HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.706 (B) (Emsisoft), Gen:Variant.Barys.706 (AdAware), Backdoor.Win32.PcClient.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7eb2739b71ba46b746c2b0806b7a525b
SHA1: 9f19efeb06cc578a45f4f91ade003e3976194783
SHA256: 85d2de1a0edb6e2a6337cf4f32b70139a22e10b50c51c418baf4caf7ca964ac2
SSDeep: 12288:8EEjY58fslFE4JxfivsRzm1rV/2r OxVKh6hqxc1/ODg7Apmiq3J6g5nkjhGEWUo:zxXiOxoH BIt61
Size: 833536 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Piriform Ltd
Created at: 2014-04-27 04:40:31
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
dllhost.exe:1780
wscript.exe:1712
wuauclt.exe:540
rundll32.exe:1576
%original file name%.exe:1232
dumprep.exe:1124
dumprep.exe:1864
The Backdoor injects its code into the following process(es):
No processes have been created.
File activity
The process dllhost.exe:1780 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\appcompat.txt (1895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\manifest.txt (7542 bytes)
The process wuauclt.exe:540 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1232 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\java2.bat (149 bytes)
%WinDir%\Temp\dllhost.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\per.bat (126 bytes)
%System%\drivers\etc\hosts (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\java.bat (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (78 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\java.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\java2.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (0 bytes)
The process dumprep.exe:1124 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\dllhost.exe.mdmp (87761 bytes)
The process dumprep.exe:1864 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\dllhost.exe.hdmp (141427 bytes)
Registry activity
The process dllhost.exe:1780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 EC 54 DB A0 48 49 2D 54 5C 39 8A 03 86 3F E2"
The Backdoor deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process wscript.exe:1712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 9F C5 7B 4B 9B C6 4D E1 A4 A9 3F 39 08 69 31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"java2.bat" = "java2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process rundll32.exe:1576 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 4D 04 D9 18 05 2F 26 7E 81 25 0A 38 22 E9 3C"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\Temp]
"dllhost.exe" = "Visual Basic Command Line Compiler"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%WinDir%\Temp]
"dllhost.exe" = "EnableNXShowUI"
The process %original file name%.exe:1232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 25 1E 16 89 1A C6 ED E0 80 E0 02 F3 9C EE DB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"java.bat" = "java"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "%Documents and Settings%\%current user%\Local Settings\Temp\dllhost .exe"
The process dumprep.exe:1124 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 86 06 A3 61 7E 93 47 9C B7 BD 23 5E 2D 99 A8"
The process dumprep.exe:1864 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 E8 87 06 36 49 A5 1F 06 F1 7A 5E 8C 3C 44 7A"
Dropped PE files
MD5 | File path |
---|---|
67f5238229333c061092f5a32e8c2ee1 | c:\WINDOWS\Temp\dllhost.exe |
HOSTS file anomalies
The Backdoor modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 193 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | virustotal.com |
127.0.0.1 | vscan.novirusthanks.org |
127.0.0.1 | irusscan.jotti.org |
127.0.0.1 | virscan.org |
127.0.0.1 | www.virus-trap.org |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dllhost.exe:1780
wscript.exe:1712
wuauclt.exe:540
rundll32.exe:1576
%original file name%.exe:1232
dumprep.exe:1124
dumprep.exe:1864
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\appcompat.txt (1895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\manifest.txt (7542 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\java2.bat (149 bytes)
%WinDir%\Temp\dllhost.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\per.bat (126 bytes)
%System%\drivers\etc\hosts (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\java.bat (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\dllhost.exe.mdmp (87761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WERaff9.dir00\dllhost.exe.hdmp (141427 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "%Documents and Settings%\%current user%\Local Settings\Temp\dllhost .exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 2.2.1.3
Legal Copyright: Computer
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.2.3.2
File Description: Computer
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 831444 | 831488 | 2.87167 | 6caadde0f18640b680478f9b1686dc6b |
.rsrc | 843776 | 844 | 1024 | 2.6726 | 8ec877c5101ed4d33aa7295596f9a85a |
.reloc | 851968 | 12 | 512 | 0.067931 | 9fa96a46efa23f9bef93f1d7d1337b2c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
Strings from Dumps
dllhost.exe_1780:
.idata
.rdata
P.reloc
P.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
####@####
kernel32.dll
VBoxService.exe
SbieDll.dll
dbghelp.dll
Software\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
ShellExecuteA
shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
PSAPI.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords |
uURLHistory
Password:
abe2869f-9b47-4cd9-a358-c22904dba7f7
Password
UnitPasswords
advapi32.dll
WindowsLive:name=*
xxxyyyzzz.dat
\Mozilla Firefox\
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
(unnamed password)
explorer.exe
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
XX--XX--XX.txt
GetProcessHeap
user32.dll
oleaut32.dll
RegOpenKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
SetWindowsHookExA
GetKeyboardState
ole32.dll
pstorec.dll
crypt32.dll
KWindows
KuURLHistory
IEpasswords
rundll32.exe_1576:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s