Gen:Variant.Sinowal.1 (BitDefender), Trojan.Win32.Fsysna.kzc (Kaspersky), Gen:Variant.Sinowal.1 (B) (Emsisoft), Artemis!9181C2E13726 (McAfee), Gen:Variant.Sinowal.1 (FSecure), Win32/Cryptor (AVG), Gen:Variant.Sinowal.1 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9181c2e137268c299775215e7ef1f025
SHA1: 4c81f21e831be8f6e5ceb6fb843f696d7f01e522
SHA256: 1a5581dcb6188f0239d3f3d11d4294c7abb555e3ff948caea50921ae3381a7a2
SSDeep: 49152:miCkE7zk7vUTDMTGGE/Qg9jpjz7rPR0lTTp2eu8 kP0GgbsS:WNErUTDRGaQg9jpjfKlTTEs ksk
Size: 2303488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-23 13:51:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
rundll32.exe:324
%original file name%.exe:1476
ctfmon.exe:536
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\zlib1.dll (88576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libjansson-4.dll (52736 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libcurl-4.dll (228352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer-rpc.exe (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\pthreadGC2.dll (99058 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer-rpc.exe (33280 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pdcurses.dll (102912 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\taskhost.exe (55296 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll.dll (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll64.dll (41984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker_jansson-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pthreadGC2.dll (87040 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libusb-1.0.dll (76800 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\minerd.exe (735709 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer.exe (1223680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pdcurses.dll (92672 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\zlib1.dll (98304 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\zlib1.dll (109568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pthreadGC2.dll (45056 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\libcurl-4.dll (633352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker_jansson-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libjansson-4.dll (66048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer.exe (846336 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libusb-1.0.dll (117760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libcurl-4.dll (238080 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe (166912 bytes)
Registry activity
The process rundll32.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 16 2C FB 4A 4B 1C B4 B5 8A 9C 01 91 22 0B 67"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Host Process" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe"
The process %original file name%.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 6D 69 C4 27 B2 F3 76 8D AC A9 EE F4 28 AA AB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process ctfmon.exe:536 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
rundll32.exe:324
%original file name%.exe:1476
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\zlib1.dll (88576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libjansson-4.dll (52736 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libcurl-4.dll (228352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer-rpc.exe (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\pthreadGC2.dll (99058 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer-rpc.exe (33280 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pdcurses.dll (102912 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\taskhost.exe (55296 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll.dll (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll64.dll (41984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker_jansson-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pthreadGC2.dll (87040 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libusb-1.0.dll (76800 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\minerd.exe (735709 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer.exe (1223680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pdcurses.dll (92672 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\zlib1.dll (98304 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\zlib1.dll (109568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pthreadGC2.dll (45056 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\libcurl-4.dll (633352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker_jansson-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libjansson-4.dll (66048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer.exe (846336 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libusb-1.0.dll (117760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libcurl-4.dll (238080 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe (166912 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Host Process" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe"