Trojan.Win32.Pasta.nsq (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Turkojan!IK (Emsisoft), Trojan.Win32.Bumat.FD, Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 123b636b7861377da8d7acef0f01281b
SHA1: 0e0391b6986f670cfb297be7d2a384b2009f1e46
SHA256: 19d9b6e1671b7572f6713cdbea704c46e6c075452b4d6ec966e67f58fa8ea0fb
SSDeep: 12288:ZqTObLwuBbVzcWTydBbg4hLRC5o8GYRvdS28IAzDrbrPRIF3x/jZ3pe9RJyyh8FJ:IT0ZV3TynbJaogu28IurbrPcF3poR6
Size: 1080844 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandCDLL, ACProtect141, UPolyXv05_v6, BorlandCforWin321999
Company: no certificate found
Created at: 2010-06-13 18:00:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
md.exe:2600
The Trojan injects its code into the following process(es):
%original file name%.exe:1496
ctfmon.exe:244
File activity
The process md.exe:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Drv12\svchost.exe (2500 bytes)
%WinDir%\RLT6987\services.exe (6988 bytes)
The process %original file name%.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpt.exe (275736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (52744 bytes)
%WinDir%\ctfmon.exe (5442 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (0 bytes)
Registry activity
The process md.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 99 1B A2 24 0D 2A F5 55 68 8F 47 63 8B A4 C1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Drv12]
"svchost.exe" = "%WinDir%\Drv12\svchost.exe:*:Enabled:msnmsg"
The process %original file name%.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"md.exe" = "md"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmpt.exe" = "tmpt"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"ctfmon.exe" = "ctfmon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 33 7D E7 41 0B D6 25 06 9F AD B2 65 C5 6F EC"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://gooogle.atwebpages.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\S-1-5-21-1177238915-436374069-1957994488-1003\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://gooogle.atwebpages.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%]
"ctfmon.exe" = "%WinDir%\ctfmon.exe:*:Enabled:UI"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UI" = "%WinDir%\ctfmon.exe"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process ctfmon.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B4 06 64 96 06 CD CF 94 46 7F 4B E5 FD 54 FD"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
md.exe:2600
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Drv12\svchost.exe (2500 bytes)
%WinDir%\RLT6987\services.exe (6988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpt.exe (275736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (52744 bytes)
%WinDir%\ctfmon.exe (5442 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UI" = "%WinDir%\ctfmon.exe" - Reboot the computer.