Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 2414a4c523e354583db56ebc4af196b0
SHA1: 730884c3e55659bb4aa135373a2a6333fac99f0c
SHA256: f82439ae1c5fe2f524d80d92767856f0a610b70a0798d7048973833169062bd8
SSDeep: 6144:oPB6WgJSeBZyt8H ilr E06 xvKUptV5LJ2XD kwkavGfK:YrgJSe2cRF EWyEv5LJAD Qa fK
Size: 266646 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-07 00:42:05
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
TQAWM.exe:584
ipconfig.exe:4012
%original file name%.exe:2620
I_FreeCodecs.exe:2708
The Trojan injects its code into the following process(es):
ntvdm.exe:3024
File activity
The process TQAWM.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\NetworkService\IETldCache\index.dat (16 bytes)
%System%\config\systemprofile\iexplore.exe (5 bytes)
%System%\drivers\etc\hosts (1 bytes)
The process ntvdm.exe:3024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings% (4 bytes)
%WinDir%\Tasks\DLQIHDEQC.job (4 bytes)
%Documents and Settings%\NetworkService\IETldCache\index.dat (2756 bytes)
%WinDir%\Prefetch\TQAWM.EXE-18003656.pf (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Temp\scs3.tmp (33872 bytes)
%Documents and Settings%\NetworkService\LOCAL SETTINGS (4 bytes)
%System%\wbem\Repository\FS (4 bytes)
%WinDir% (536 bytes)
C:\$Directory (7360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (1425 bytes)
D:\ (4 bytes)
%System%\config\systemprofile (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (10540 bytes)
%Documents and Settings%\NETWORKSERVICE (4 bytes)
%Program Files%\Wireshark (96 bytes)
%System%\config (4 bytes)
%System%\wbem (96 bytes)
%System%\drivers (480 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\NetworkService\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\scs4.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)
The process %original file name%.exe:2620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\I_FreeCodecs.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (6450 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1.tmp (0 bytes)
The process I_FreeCodecs.exe:2708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\DLQIHDEQC.job (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\TQAWM.exe (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~unins5078.bat (49 bytes)
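The .job file that I_FreeCodecs.exe writes under %WinDir%\Tasks is the persistence mechanism, but the report does not reproduce its contents, so what the task launches and when is unknown. The parser below for the Task Scheduler 1.0 .job format (the format of %WinDir%\Tasks\*.job on Windows XP) is an added example and is not Lavasoft's or the sample's code. The build_job helper only exists to construct a test input: the command line, hidden flag and at-startup trigger it writes are assumptions chosen to resemble what this sample would need (launching the dropped TQAWM.exe), not the real contents of DLQIHDEQC.job.

```python
import struct
import uuid

# Task Scheduler 1.0 .job layout (see MS-TSCH): a 0x44-byte fixed section, then a variable
# section of counted UTF-16LE strings followed by a UINT16 trigger count and 48-byte triggers.
FIXED_LEN = 0x44
TRIGGER_LEN = 48
TASK_FLAG_HIDDEN = 0x200  # mstask.h flag value as stored in the fixed section's Flags field
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}


def _read_str(buf, off):
    """Counted string: UINT16 character count including the NUL terminator, then UTF-16LE characters."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\0"), off + 2 * n


def parse_job(buf):
    """Pull out what an analyst wants from a .job blob: what runs, from where, who made it, and when."""
    if len(buf) < FIXED_LEN:
        raise ValueError("too short for a .job fixed section")
    app_off, trig_off = struct.unpack_from("<HH", buf, 0x14)   # app-name-length offset, trigger offset
    (flags,) = struct.unpack_from("<I", buf, 0x30)
    off = app_off
    app, off = _read_str(buf, off)
    params, off = _read_str(buf, off)
    workdir, off = _read_str(buf, off)
    author, off = _read_str(buf, off)
    comment, off = _read_str(buf, off)
    (ntrig,) = struct.unpack_from("<H", buf, trig_off)
    if trig_off + 2 + ntrig * TRIGGER_LEN > len(buf):
        raise ValueError("trigger table runs past end of file")
    triggers = []
    for i in range(ntrig):
        t = trig_off + 2 + i * TRIGGER_LEN
        by, bm, bd = struct.unpack_from("<HHH", buf, t + 4)      # begin year/month/day
        (ttype,) = struct.unpack_from("<I", buf, t + 32)          # trigger type
        triggers.append({"type": TRIGGER_TYPES.get(ttype, f"UNKNOWN({ttype})"), "begin": (by, bm, bd)})
    return {"uuid": str(uuid.UUID(bytes_le=bytes(buf[4:20]))),
            "application": app, "parameters": params, "working_dir": workdir,
            "author": author, "comment": comment,
            "hidden": bool(flags & TASK_FLAG_HIDDEN), "triggers": triggers}


def triage_job(job, known_bad_names=("tqawm.exe",)):
    """Reasons to look closer at a parsed task; known_bad_names defaults to the binary this sample installs."""
    reasons = []
    base = job["application"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in known_bad_names:
        reasons.append(f"runs {base}, a file this sample drops into %System%")
    if job["hidden"]:
        reasons.append("TASK_FLAG_HIDDEN set")
    if not job["author"] and not job["comment"]:
        reasons.append("no author/comment (tasks created through the UI normally carry both)")
    if any(t["type"] in ("AT_SYSTEMSTART", "AT_LOGON") for t in job["triggers"]):
        reasons.append("boot/logon trigger (persistence)")
    return reasons


def _pack_str(s):
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\0").encode("utf-16-le")


def build_job(app, params="", workdir="", author="", comment="", flags=0, trigger_type=6, begin=(2009, 6, 7)):
    """Construct a minimal .job blob with one trigger (test input only; the real DLQIHDEQC.job is not in the report)."""
    var = struct.pack("<H", 0)                                   # running instance count
    for s in (app, params, workdir, author, comment):
        var += _pack_str(s)
    var += struct.pack("<HH", 0, 0)                              # user data length, reserved data length
    trig_off = FIXED_LEN + len(var)                              # points at the trigger count
    by, bm, bd = begin
    trigger = struct.pack("<10H4I", TRIGGER_LEN, 0, by, bm, bd, 0, 0, 0, 0, 0, 0, 0, 0, trigger_type)
    var += struct.pack("<H", 1) + trigger.ljust(TRIGGER_LEN, b"\0")
    hdr = struct.pack("<HH", 0x0500, 1) + uuid.uuid4().bytes_le  # product version, file version, job UUID
    hdr += struct.pack("<HH", FIXED_LEN + 2, trig_off)            # app-name-length offset, trigger offset
    hdr += struct.pack("<4H4I", 0, 0, 0, 0, 0x20, 0, 0, 0)        # retry/idle fields, priority, max run, exit code, status
    hdr += struct.pack("<I", flags) + bytes(16)                  # flags, last run time (SYSTEMTIME)
    assert len(hdr) == FIXED_LEN
    return hdr + var


# Constructed stand-in for the sample's task: hidden, runs at system start, launches the dropped binary.
SAMPLE_JOB = build_job(r"C:\WINDOWS\system32\TQAWM.exe", workdir=r"C:\WINDOWS\system32", flags=TASK_FLAG_HIDDEN)

if __name__ == "__main__":
    job = parse_job(SAMPLE_JOB)
    print(job["application"], job["triggers"], triage_job(job))
```

On a real host, read the bytes of each file under %WinDir%\Tasks and feed them to parse_job; the offsets in the fixed section are trusted only after the length check, so a truncated or hand-built .job raises rather than reading past the buffer.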
Registry activity
The process TQAWM.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionLow" = "393300864"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheLimit" = "8192"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"StaleIETldCache" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"ipconfig.exe" = "IP Configuration Utility"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheOptions" = "9"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"
"Personal" = ""
"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\config\systemprofile]
"iexplore.exe" = "iexplore"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 01 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePath" = "%USERPROFILE%\IETldCache"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionHigh" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionHigh" = "524288"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\NetworkService\Local Settings\History"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionLow" = "8"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 BF 61 7A 17 D6 C4 5B 0D 53 42 98 5B 63 75 A1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePrefix" = "ietld:"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheRepair" = "0"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation]
"TLDUpdates" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
The Trojan sets the Local Intranet zone to include all local (intranet) sites not listed in other zones:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Use of a proxy server is turned off:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Local Intranet zone is set to include all network paths (UNCs):
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Local Intranet zone is set to include all sites that bypass the proxy server:
"ProxyBypass" = "1"
These three ZoneMap values match IE's default Local Intranet configuration, so on their own they are a weak indicator; the proxy changes matter on machines where a proxy server or PAC file had been configured.
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process ipconfig.exe:4012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 9E B3 AE 45 BA 3B 3E DD 9C A4 25 D1 95 F8 39"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process %original file name%.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process I_FreeCodecs.exe:2708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 5E 2F 95 54 99 7E 49 56 37 AC 94 47 F2 26 78"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\pfxyyoknu]
"PAPRPHG" = "96 95 24 54 B4 07 99 56 47 8E 51 1F AB 77 80 43"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\pfxyyoknu]
"PAPRPHG" = "96 95 24 54 B4 07 99 56 47 8E 51 1F AB 77 80 43"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\I_FreeCodecs.exe,"
The Trojan sets the Local Intranet zone to include all sites that bypass the proxy server:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Local Intranet zone is set to include all network paths (UNCs):
"UNCAsIntranet" = "1"
The Local Intranet zone is set to include all local (intranet) sites not listed in other zones:
"IntranetName" = "1"
These are IE's default Local Intranet settings, here written explicitly into the current user's hive.
Use of a proxy server is turned off:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
URL | IP |
---|---|
hxxp://imagehut4.cn/update/utu.dat (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 10), Malicious) | 65.19.157.228 |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses and is consulted before any DNS lookup. The modified file is 1003 bytes in size. The following entries are added, pointing the listed sites at the loopback address so that they no longer resolve to their real servers:
IP | Hostname |
---|---|
127.0.0.1 | thepiratebay.org |
127.0.0.1 | www.thepiratebay.org |
127.0.0.1 | mininova.org |
127.0.0.1 | www.mininova.org |
127.0.0.1 | forum.mininova.org |
127.0.0.1 | blog.mininova.org |
127.0.0.1 | suprbay.org |
127.0.0.1 | www.suprbay.org |
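A hosts file is easy to read by hand, but checking it programmatically has traps: tabs instead of spaces, inline comments, several names on one line, IPv6 entries, and the stock "127.0.0.1 localhost" line that must not be flagged. The Python below is an added example, not part of the Lavasoft report or the sample, and it also covers the hosts-file restoration step in the removal section. It parses a constructed hosts file, flags the names this sample redirects, and more generally flags any public-looking name pointed at loopback or 0.0.0.0 (blocking) and any name pinned to a routable address (the pharming variant of the same trick). The file contents are made up for the example; 65.19.157.228 is reused from the report's C2 entry purely as a sample value, and the .example names are fictitious.

```python
import ipaddress

# Names the report above shows this sample pointing at 127.0.0.1.
SAMPLE_SINKHOLED = {
    "thepiratebay.org", "www.thepiratebay.org",
    "mininova.org", "www.mininova.org", "forum.mininova.org", "blog.mininova.org",
    "suprbay.org", "www.suprbay.org",
}
# Names that legitimately map to a loopback address in a stock hosts file.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Constructed hosts file: stock header, one benign LAN entry, the sample's redirections (with tabs and
# two names on one line), an AV-update block via 0.0.0.0, and a name pinned to the report's C2 address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver          # internal share, expected
127.0.0.1\tthepiratebay.org
127.0.0.1\twww.thepiratebay.org
127.0.0.1       mininova.org www.mininova.org
0.0.0.0         update.antivirus.example
65.19.157.228   login.bank.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping; tolerates tabs, inline comments and
    several names per line, and skips lines whose first token is not an IP address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def find_hosts_anomalies(text, known_bad=SAMPLE_SINKHOLED):
    """Return (line_number, ip, hostname, reason) for every suspicious mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        local_sink = ip.is_loopback or ip.is_unspecified
        if name in known_bad:
            reason = "name redirected by this sample"
        elif local_sink and name not in BENIGN_LOOPBACK and "." in name:
            reason = "public-looking name mapped to loopback/0.0.0.0 (blocked)"
        elif ip.is_global:
            reason = "name pinned to a routable address (possible pharming)"
        else:
            continue
        findings.append((lineno, str(ip), name, reason))
    return findings


def strip_anomalies(text, known_bad=SAMPLE_SINKHOLED):
    """Return the hosts file with every flagged line removed, keeping comments and legitimate entries.
    A line that mixes a flagged name with a legitimate one is dropped whole; re-add the good name by hand."""
    bad_lines = {f[0] for f in find_hosts_anomalies(text, known_bad)}
    kept = [line for i, line in enumerate(text.splitlines(), start=1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name, reason in find_hosts_anomalies(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name}: {reason}")
    print(strip_anomalies(SAMPLE_HOSTS))
```

On a Windows host, read %SystemRoot%\System32\drivers\etc\hosts with the file opened as text and write the result of strip_anomalies back only after reviewing the findings; a stock file reduces to its comment header plus "127.0.0.1 localhost".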
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TQAWM.exe:584
ipconfig.exe:4012
%original file name%.exe:2620
I_FreeCodecs.exe:2708
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan (several entries in this automatically generated list are directories, IE cache index files, or artifacts of the analysis sandbox such as test.pml and the Wireshark folder; the sample's own components are TQAWM.exe, DLQIHDEQC.job, I_FreeCodecs.exe, ~unins5078.bat and the modified hosts file):
%Documents and Settings%\NetworkService\IETldCache\index.dat (16 bytes)
%System%\config\systemprofile\iexplore.exe (5 bytes)
%System%\drivers\etc\hosts (1 bytes)
%WinDir%\Tasks\DLQIHDEQC.job (4 bytes)
%WinDir%\Prefetch\TQAWM.EXE-18003656.pf (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Temp\scs3.tmp (33872 bytes)
%Documents and Settings%\NetworkService\LOCAL SETTINGS (4 bytes)
%System%\wbem\Repository\FS (4 bytes)
C:\$Directory (7360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (1425 bytes)
D:\ (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (10540 bytes)
%Documents and Settings%\NETWORKSERVICE (4 bytes)
%Program Files%\Wireshark (96 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\NetworkService\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\I_FreeCodecs.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\TQAWM.exe (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~unins5078.bat (49 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.