Trojan.Generic.10020557 (BitDefender), not-a-virus:RiskTool.Win32.BitCoinMiner.lrc (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.BtcMine.156 (DrWeb), Trojan.Generic.10020557 (B) (Emsisoft), Artemis!87BDBA077896 (McAfee), WS.Reputation.1 (Symantec), BV.Malware (Ikarus), Skodna.BitCoinMiner.DX (AVG), Win32:BitCoinMiner-FA [PUP] (Avast), TROJ_FAKELIB.B (TrendMicro)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 87bdba077896af4cd51a2bfc3d0c080a
SHA1: 324ec19d5f7960d73b13d43ee063ad16b2fd54cd
SHA256: 2dd9ecfcda919ae220689aa53843dc44ae29857caa205971405b321c5f8ed443
SSDeep: 12288:aat0EAH49n8BuA6iQG8nPn/hb64ulDgFD273sFDmS:1t249AoG8RbdulDgFa7Wv
Size: 581162 bytes
File type: broken
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-22 16:00:50
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). The detection names above (BitCoinMiner, BtcMine) and the libcurl/pthreads/zlib runtime dropped beside system.exe are consistent with a CPU Bitcoin miner; the deleted __tmp_rar_sfx_access_check_ file shows the sample is a WinRAR self-extracting archive that unpacks its payload into %WinDir%\syso\critical.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The not-a-virus creates the following process(es):
%original file name%.exe:1660
nircmd.exe:1620
nircmd.exe:1084
reg.exe:228
attrib.exe:1956
system.exe:484
The not-a-virus injects its code into the following process(es):
No code injection has been detected.
File activity
The process %original file name%.exe:1660 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
%WinDir%\syso\critical\zlib1.dll (100864 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (187904 bytes)
%WinDir%\syso\critical\nircmd.exe (43520 bytes)
The not-a-virus deletes the following file(s):
%WinDir%\syso\critical\__tmp_rar_sfx_access_check_7045609 (0 bytes)
Registry activity
The process %original file name%.exe:1660 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry (the RNG Seed, Shell Folders and MountPoints2 entries below are written by Windows itself during ordinary API use and are not indicators; the MUICache entry records that sys.bat was launched through the shell):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 2E 68 B1 E6 B8 96 F5 7F 59 CD 25 FA 75 76 A1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы" (Russian-locale sandbox: "Documents")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол" (Russian-locale sandbox: "Desktop")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол" (Russian-locale sandbox: "Desktop")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы" (Russian-locale sandbox: "My Documents")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The not-a-virus sets the following IE Local Intranet zone options. All three match IE's default Local Intranet configuration and are also written during sandbox runs of benign software, so on their own they are weak indicators:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (include all local intranet sites not listed in other zones in the Intranet Zone)
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Intranet Zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Intranet Zone)
The process nircmd.exe:1620 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 6D BA D7 F8 1B 0D A4 C5 36 FA BD 5B D1 8E 6A"
The process nircmd.exe:1084 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 94 8E 47 73 15 66 57 08 A4 EA 1F DC 93 2E AA"
The process reg.exe:228 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
To run at every boot, the not-a-virus uses reg.exe to add an autorun entry pointing to the dropped batch file (the display name "Windows Update" mimics a legitimate component):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"
The process attrib.exe:1956 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 6B 29 58 34 74 1C 4D 61 8B B9 0B 23 AA BB 6C"
The process system.exe:484 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 4B F5 FF 26 D0 AF 15 99 EB DB 90 C0 6C 3B E0"
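As an added triage example (not Lavasoft's code and not part of the original report), the following Python turns the File activity and Registry activity sections above into checks that run over a host inventory: full paths with sizes, as a directory listing gives them, and (key, value name, data) triples, as an autoruns export gives them. The drop directory, file names, sizes and the Run value are taken from the report; the sample inventory at the bottom is constructed. The rule that treats the libcurl-4.dll / pthreadGC2.dll / zlib1.dll triplet beside an unknown executable as worth a medium-severity look is my generalisation of the runtime dropped beside system.exe, not something the report states, and the noise-key list simply encodes which of the listed registry writes are OS housekeeping.

```python
"""Host triage for the indicators in this report (added example, not the report's own tooling)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Indicators transcribed from the File activity and Registry activity sections.
DROP_DIR = r"%WinDir%\syso\critical"
DROPPED_FILES = {
    "libcurl-4.dll": 245795, "zlib1.dll": 100864, "pthreadGC2.dll": 119888,
    "antivirus.bat": 129, "sys.bat": 337, "system.exe": 187904, "nircmd.exe": 43520,
}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows Update"

# Assumption (mine, not the report's): the MinGW-style runtime triplet dropped beside
# system.exe is common to CPU-miner builds, so the same three DLLs next to an
# unknown .exe outside Program Files deserve a medium-severity look.
MINER_RUNTIME = {"libcurl-4.dll", "pthreadgc2.dll", "zlib1.dll"}

# Keys the report lists that Windows writes itself during normal API use.
NOISE_KEY_FRAGMENTS = (
    r"\microsoft\cryptography\rng", r"\explorer\shell folders",
    r"\explorer\mountpoints2", r"\internet settings\zonemap",
)
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def expand(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %WinDir% and lower-case the path; NTFS lookups are case-insensitive."""
    return ntpath.normcase(path.replace("%WinDir%", windir))


def check_files(files: dict[str, int], windir: str = r"C:\Windows") -> list[Finding]:
    """files: full path -> size in bytes."""
    findings: list[Finding] = []
    drop_dir = expand(DROP_DIR, windir)
    sizes = {ntpath.normcase(n): s for n, s in DROPPED_FILES.items()}
    by_dir: dict[str, set[str]] = {}
    for path, size in files.items():
        directory, name = ntpath.split(expand(path, windir))
        by_dir.setdefault(directory, set()).add(name)
        if directory == drop_dir:
            note = "size matches report" if sizes.get(name) == size else "size differs from report"
            findings.append(Finding("high", f"{path}: in report drop directory ({note})"))
    for directory, names in by_dir.items():
        if directory == drop_dir or "program files" in directory:
            continue  # already reported above, or an install location treated as trusted here
        if MINER_RUNTIME <= names and any(n.endswith(".exe") for n in names):
            findings.append(Finding("medium", f"{directory}: miner runtime triplet beside an executable"))
    return findings


def check_run_values(values: list[tuple[str, str, str]], windir: str = r"C:\Windows") -> list[Finding]:
    """values: (key, value name, data) triples; Run keys and the report's noise keys are examined."""
    findings: list[Finding] = []
    drop_dir = expand(DROP_DIR, windir)
    trusted = (expand(r"%WinDir%\system32", windir), r"c:\program files")
    for key, name, data in values:
        key_l = ntpath.normcase(key)
        if key_l.endswith(r"\currentversion\run"):
            target = expand(data.strip('"'), windir)
            if ntpath.dirname(target) == drop_dir:
                findings.append(Finding("high", f"{name!r} -> {data}: autorun into report drop directory"))
            elif name.lower() == RUN_VALUE_NAME.lower() and not target.startswith(trusted):
                findings.append(Finding("high", f"{name!r} -> {data}: Windows-sounding name, target outside system dirs"))
            elif target.endswith(".bat"):
                findings.append(Finding("medium", f"{name!r} -> {data}: autorun launches a batch file"))
        elif any(frag in key_l for frag in NOISE_KEY_FRAGMENTS):
            findings.append(Finding("info", f"{key}\\{name}: OS housekeeping, not an attacker indicator"))
    return findings


def triage(files, values, windir: str = r"C:\Windows") -> list[Finding]:
    """All findings, highest severity first."""
    return sorted(check_files(files, windir) + check_run_values(values, windir),
                  key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample inventory: three of the report's files, one clean system file and
# a hypothetical second miner drop under a user profile.
SAMPLE_FILES = {
    r"C:\Windows\syso\critical\system.exe": 187904,
    r"C:\Windows\syso\critical\antivirus.bat": 129,
    r"C:\Windows\syso\critical\nircmd.exe": 43000,  # size deliberately off
    r"C:\Windows\system32\kernel32.dll": 989696,
    r"C:\Documents and Settings\bob\Application Data\m\minerd.exe": 500000,
    r"C:\Documents and Settings\bob\Application Data\m\libcurl-4.dll": 245795,
    r"C:\Documents and Settings\bob\Application Data\m\pthreadGC2.dll": 119888,
    r"C:\Documents and Settings\bob\Application Data\m\zlib1.dll": 100864,
}
SAMPLE_RUN_VALUES = [
    (RUN_KEY, "Windows Update", r"C:\Windows\syso\critical\antivirus.bat"),
    (RUN_KEY, "Windows Update", r"C:\Documents and Settings\bob\Application Data\wu.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\Windows\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG", "Seed", "91 2E 68 B1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", "1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"[{f.severity:6}] {f.detail}")
```

The size comparison is deliberately reported rather than used as a filter: a file in the drop directory is a hit whether or not it matches the bytes seen in the sandbox, because a later build of the same dropper would change the sizes but not the path. Feed it real data by walking %WinDir% and exporting HKLM/HKCU Run keys with reg.exe; the functions only need the path/size and key/name/data shapes shown in the sample.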
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1660
nircmd.exe:1620
nircmd.exe:1084
reg.exe:228
attrib.exe:1956
system.exe:484
- Delete the original not-a-virus file.
- Delete or disinfect the following files created/modified by the not-a-virus:
%WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
%WinDir%\syso\critical\zlib1.dll (100864 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (187904 bytes)
%WinDir%\syso\critical\nircmd.exe (43520 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"