Gen:Variant.Kazy.217030 (BitDefender), Trojan.Win32.Generic.pak!cobra (VIPRE), Win32.HLLW.Autoruner.25074 (DrWeb), Gen:Variant.Kazy.217030 (B) (Emsisoft), Gen:Variant.Kazy.217030 (FSecure), MSIL:Agent-ATC [Trj] (Avast), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 88f0b8169c1f4f5cc9d03e98a133f41e
SHA1: a03615ed12321c11f3ad0eb491d73a1feb8703e8
SHA256: 4e07e06d52ecc39c1e5967fdf5327239653e36df2bda7227bda83d77732c1a30
SSDeep: 12288:E4AOQecA7gkGcMfDaN tSZY4RQ19pyNW9agpb6A/958RiumubSSRsnbEdpuBSmxe:EJIF7jGccvtSZY4Rij9Nb60n8bmubLse
Size: 718848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: WinterSoft
Created at: 2013-12-01 15:19:46
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
gyAbDqTrxa.exe:1808
reg.exe:1780
The Backdoor injects its code into the following process(es):
vbc.exe:952
%original file name%.exe:384
File activity
The process %original file name%.exe:384 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\gyAbDqTrxa.exe (33822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\.exe (3791 bytes)
Registry activity
The process gyAbDqTrxa.exe:1808 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 5E 8A EF 7B 32 FD 84 F1 A1 8B 39 F6 7B 6E A7"
[HKCU\Software\DC3_FEXEC]
"12/2/2013 at 3:44:03 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"
The process vbc.exe:952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 21 E6 74 01 3D D1 CD 1A A2 35 5A FC BB 5B 6D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process reg.exe:1780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 EA 3E 64 E0 23 28 D2 B9 51 06 98 A3 E5 AF AF"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MyImgur" = "%Documents and Settings%\%current user%\Local Settings\Temp\.exe"
The process %original file name%.exe:384 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 B1 A6 C3 4E EF 49 72 4B E2 64 47 BC 38 56 30"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Network activity (URLs)
URL | IP |
---|---|
hxxp://directxex.com/uploads/628872640.sv.exe | 108.162.198.96 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
gyAbDqTrxa.exe:1808
reg.exe:1780 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\gyAbDqTrxa.exe (33822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\.exe (3791 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MyImgur" = "%Documents and Settings%\%current user%\Local Settings\Temp\.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.