HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Farfli.FD, Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 63c295e1e055628d861a3f466baede4c
SHA1: 88d726d3d0aca2f2665540293f9c164835efd49f
SHA256: 6ea7a8686ef61989481fe7534b4b0ac2350cbdeddd85b7a26e9f99b8150169aa
SSDeep: 12288:fhkDgYuVA2nxKkozvdRgQriDwOIQmxiZnYQE7PJcD4alldLIDBSQP0B9Hc:lBmJk8oQricOIvxiZY15albk3W6
Size: 872169 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
%original file name%.exe:668
dwwin.exe:2968
ctfmon.exe:252
The Worm injects its code into the following process(es):
%original file name%.exe:2684
File activity
The process %original file name%.exe:2684 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HostUpdate.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f52_appcompat.txt (7056 bytes)
%System%\dwwin.exe (1836 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\9PD50o.cfg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallDir\scvost.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jaa1.tmp (11010 bytes)
The process dwwin.exe:2968 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\72018.dmp (85671 bytes)
Registry activity
The process %original file name%.exe:2684 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 34 0C 19 A6 4E 48 49 9C 3B 82 66 A8 8E 5A 34"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HostUpdate.exe"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process %original file name%.exe:668 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 1B 4F F4 4B 34 CA EC 24 31 43 D9 CF 81 C0 41"
The process ctfmon.exe:252 makes changes in the system registry.
The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Worm modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | jL.chura.pl |
Rootkit activity
The Worm installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:668
dwwin.exe:2968 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\HostUpdate.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f52_appcompat.txt (7056 bytes)
%System%\dwwin.exe (1836 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\9PD50o.cfg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallDir\scvost.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jaa1.tmp (11010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\72018.dmp (85671 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\HostUpdate.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.