Detections: HEUR:Trojan.Win32.Generic (Kaspersky), Dropped:Generic.Malware.SBdld.A4C9837C (B) (Emsisoft), Dropped:Generic.Malware.SBdld.A4C9837C (AdAware), GenericAutorunWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0501e04ace86a943d88c27ba58d266e9
SHA1: 151349bb063966743f3c25ade8118d71e53b43b6
SHA256: d145d0352e46b3bc2f2603c3277989d3fb4e262702b11580ebb3884132baf07c
SSDeep: 1536:GlehELCpJDL5KIoIWmJDRJacWnGpnyEctzyP4bGSenrUKz3xVdQZtACGU:Gle8Cj35gmJDRJgnGpn14bMrUQctAA
Size: 108313 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-03-31 18:09:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm that spreads via removable drives: it copies its executable to every removable drive and writes an "autorun.inf" script next to it. On systems where AutoRun for removable media is still enabled, the script launches the copy as soon as a user opens the drive in Windows Explorer. |
IRCBot | A bot that takes commands from a command-and-control server over an IRC channel. |
Process activity
The malware creates the following process(es):
%original file name%.exe:1588
asofsrvs.exe:652
Zer0xMod.exe:1252
The malware does not inject code into any other process.
File activity
The process %original file name%.exe:1588 makes changes in the file system.
The malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Zer0xMod.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stub_2014-04-02.Bin (1568 bytes)
The malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
The process Zer0xMod.exe:1252 makes changes in the file system.
The malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\asofsrvs.exe (35 bytes)
Registry activity
The process %original file name%.exe:1588 makes changes in the system registry.
The malware creates and/or sets the following values in the system registry. Note that the Seed value under HKLM\SOFTWARE\Microsoft\Cryptography\RNG is rewritten by CryptoAPI whenever a process requests random bytes, and the Shell Folders and MountPoints2 entries are written by the shell when a process resolves special folders or enumerates drives; those entries are side effects of running any program in the sandbox, not indicators of this sample:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 78 69 8E ED 1F 06 3A 57 72 68 1B 2E 1E 35 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Zer0xMod.exe" = "Zer0xMod"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The malware also sets the Internet Explorer ZoneMap values that place intranet-style names, UNC paths and proxy-bypassing hosts in the Local Intranet zone. These three values correspond to the default check boxes of the "Local intranet" zone dialog and are frequently written by Windows itself, so treat them as weak indicators:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (include all local intranet sites not listed in other zones)
"UNCAsIntranet" = "1" (include all network paths (UNCs))
"ProxyBypass" = "1" (include all sites that bypass the proxy server)
The process asofsrvs.exe:652 makes changes in the system registry.
The malware creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 10 1A 2E 4F 8C 4C CA F6 92 05 3F 63 DD DC 7B"
The process Zer0xMod.exe:1252 makes changes in the system registry.
The malware creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F ED 9A 9D DC 0C 0C 88 DE 4B 55 EA 4A B2 9F EA"
To run automatically each time Windows boots, the malware adds the following value pointing to its file under the Run key. It writes the value under both HKCU and HKLM; the HKLM copy can only be created when the sample runs with administrative rights, as it did in this analysis:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AsofServices" = "%Documents and Settings%\%current user%\Application Data\asofsrvs.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsofServices" = "%Documents and Settings%\%current user%\Application Data\asofsrvs.exe"
Dropped PE files
MD5 | File path |
---|---|
644efdfad3da907eb42b01c24a2a666e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\asofsrvs.exe |
644efdfad3da907eb42b01c24a2a666e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Zer0xMod.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
The worm spreads via removable drives: it copies its executable to every removable drive and writes an "autorun.inf" script next to it. On systems where AutoRun for removable media is still enabled, the script launches the copy as soon as a user opens the drive in Windows Explorer. The string dump at the end of this report also shows it writing a Desktop.ini with the Recycle Bin CLSID ({645FF040-5081-101B-9F08-00AA002F954E}) and the SHELL32.dll,4 icon, which makes the folder holding the copy render as a system object rather than as an ordinary folder.
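The removable-drive artifacts described above, together with the self-deletion batch file whose fragments (`%s\removeMe%i%i%i%i.bat`, `del "%s">nul`, `if exist "%s" goto Repeat`, `ping 1.1.1.1 -w 5000 >nul`) appear in the string dump at the end of this report, are what an analyst checks first on a suspect USB stick or Temp folder. The following Python script is an added example written for this page; it is not part of the Lavasoft report or of the sample. The directory tree it scans is constructed inline, because the report does not show the contents of the autorun.inf the worm writes: the `open=` line, the `Recycler` folder name and the order of lines in the batch stub are assumptions about what such files typically contain.

```python
"""Triage of the on-disk artifacts this report attributes to the worm.

Added example for this page (not Lavasoft's or the sample's code).
Scans a directory tree the way an analyst checks a mounted USB stick
or a user's Temp folder and reports:

  * autorun.inf files whose open= / shellexecute= / shell\...\command=
    entries launch a program when the drive is opened
  * Desktop.ini files whose CLSID is the Recycle Bin CLSID seen in the
    string dump, which makes a folder render as a system object
  * removeMe*.bat self-deletion stubs matching the del / if exist ...
    goto Repeat / ping -w 5000 fragments in the string dump

Everything written by build_fixture() is constructed for the demo.
"""
import configparser
import re
import tempfile
from pathlib import Path
from typing import List

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
AUTORUN_EXEC_KEYS = ("open", "shellexecute")
# del "<path>">nul ... if exist "<path>" goto Repeat, same path both times
SELF_DELETE_RE = re.compile(
    r'^del\s+"(?P<target>[^"]+)"\s*>\s*nul\s*$.*?'
    r'^if\s+exist\s+"(?P=target)"\s+goto\s+Repeat',
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)


def _read_ini(path: Path) -> configparser.ConfigParser:
    """Parse an INI-style file leniently; % stays literal (no interpolation)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read_string(path.read_text(errors="replace"))
    return cfg


def check_autorun_inf(path: Path) -> List[str]:
    try:
        cfg = _read_ini(path)
    except configparser.Error:
        return [f"{path}: unparseable autorun.inf"]
    findings = []
    for section in cfg.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cfg.items(section):   # keys are lower-cased by configparser
            launches = key in AUTORUN_EXEC_KEYS or (
                key.startswith("shell") and key.endswith("command"))
            if launches and value:
                findings.append(f"{path}: [autorun] {key}={value}")
    return findings


def check_desktop_ini(path: Path) -> List[str]:
    try:
        cfg = _read_ini(path)
    except configparser.Error:
        return []
    findings = []
    for section in cfg.sections():
        if section.lower() != ".shellclassinfo":
            continue
        for key in ("clsid", "clsid2"):
            value = (cfg.get(section, key, fallback="") or "").strip().upper()
            if value == RECYCLE_BIN_CLSID:
                findings.append(f"{path}: Desktop.ini masquerades as the Recycle Bin ({key})")
    return findings


def check_self_delete_bat(path: Path) -> List[str]:
    match = SELF_DELETE_RE.search(path.read_text(errors="replace"))
    if not match:
        return []
    return [f"{path}: self-deletion stub looping until {match.group('target')} is gone"]


def triage_tree(root: Path) -> List[str]:
    """Walk root and apply the check matching each file name."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == "autorun.inf":
            findings.extend(check_autorun_inf(path))
        elif name == "desktop.ini":
            findings.extend(check_desktop_ini(path))
        elif name.startswith("removeme") and name.endswith(".bat"):
            findings.extend(check_self_delete_bat(path))
    return findings


def build_fixture() -> Path:
    """Constructed sample tree: a fake USB root (E), a clean one (F), a Temp dir."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "E" / "Recycler").mkdir(parents=True)
    (root / "E" / "autorun.inf").write_text(            # assumed layout
        "[autorun]\nopen=asofsrvs.exe\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    (root / "E" / "Recycler" / "Desktop.ini").write_text(
        "[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    (root / "F").mkdir()
    (root / "F" / "autorun.inf").write_text("[autorun]\nlabel=Backup\n")  # benign
    (root / "Temp").mkdir()
    (root / "Temp" / "removeMe1234.bat").write_text(    # assumed line order
        ':Repeat\r\ndel "C:\\dropper.exe">nul\r\n'
        'if exist "C:\\dropper.exe" goto Repeat\r\n'
        'ping 1.1.1.1 -w 5000 >nul\r\n')
    return root


if __name__ == "__main__":
    for finding in triage_tree(build_fixture()):
        print(finding)
```

Point triage_tree() at a mounted drive root or at %TEMP% instead of the fixture to use it on a real system. Whether or not AutoRun would actually fire on the host, an autorun.inf that launches an executable and a Desktop.ini borrowing the Recycle Bin CLSID are evidence that the drive has been touched by this kind of worm.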
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate the malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1588
asofsrvs.exe:652
Zer0xMod.exe:1252
- Delete the original malware file.
- Delete or disinfect the following files created/modified by the malware:
%Documents and Settings%\%current user%\Local Settings\Temp\Zer0xMod.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stub_2014-04-02.Bin (1568 bytes)
%Documents and Settings%\%current user%\Application Data\asofsrvs.exe (35 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AsofServices" = "%Documents and Settings%\%current user%\Application Data\asofsrvs.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsofServices" = "%Documents and Settings%\%current user%\Application Data\asofsrvs.exe"
- Find and delete all copies of the worm's file together with the "autorun.inf" scripts on removable drives.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 22938 | 23040 | 4.4974 | b45ccdd15edee1baca8064a4b20635b0 |
.rdata | 28672 | 4324 | 4608 | 3.49045 | 9a4c5d765a28fb9f7efb6896024d70dd |
.data | 36864 | 3775508 | 1024 | 3.46438 | 44b4c1a8b7b954d45ab0e80c3c998752 |
.ndata | 3813376 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 3846144 | 11632 | 11776 | 3.78431 | d21535eee11c6ca074f82d8e294d919d |
The .ndata section (raw size 0, section MD5 equal to the MD5 of empty input) is the uninitialised-data section used by Nullsoft (NSIS) installer stubs, and the nss1.tmp file deleted at run time follows the ns*.tmp naming NSIS uses for its temporary files. The outer 108313-byte file is therefore best read as an NSIS-packaged dropper whose payload is Zer0xMod.exe.
No related samples are listed for this file (Dropped from, Downloaded by, Similar by SSDeep, Similar by Lavasoft Polymorphic Checker).
Network Activity
The report lists no URLs, IDS verdicts (Suricata alerts, Emerging Threats ET ruleset) or traffic for this run.
Strings from Dumps
asofsrvs.exe_652:
.text
`.rdata
@.data
user32.dll
GetWindowsDirectoryA
KERNEL32.dll
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
SHLWAPI.dll
URLDownloadToFileA
urlmon.dll
GetCPInfo
%s\%s
del "%s">nul
if exist "%s" goto Repeat
ping 1.1.1.1 -w 5000 >nul
%s\removeMe%i%i%i%i.bat
NICK
JOIN
PRIVMSG
%s :%s
%s %s :%s
%s %s
%s %s %s
%s %s "" "lol" :%s
Gtfo! Wr0ng PaSS!
Vup.exe
Missing Parms: -IP- -Port- -Packets- -Size- -Delay- -TimeOut-
Missing Parms: -IP- -Port- -Packets- -TimeOut-
FAiLED 2 ExECuTe! [ A.V DETECTION ].
DoWnLoaDeD & ExECuTeD!
shlwapi.dll
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
login
join
asofsrvs.exe
VanaDiuM iRC BOT v1.3.0.
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%Documents and Settings%\%current user%\Application Data\asofsrvs.exe
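The IRC protocol strings in the dump (NICK, JOIN, PRIVMSG, the `%s %s "" "lol" :%s` registration format, and the bot's canned output such as `Gtfo! Wr0ng PaSS!`, the two `Missing Parms:` usage messages of its flood command, `FAiLED 2 ExECuTe!` and `DoWnLoaDeD & ExECuTeD!` from its URLDownloadToFileA download-and-run routine, and the `VanaDiuM iRC BOT v1.3.0.` banner) are enough to recognise this bot's traffic on the wire even though the sandbox captured no network activity. The Python below is an added example written for this page, not code from the report or the sample: a minimal RFC 1459 message parser plus a classifier that flags lines matching those strings. The session in SAMPLE_LINES is constructed for the demo. The operator-side command syntax (the `login` and `join` words in the dump) cannot be recovered from the strings and is not guessed here, so the classifier keys on the bot's own output.

```python
"""Recognising this bot's IRC traffic from the strings in the dump.

Added example for this page, not code from the Lavasoft report. The
parser handles RFC 1459 framing (optional :prefix, command, middle
params, :trailing); the classifier flags what the dump supports: the
USER registration built from '%s %s "" "lol" :%s' and PRIVMSGs that
carry the bot's own canned replies. SAMPLE_LINES is a constructed
session, since the sandbox recorded no traffic for this run.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Literal bot output seen in the asofsrvs.exe string dump.
BOT_REPLIES = (
    "Gtfo! Wr0ng PaSS!",                      # presumably a rejected login
    "Missing Parms: -IP- -Port- -Packets-",   # common prefix of both flood usage lines
    "FAiLED 2 ExECuTe! [ A.V DETECTION ].",
    "DoWnLoaDeD & ExECuTeD!",                 # URLDownloadToFileA + ShellExecuteA path
    "VanaDiuM iRC BOT v1.3.0.",
)
# Fixed part of the registration format string '%s %s "" "lol" :%s'.
USER_FORMAT_TAIL = ' "" "lol" :'


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)
    trailing: Optional[str] = None


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command, params and trailing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):                 # ":nick!user@host COMMAND ..."
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                         # everything after the first " :" is one param
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC message")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


def classify(line: str) -> List[str]:
    """Return the indicators matched by one line (empty list if none)."""
    msg = parse_irc_line(line)
    hits = []
    if msg.command == "USER" and USER_FORMAT_TAIL in line:
        hits.append("USER registration matches the bot's '%s %s \"\" \"lol\" :%s' format")
    if msg.command == "PRIVMSG" and msg.trailing:
        for reply in BOT_REPLIES:
            if reply in msg.trailing:
                hits.append(f"PRIVMSG carries bot output {reply!r}")
    return hits


def scan_session(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Classify every line; return (1-based line number, hits) for flagged lines."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        hits = classify(line)
        if hits:
            flagged.append((number, hits))
    return flagged


# Constructed session: the bot's own lines have no prefix, operator lines
# relayed by the server carry a :nick!user@host prefix. Operator text is
# kept generic because the bot's command syntax is not in the dump.
SAMPLE_LINES = [
    "NICK bot1234",
    'USER bot1234 "" "lol" :bot1234',
    "JOIN #chan",
    ":op!op@example PRIVMSG #chan :hello",
    "PRIVMSG #chan :Gtfo! Wr0ng PaSS!",
    ":op!op@example PRIVMSG bot1234 :status",
    "PRIVMSG #chan :Missing Parms: -IP- -Port- -Packets- -Size- -Delay- -TimeOut-",
    "PRIVMSG #chan :DoWnLoaDeD & ExECuTeD!",
]


if __name__ == "__main__":
    for number, hits in scan_session(SAMPLE_LINES):
        print(f"line {number}: " + "; ".join(hits))
```

Fed with the payload of a reassembled TCP stream (IRC is line-oriented, so splitting on CRLF is enough), scan_session() points at the exact lines that identify the bot; the same literals can be dropped into a Suricata content match or a YARA rule for the unpacked asofsrvs.exe.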