Gen:Variant.FAkeAlert.105 (BitDefender), MonitoringTool:Win32/Ardamax (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Ardamax.nbq (v) (VIPRE), Trojan.KeyLogger.21938 (DrWeb), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Keylog-FAQ!73581B56CAB1 (McAfee), Win32.SuspectCrc (Ikarus), Gen:Variant.FAkeAlert.105 (FSecure), Ardamax.BZV (AVG), Win32:PUP-gen [PUP] (Avast), TROJ_GEN.R08NC0FBL14 (TrendMicro), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, Monitor, PUP, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 73581b56cab1349aa939ebc21e010a7a
SHA1: dff3be1d541a3aeb3d0763b27fef9e20dd4bd49f
SHA256: 3aab9513e34529148678ce55e9456775f74b5afad8e5e785bcf7c836b31a13a6
SSDeep: 49152:2aBdfxP I2kpCPeSNDS1oOY7cm11n3LXH8u8ns:2aVbutDnbXqns
Size: 2069504 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-10 15:18:52
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The SpyTool creates the following process(es):
%original file name%.exe:924
The SpyTool injects its code into the following process(es):
VIN.exe:1392
File activity
The process %original file name%.exe:924 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.02 (56 bytes)
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.00 (1 bytes)
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.exe (15021 bytes)
Registry activity
The process %original file name%.exe:924 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 9A 8D D6 B1 D0 40 D7 92 BE 7D 2B DC 61 01 64"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\OWEFRR]
"VIN.exe" = "VIN"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process VIN.exe:1392 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F A5 C8 92 AA 33 39 96 35 E5 9B A5 FD 58 75 9C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIN Start" = "%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.exe"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:924
- Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.02 (56 bytes)
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.00 (1 bytes)
%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.exe (15021 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIN Start" = "%Documents and Settings%\All Users\Application Data\OWEFRR\VIN.exe" - Reboot the computer.