Skip to main content

Trojan.Win32.Swrort_123b636b78


Trojan.Win32.Pasta.nsq (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Turkojan!IK (Emsisoft), Trojan.Win32.Bumat.FD, Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 123b636b7861377da8d7acef0f01281b

SHA1: 0e0391b6986f670cfb297be7d2a384b2009f1e46

SHA256: 19d9b6e1671b7572f6713cdbea704c46e6c075452b4d6ec966e67f58fa8ea0fb

SSDeep: 12288:ZqTObLwuBbVzcWTydBbg4hLRC5o8GYRvdS28IAzDrbrPRIF3x/jZ3pe9RJyyh8FJ:IT0ZV3TynbJaogu28IurbrPcF3poR6

Size: 1080844 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: BorlandCDLL, ACProtect141, UPolyXv05_v6, BorlandCforWin321999

Company: no certificate found

Created at: 2010-06-13 18:00:56

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

md.exe:2600

The Trojan injects its code into the following process(es):

%original file name%.exe:1496
ctfmon.exe:244

File activity

The process md.exe:2600 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Drv12\svchost.exe (2500 bytes)
%WinDir%\RLT6987\services.exe (6988 bytes)

The process %original file name%.exe:1496 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpt.exe (275736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (52744 bytes)
%WinDir%\ctfmon.exe (5442 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (0 bytes)

Registry activity

The process md.exe:2600 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 99 1B A2 24 0D 2A F5 55 68 8F 47 63 8B A4 C1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Drv12]
"svchost.exe" = "%WinDir%\Drv12\svchost.exe:*:Enabled:msnmsg"

The process %original file name%.exe:1496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"md.exe" = "md"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmpt.exe" = "tmpt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"ctfmon.exe" = "ctfmon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 33 7D E7 41 0B D6 25 06 9F AD B2 65 C5 6F EC"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://gooogle.atwebpages.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\S-1-5-21-1177238915-436374069-1957994488-1003\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://gooogle.atwebpages.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%]
"ctfmon.exe" = "%WinDir%\ctfmon.exe:*:Enabled:UI"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UI" = "%WinDir%\ctfmon.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process ctfmon.exe:244 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B4 06 64 96 06 CD CF 94 46 7F 4B E5 FD 54 FD"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    md.exe:2600

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Drv12\svchost.exe (2500 bytes)
    %WinDir%\RLT6987\services.exe (6988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpt.exe (275736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\md.exe (52744 bytes)
    %WinDir%\ctfmon.exe (5442 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UI" = "%WinDir%\ctfmon.exe"

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps