Gen:Variant.Graftor.Elzob.24486 (BitDefender), Backdoor:Win32/Tenpeq.gen!A (Microsoft), HEUR:Backdoor.Win32.Generic (Kaspersky), BehavesLike.Win32.Malware.ahc (mx-v) (VIPRE), Trojan.DownLoad3.25716 (DrWeb), Gen:Variant.Graftor.Elzob.24486 (B) (Emsisoft), RDN/Generic BackDoor!rm (McAfee), Backdoor.Trojan (Symantec), Trojan-GameThief.Win32.Nilage (Ikarus), SHeur4.BMPG (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R021C0DG313 (TrendMicro), Backdoor.Win32.Farfli.FD (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a907e9174ca3dd20b5e36bd342063ebd
SHA1: e5a9a79249aa69d903a97172cfb8367b8722f609
SHA256: ac5d66948294f0d59cf58add49ad3aa7b408a3bf29f021494ab9b842093f59c2
SSDeep: 768:YUaIC34ICgREiB3RRwlF1/j75FHqP5R3PPOgzJuE5zkTzmNNnHJupSJWAE:X9 TB3rwh/5FyWg1ulvmnJ nAE
Size: 67584 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: Softonic
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
ping.exe:1712
%original file name%.exe:1760
The Backdoor injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1760 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\mpeg4c32.dll (102400 bytes)
%System%\tcpipport.sys (13328 bytes)
Registry activity
The process ping.exe:1712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 63 38 5D 41 F7 74 AA 24 A2 E4 58 61 02 6B 8E"
The process %original file name%.exe:1760 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB FE 4F F2 8C 9B DE 74 DC 0B AF 1D 3D C3 9A B3"
[HKLM\System\CurrentControlSet\Services\BITS]
"WOW64" = "1"
[HKLM\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll" = "%System%\mpeg4c32.dll"
[HKLM\SOFTWARE\QQ\QQNETPET]
"NetPetName" = "x1"
"MasterDNSE" = "204.13.69.52"
"MasterPort" = "1515"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
drvobj Tcpip:
MJ_DEVICE_CONTROL
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ping.exe:1712
%original file name%.exe:1760
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\mpeg4c32.dll (102400 bytes)
%System%\tcpipport.sys (13328 bytes)