Trojan.Win32.Generic!BT (VIPRE), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c2a43445066a2ed7ac2211d5e38b4047
SHA1: f8f00ac22872dc3a8af00d5eecdf6be4b0314eec
SHA256: 1f4e1d31778c37c3807fcfb7515e803a3609943bd8a51a34b77519d2e77fe52e
SSDeep: 6144:Tu6oli/W29vKVwLkxMZfYGRTlR6ufRhbKz:R/W29vKGLwMKG93Jw
Size: 283136 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2014-03-20 20:42:13
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
tmp589c9bb6.exe:1008
%original file name%.exe:1960
ykubn.exe:196
ykubn.exe:212
The Backdoor injects its code into the following process(es):No processes have been created.
File activity
The process tmp589c9bb6.exe:1008 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Lakao\ykubn.exe (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp520737e7.bat (189 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Lakao\ykubn.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Lakao (0 bytes)
The process %original file name%.exe:1960 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Lakao\ykubn.exe (283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8eafc4db.bat (177 bytes)
Registry activity
The process tmp589c9bb6.exe:1008 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 6B 77 8A 7E 33 3E FA D6 00 ED B1 C3 DA 0B 95"
[HKCU\Software\Microsoft\Pula]
"Myysto" = "95 C2 3A 68 66 FD B6 AA 87 04 0A 14 75 1C B6 00"
"Umzaowg" = "35 D6 08 60 0B 98 E5 1F 17 9B A3 79 40 E6 B7 DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableSPDY3_0" = "0"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{9E3E114F-ABBF-D144-5A4A-418346001DD6}"
The process %original file name%.exe:1960 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A D3 D9 2D 41 86 64 E2 39 C6 F1 D9 84 88 2C 23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process ykubn.exe:196 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 2C D8 82 0D BE C8 44 28 B6 74 DF F9 40 E7 EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process ykubn.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F EA 30 5E 2D 18 E9 E7 B8 9B 25 55 EA FC 7D 33"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://www.google.com/webhp | 74.125.226.241 |
| hxxp://www.google.ca/webhp?gfe_rd=cr&ei=6doyU-3hMY_O8ge0y4DABA | 74.125.226.248 |
| www.download.windowsupdate.com | 23.62.239.11 |
| seooptimisaion2traffic.com | 184.64.59.68 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpOpenRequestW
InternetConnectW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA
The Backdoor installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Backdoor installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Backdoor installs the following user-mode hooks in WS2_32.dll:
WSASend
WSARecv
send
closesocket
The Backdoor installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Backdoor installs the following user-mode hooks in ntdll.dll:
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tmp589c9bb6.exe:1008
%original file name%.exe:1960
ykubn.exe:196
ykubn.exe:212 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\Lakao\ykubn.exe (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp520737e7.bat (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8eafc4db.bat (177 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.