Trojan-Dropper.Win32.GoogleTool (Lavasoft MAS)Behaviour: Trojan-Dropper
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 06ecb99836c510701887b7331db11a46
SHA1: 4f87105550290651731ec742a5a421aa081590e8
SHA256: 3bd45aa56781f132e47247bfa4b5412cf110e8e51eaa013a2628b8e5072b0126
SSDeep: 6144:qrQKBhWR0Jj4VB13kQBYDl7 nS/OT5euTlHG:WQKBhWRfTXYDN nsc7l
Size: 346624 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-25 05:52:12
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Dropper creates the following process(es):
%original file name%.exe:880
GoogleTool.exe:1564
rundll32.exe:844
File activity
The process %original file name%.exe:880 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Templates\Goopdate.dll (44 bytes)
%Documents and Settings%\%current user%\Templates\Noew.SAM (143 bytes)
%Documents and Settings%\%current user%\Templates\GoogleTool.exe (116 bytes)
%Documents and Settings%\%current user%\Start Menu\Windows Message.lnk (668 bytes)
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\%current user%\Start Menu\Windows Message.lnk (0 bytes)
Registry activity
The process %original file name%.exe:880 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 6C 15 42 47 00 07 BC ED 23 0D EC DB D8 9D 16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process GoogleTool.exe:1564 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "%Documents and Settings%\%current user%\Templates\GoogleTool.exe"
The process rundll32.exe:844 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B DE 0D 9F 6F 88 F8 E6 05 A0 C6 38 87 CC C7 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:880
GoogleTool.exe:1564
rundll32.exe:844 - Delete the original Trojan-Dropper file.
- Delete or disinfect the following files created/modified by the Trojan-Dropper:
%Documents and Settings%\%current user%\Templates\Goopdate.dll (44 bytes)
%Documents and Settings%\%current user%\Templates\Noew.SAM (143 bytes)
%Documents and Settings%\%current user%\Templates\GoogleTool.exe (116 bytes)
%Documents and Settings%\%current user%\Start Menu\Windows Message.lnk (668 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "%Documents and Settings%\%current user%\Templates\GoogleTool.exe"