Trojan.Win32.Generic!BT (VIPRE), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e81429b4f7182be025ab77d8f17a128b
SHA1: 913eae8ca4c42275ac0e73b0f421368c8e254633
SHA256: 408bf3d0934926a841427d4221c3dde81e6b41f9415c6792494457aa1d88fc64
SSDeep: 3072:YhVjK0 AfVCvTXPrNApbmy6QhrIFCXMCFV9n6e3NQmeHyTbbgLL7RGRHtD6 o9vI:EVaAfqPrNsXc/SF6jH0Gy1eJM
Size: 270848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-05 20:13:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wuauclt.exe:344
Reader_sl.exe:1064
{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:1320
{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:1752
{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:332
%original file name%.exe:604
%original file name%.exe:440
%original file name%.exe:2020
000565E5.exe:384
000565E5.exe:1248
jusched.exe:1056
The Trojan injects its code into the following process(es):
minerd.exe:212
notepad.exe:1208
000565E5.exe:1756
File activity
The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:2020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe (270 bytes)
The process 000565E5.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\minerd.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pthreadGC2.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\libcurl-4.dll (1727 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process minerd.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 B3 F4 80 A9 72 BB 7C E4 13 2F BF C7 B0 EE 12"
The process {56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 93 86 91 8A 2D 72 34 B6 4B CC 46 1C 8E B5 7E"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1391624015"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
The process {56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
The process {56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 79 B5 54 E2 64 FE C7 65 8E 7B 3F 8B EE D3 88"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1391624015"
"Name" = "{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe"
The process notepad.exe:1208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE A3 9B 50 6B 9F 49 6A 07 DB 9B 91 A5 4D CF E9"
The process %original file name%.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
The process %original file name%.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF A1 A6 EF 96 B5 98 0D A5 28 4E C4 BF EC 4A BF"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1391624015"
"Name" = "%original file name%.exe"
The process %original file name%.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 75 7F 59 5D 2B 4E A5 AA 5C A7 59 B0 4B B0 F7"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1391624015"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
The process 000565E5.exe:1248 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://www.rekurigo.com/ | 223.197.12.164 |
| hxxp://www2.0zz0.com/2014/02/13/22/802311435.png | 72.55.188.211 |
| hxxp://www13.0zz0.com/2014/03/01/16/978019914.png | 67.205.96.37 |
| ealorumlae.org | 205.209.131.98 |
| www.hyardu.org | 46.226.105.252 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
DbgUiRemoteBreakin
ZwSetValueKey
NtResumeThread
NtQueryDirectoryFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:1320
{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:1752
{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe:332
%original file name%.exe:604
%original file name%.exe:440
%original file name%.exe:2020
000565E5.exe:384
000565E5.exe:1248
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\{56b9847d-84c6-cb43-0f57-43d056b9847d}.exe (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\minerd.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pthreadGC2.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\libcurl-4.dll (1727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.