %s could not be located in the DLL %s.
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
iexplore.exe_508_rwx_00EF0000_00001000:
73|$(3|$
73|$(3|$
iexplore.exe_508_rwx_13101000_00013000:
kernel32.dll
kernel32.dll
HTTP/1.1
HTTP/1.1
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)
00000000
00000000
wininet.dll
wininet.dll
DeleteUrlCacheEntry
DeleteUrlCacheEntry
drivers\etc\hosts.sam
drivers\etc\hosts.sam
http://www.google.com
http://www.google.com
&status=1&version=3.0&build=beta3.0.3&task=notify&servu=1&oid=1&cmd=xray&uptime=
&status=1&version=3.0&build=beta3.0.3&task=notify&servu=1&oid=1&cmd=xray&uptime=
webyatom
webyatom
switch.inf
switch.inf
wmiapsrv.exe
wmiapsrv.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
KWindows
KWindows
%SWVU
%SWVU
5^6.CgR
5^6.CgR
\\.\SICE4Y
\\.\SICE4Y
dur%s
dur%s
iexplore.exe_508_rwx_13115000_00001000:
|kernel32.dll
|kernel32.dll
kernel32.dll
kernel32.dll
advapi32.dll
advapi32.dll
user32.dll
user32.dll
wsock32.dll
wsock32.dll
msvcrt.dll
msvcrt.dll
oleaut32.dll
oleaut32.dll
GetKeyboardType
GetKeyboardType
y9FRÀ
y9FRÀ
Explorer.EXE_1572_rwx_00FF0000_00001000:
%System%\trnsprov32.dll
%System%\trnsprov32.dll
Explorer.EXE_1572_rwx_01EA0000_00001000:
%System%\trnsprov32.dll
%System%\trnsprov32.dll
Explorer.EXE_1572_rwx_01FA1000_0000C000:
autorun.inf
autorun.inf
autorun.bat
autorun.bat
autorun.vbs
autorun.vbs
open=autorun.bat
open=autorun.bat
shellexecute=autorun.bat
shellexecute=autorun.bat
shell\Auto\command=autorun.bat
shell\Auto\command=autorun.bat
shell\explore\Command=autorun.bat
shell\explore\Command=autorun.bat
%~d0\autorun.vbs
%~d0\autorun.vbs
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists("
If objFSO.FileExists("
set WshShell = CreateObject("WScript.Shell")
set WshShell = CreateObject("WScript.Shell")
WshShell.Run "
WshShell.Run "
WSCript.Quit
WSCript.Quit
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
wmiapsrv.exe
wmiapsrv.exe
webyatom
webyatom
KWindows
KWindows
%SWVU
%SWVU
\\.\SICE
\\.\SICE
%suldw
%suldw
26/26/26
26/26/26
Explorer.EXE_1572_rwx_01FB1000_00001000:
kernel32.dll
kernel32.dll
Explorer.EXE_1572_rwx_01FD0000_00002000:
%SWVU
%SWVU
\\.\SICE
\\.\SICE
\\.\NTICE
\\.\NTICE
The procedure %s could not be located in the DLL %s.
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.