Trojan.Win32.IRCbot.avx (Kaspersky), mzpefinder_pcap_file.YR, GenericMSNWorm.YR, GenericProxy.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, Blazebot.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1e44492f695c071c30ece328596ca520
SHA1: 34f7df2b0c140a019104cdd4ff9c8ebfaed8d53c
SHA256: 7c1a13ea0e18c372fc26cd76519c6e5c9fe94d9e59762850c60fbf9d3214bbbc
SSDeep: 12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aNt Um8ukK 1NO6:uRmJkcoQricOIQxiZY1iabQ8V1NO6
Size: 808116 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messanger. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:452
%original file name%.exe:1960
attrib.exe:1776
nircmd.exe:1792
nircmd.exe:1320
Reader_sl.exe:1064
erase_me895082.exe:2024
wuauclt.exe:344
system.exe:1936
za.exe:128
reg.exe:904
erase_me558122.exe:216
jusched.exe:1056
File activity
The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (353 bytes)
%Documents and Settings%\%current user%\O20T17.GJ5 (49 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\O20T17.GJ5 (0 bytes)
The process %original file name%.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lsass.exe (5873 bytes)
The process erase_me895082.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\syso\critical\libcurl-4.dll (1345 bytes)
%WinDir%\syso\critical\zlib1.dll (601 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (2017 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (1289 bytes)
%WinDir%\syso\critical\nircmd.exe (43 bytes)
The Trojan deletes the following file(s):
%WinDir%\syso\critical\__tmp_rar_sfx_access_check_347625 (0 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process za.exe:128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\G30D78.LA5 (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (941 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\G30D78.LA5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
The process erase_me558122.exe:216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\M33K\za.exe (10881 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\M33K\__tmp_rar_sfx_access_check_344531 (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 DE BC 95 A6 68 66 43 F0 9D 58 CF 81 D3 32 0B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process %original file name%.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 7B DB 9D 57 57 9E AD 9E 4F 69 DD A3 47 B4 88"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
The process attrib.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 6C 33 1E 46 50 53 1F B4 A8 95 E0 5E 77 56 10"
The process nircmd.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 6F A0 19 FA 23 22 2A 55 41 E0 F7 B6 F0 A4 3E"
The process nircmd.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E A4 CE C1 94 08 4E 9A FC 34 E4 D9 38 7B B1 9D"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process erase_me895082.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 42 EA 53 D9 C3 1C 2C 54 BD 9D 5D 48 EB 70 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process system.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 98 E6 7D C9 89 07 BF 45 A1 F9 40 57 1F 36 13"
The process za.exe:128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 F8 C9 7D 48 C5 5A 37 F4 23 F7 9C BD A7 0E D9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process reg.exe:904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 40 58 F7 63 0F 31 34 DF 14 28 18 B5 80 62 14"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"
The process erase_me558122.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FD 2F 25 4E 2E 48 8F FB ED AE 7C 16 BE A4 23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\M33K]
"za.exe" = "za"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://directxex.com/uploads/64201707.ms1.exe?dl=1 | 108.162.199.96 |
| hxxp://www.v.dropbox.com/s/axthqblc3my55od/critical.exe?dl=1 | |
| www.dropbox.com | 108.160.166.13 |
| dl.dropboxusercontent.com | 107.21.114.158 |
| mine.pool-x.eu | 178.33.111.19 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A worm can spread its copies through the MSN Messanger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:452
%original file name%.exe:1960
attrib.exe:1776
nircmd.exe:1792
nircmd.exe:1320
erase_me895082.exe:2024
wuauclt.exe:344
system.exe:1936
za.exe:128
reg.exe:904
erase_me558122.exe:216 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (353 bytes)
%Documents and Settings%\%current user%\O20T17.GJ5 (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lsass.exe (5873 bytes)
%WinDir%\syso\critical\libcurl-4.dll (1345 bytes)
%WinDir%\syso\critical\zlib1.dll (601 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (2017 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (1289 bytes)
%WinDir%\syso\critical\nircmd.exe (43 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\G30D78.LA5 (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (941 bytes)
%Documents and Settings%\%current user%\M33K\za.exe (10881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.