DeepScan:Generic.Malware.SFMYVd.E86739CE (BitDefender), TrojanDropper:Win32/Killav.A (Microsoft), Trojan.Win32.Skillis.arzu (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.MulDrop4.61304 (DrWeb), DeepScan:Generic.Malware.SFMYVd.E86739CE (B) (Emsisoft), Artemis!6CE6BA327CD5 (McAfee), Trojan.Win32.Skillis (Ikarus), Generic35.YWR (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08JC0DL113 (TrendMicro), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6ce6ba327cd56b2e2bd76a94e1910a49
SHA1: 3db7a9149feae2e053021045edf3dada29b5b2ab
SHA256: d4172cc661c89f12ed06dc4955684fe2640db19e37394ff9296a2679bec5b5c1
SSDeep: 12288:qMEtaEEdVNd/bKAt5mcMQjnl Uyl PoYkr:q9wJLNd/uAXmcMQjlBylfYu
Size: 724992 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: WinterSoft
Created at: 2013-08-20 20:07:35
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1480
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
File activity
The process %original file name%.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\slear.exe (5441 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 4E 1B DC 5C 34 EC B5 39 93 D4 B6 89 C0 45 8B"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1480
wuauclt.exe:344 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\slear.exe (5441 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.