Gen:Heur.JAPIK.6 (BitDefender), TrojanDropper:Win32/Sinmis.B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Encpk.zqa (v) (VIPRE), Trojan.Packed.2351 (DrWeb), Gen:Heur.JAPIK.6 (B) (Emsisoft), Downloader-CMY.a (McAfee), Trojan-Downloader.Win32.Karagany (Ikarus), Downloader.Generic_r.LY (AVG), Win32:Zbot-NFK [Trj] (Avast), TROJ_IKYTOK.SMI (TrendMicro), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e86e44e6c774b5ef575adf5eff7dc7c7
SHA1: 679aa34413c4832a9b5379fb330cd263a3e9a62b
SHA256: d3ec31784027f1161307abf2ed6947732786b6f6ae976628d0baa749e2d293c1
SSDeep: 6144:EZA6jAH8m3ObJjP1yufjBqZ eaIbyhh2ehhQ4NG0oG:EbAc8mHyuq pIbyhhQGG0
Size: 342016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2011-06-13 16:49:44
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
3f475710.exe:768
%original file name%.exe:336
rundll32.exe:1576
1509445b.exe:1260
The Backdoor injects its code into the following process(es):
spoolsv.exe:1424
rundll32.exe:1700
File activity
The process 3f475710.exe:768 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process %original file name%.exe:336 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\d8e7b49f.exe (1436 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1c0386cf.exe (1673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f475710.exe (16124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1509445b.exe (8671 bytes)
The process spoolsv.exe:1424 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Temp\3.tmp (39 bytes)
The Backdoor deletes the following file(s):
%WinDir%\Temp\3.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
The process 1509445b.exe:1260 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\sqrpcs.dll (118 bytes)
Registry activity
The process 3f475710.exe:768 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 90 4C 41 D4 7E 94 4E 54 29 7D 2E 2E F4 D1 58"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"
The process spoolsv.exe:1424 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\27989140]
"imagepath" = "\??\%WinDir%\TEMP\3.tmp"
[HKLM\System\CurrentControlSet\Control\Print\Providers\367567872]
"Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2.tmp"
[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 367567872"
[HKLM\System\CurrentControlSet\Services\27989140]
"type" = "1"
The Backdoor deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\27989140]
[HKLM\System\CurrentControlSet\Services\27989140\Enum]
[HKLM\System\CurrentControlSet\Control\Print\Providers\367567872]
The process rundll32.exe:1700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 2D E3 7C 59 57 5C 0A 8B DF ED 9F 67 48 B6 39"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "186"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\sqrpcs.dll,Startup"
The process rundll32.exe:1576 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 0C 87 FF CF 25 8F 7A A0 37 43 0A 2E 2A 06 4D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process 1509445b.exe:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 65 C7 47 18 7F 85 22 7F EE 77 BD 8D 53 B3 24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "45 01 36 03 3C 05 37 07 3E 09 39 0B 4E 0D 3B 0F"
Network activity (URLs)
| URL | IP |
|---|---|
| 081207de011e.linkbuzz.net | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN" the Backdoor controls loading executable images into a memory by installing the Load image notifier.
The Backdoor intercepts DriverStartIO in a miniport driver of a hard drive controller (ATAPI) to handle request to its own files:
StartIo
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
3f475710.exe:768
%original file name%.exe:336
rundll32.exe:1576
1509445b.exe:1260 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8e7b49f.exe (1436 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1c0386cf.exe (1673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f475710.exe (16124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1509445b.exe (8671 bytes)
%WinDir%\Temp\3.tmp (39 bytes)
%WinDir%\sqrpcs.dll (118 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\sqrpcs.dll,Startup" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.