Backdoor.Mask.E (BitDefender), TrojanDropper:Win32/Seedna.A (Microsoft), Trojan.Win32.Careto.au (Kaspersky), Trojan.Win32.Mask.a (v) (VIPRE), Trojan.Siggen6.9085 (DrWeb), Backdoor.Mask.E (B) (Emsisoft), BackDoor-FBRF (McAfee), Backdoor.Weevil.B (Symantec), Backdoor.Mask (Ikarus), Backdoor:W32/Mask.A (FSecure), Pakes.MLY (AVG), Win32:Malware-gen (Avast), BKDR_CARETO.A (TrendMicro), Backdoor.Mask.E (AdAware)Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: cdc03f14052a73cc9d3d1d5d752d9d04
SHA1: a1bd3f225ea19b4963d7983bffc5d342d8d6148b
SHA256: 892511916b92794a92ea698ab3ae78d51a5958e9a4d175f2b05a5af0f3e1ef16
SSDeep: 6144:5PVxLB2LB5XFfTBhZg/e74vm5U6yjRx4Rj6aLmWhh30k974q5j kCCI8:jx9cB51fTBN74F6o0/EkOyj DCI8
Size: 348264 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SoftWarehouse
Created at: 2013-05-09 14:20:08
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
___2.tmp:232
%original file name%.exe:1948
The Backdoor injects its code into the following process(es):No processes have been created.
File activity
The process ___2.tmp:232 makes changes in the file system.
The Backdoor deletes the following file(s):
C:\CDC03F14052A73CC9D3D1D5D752D9D04.EXE (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\awcodc32.dll (24576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\___2.tmp (9320 bytes)
%System%\bootfont.bin (122912 bytes)
%System%\vchw9x.dll (20992 bytes)
%System%\drivers\scsimap.sys (14464 bytes)
%System%\jpeg1x32.dll (31744 bytes)
%System%\awdcxc32.dll (8192 bytes)
%System%\mfcn30.dll (17920 bytes)
Registry activity
The process %original file name%.exe:1948 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E D3 42 59 2D 13 E2 89 AF 36 98 3F 3F 22 22 7C"
[HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher" = "2"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"
[HKLM\System\CurrentControlSet\Services\scsimap\Params]
"Value" = "52 1B 30 EA 58 DF 82 88 60 94 B8 B7 F4 C1 83 1E"
Dropped PE files
| MD5 | File path |
|---|---|
| 8102aef50b9c7456f62cdbeefa5fa9de | c:\Documents and Settings\test\Local Settings\Temp\___2.tmp |
| f28990d580f42050e4897cb52a1fb026 | c:\WINDOWS\system32\awcodc32.dll |
| dede43ebe5f8a4b0aabfd0679b051e9e | c:\WINDOWS\system32\awdcxc32.dll |
| 4a0af770e172abb09e3691a81f9a6572 | c:\WINDOWS\system32\drivers\scsimap.sys |
| c2ba81c0de01038a54703de26b18e9ee | c:\WINDOWS\system32\jpeg1x32.dll |
| 5024ce13efab0e531c4e09b98def1287 | c:\WINDOWS\system32\mfcn30.dll |
| f46da52833c1078ed8b62276acbe9f1b | c:\WINDOWS\system32\vchw9x.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN" the Backdoor controls creation and closing of processes by installing the process notifier.
Using the driver "UNKNOWN" the Backdoor controls loading executable images into a memory by installing the Load image notifier.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
___2.tmp:232
%original file name%.exe:1948 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\awcodc32.dll (24576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\___2.tmp (9320 bytes)
%System%\bootfont.bin (122912 bytes)
%System%\vchw9x.dll (20992 bytes)
%System%\drivers\scsimap.sys (14464 bytes)
%System%\jpeg1x32.dll (31744 bytes)
%System%\awdcxc32.dll (8192 bytes)
%System%\mfcn30.dll (17920 bytes) - Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 80233 | 80384 | 4.65699 | 696475cd3808bd77abb8e1e906fa92aa |
| .rdata | 86016 | 25974 | 26112 | 4.61538 | 1fc13f5d9019589f1695011a67155307 |
| .data | 114688 | 15184 | 4608 | 1.56666 | c75e8e0eaa5c089b2cfb661fafeeca35 |
| .rsrc | 131072 | 456 | 512 | 3.49467 | 0bab4e0138369ac87417ec3bd9758cb0 |
| .inf | 135168 | 230974 | 233472 | 5.53613 | 42e91416945440caf237ca5e4c0c33d7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic