Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Virus.Win32.Zbot!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Trojan.Win32.EyeStye.FD, TrojanEyeStye.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e4aed329e777253b486d829a394f270c
SHA1: 2afd3218d0c2a3b285ab121594dd61e98ca46d1e
SHA256: 710921b6a10a732cc0ec0d7d39e46179ff2d10ba7aed51031ea68a7fd959690b
SSDeep: 6144:yndj8E6S4u09FLx6WvbWdiWX7ht69qsiPNjYjdRFatrGaRdITAWr:yCE6S4Z9JkubIi2s9MVTiaRU9r
Size: 361374 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Express Install
Created at: 2011-07-01 12:25:08
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
e4aed329e777253:2704
02126517951.exe:668
%original file name%.exe:2412
ajvmmkjkbtsibwto.exe:3300
The Trojan injects its code into the following process(es):
ctfmon.exe:252
File activity
The process e4aed329e777253:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
The process 02126517951.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\hdwe2y7.bin\30849139C22EAD4 (5 bytes)
The process %original file name%.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\e4aed329e777253b486d829a394f270cmgr.exe (120 bytes)
The process ajvmmkjkbtsibwto.exe:3300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (0 bytes)
Registry activity
The process e4aed329e777253:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 9A 9E A8 EB 36 72 03 51 C0 FF 00 F1 5A 60 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ajvmmkjkbtsibwto.exe" = "ajvmmkjkbtsibwto"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process 02126517951.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 8F 2B 0D 96 4F AD EF 28 5E 7C 72 81 F3 D1 2E"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1309512308"
"Name" = "02126517951.exe"
The process ctfmon.exe:252 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process %original file name%.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 6A CD 0E B0 F6 C6 ED A6 2C D6 23 0D FB 49 97"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1309512308"
"Name" = "%original file name%.exe"
The process ajvmmkjkbtsibwto.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 16 A5 67 91 B8 85 C6 5F AD B6 66 95 AA E2 C9"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://199.2.137.140/nodf4b.php | |
| hxxp://lb1.www.ms.akadns.net/ | |
| haqkwkokaigcdslnrlr.com | 195.22.26.231 |
| aguhlabfubbvek.com | 195.22.26.253 |
| awckeliqcherasntmin.com | 72.14.182.233 |
| sliokrvnkjenhwgpjl.com | 178.79.190.156 |
| uxlyihgvfnqcrfcf.com | 178.79.190.156 |
| jexgpprgph.com | 50.116.32.177 |
| mavjlatqkpuban.com | 50.116.32.177 |
| hxpgffdwbevww.com | 50.116.32.177 |
| prcgijpwvrl.com | 209.99.40.227 |
| adhcssvuayv.com | 195.22.26.231 |
| www.microsoft.com | 1.103.192.54 |
| dgrdrqkpmggukqo.com | Unresolvable |
| rkxukunrgvpkgmc.com | Unresolvable |
| eijahjdmm.com | Unresolvable |
| nirxlosffmarpbp.com | Unresolvable |
| ebddteinurkortapgs.com | Unresolvable |
| sgjwptrfosjeico.com | Unresolvable |
| jfvxpfbgo.com | Unresolvable |
| hfegocufjkndwc.com | Unresolvable |
| oqayununxmqdxo.com | Unresolvable |
| dxovrcmyletmggxf.com | Unresolvable |
| kvoxyhnaggyqrcc.com | Unresolvable |
| sptihuxubpj.com | Unresolvable |
| vmdgwbenh.com | Unresolvable |
| ntnwcxtwgxwecrdxr.com | Unresolvable |
| ojmitlcyjsuyb.com | Unresolvable |
| obcjfjseku.com | Unresolvable |
| rxckgnatt.com | Unresolvable |
| wpaxdlstrs.com | Unresolvable |
| hijkitpq.com | Unresolvable |
| bllkuhftropiwymr.com | Unresolvable |
| dlsvfpmniphnmxnvoeo.com | Unresolvable |
| nwetlnpjovgxmj.com | Unresolvable |
| fdkasoupvgxigejgdfb.com | Unresolvable |
| pbwjbkgdo.com | Unresolvable |
| pdcdcwjwrqsq.com | Unresolvable |
| arhpgoeeasi.com | Unresolvable |
| rsmhdfgpgw.com | Unresolvable |
| fokvmmygnngm.com | Unresolvable |
| wvogkbbapujp.com | Unresolvable |
| fxkapveygtffbkv.com | Unresolvable |
| qxdfhujechixcrgdb.com | Unresolvable |
| drpfrkvdttdkhgpqi.com | Unresolvable |
| iljmekbkcukps.com | Unresolvable |
| xxkoixiiiqpyecxoaka.com | Unresolvable |
| ucwkkgbdxvjexa.com | Unresolvable |
| fkcxdfiv.com | Unresolvable |
| fksudkswknxd.com | Unresolvable |
| xeucibnop.com | Unresolvable |
| byraiyodqfdx.com | Unresolvable |
| hbwpvcnwwcdgfojuixm.com | Unresolvable |
| kgrrxfmyixossjmk.com | Unresolvable |
| kqrkegigdtjxxcrvl.com | Unresolvable |
| kmyxdodog.com | Unresolvable |
| oxjlrgepfnkvdprbr.com | Unresolvable |
| btfkjkqv.com | Unresolvable |
| hhowujyrcvdrwpdvsck.com | Unresolvable |
| ppwnhnvwnvtggifhbv.com | Unresolvable |
| lyghwyciguta.com | Unresolvable |
| edqmjbyjcxyjqnjjodh.com | Unresolvable |
| umiuqmrmvsuiscitx.com | Unresolvable |
| rtcocsaitmadupgl.com | Unresolvable |
| lvmrpvkyo.com | Unresolvable |
| kjjeuhhqiwvfnuvvtkd.com | Unresolvable |
| fsksblipt.com | Unresolvable |
| dpjbclufd.com | Unresolvable |
| nyyhahsslkflyhulcgl.com | Unresolvable |
| laiotlboxklvpcdfhu.com | Unresolvable |
| tuisyirhweflhvqyxh.com | Unresolvable |
| mjuqovvuruldy.com | Unresolvable |
| nwrqebry.com | Unresolvable |
| ixnaxrqn.com | Unresolvable |
| wiyqctbhe.com | Unresolvable |
| ojvpkaohbddmbfac.com | Unresolvable |
| qsrywodlwhorwibvy.com | Unresolvable |
| xsredbpaef.com | Unresolvable |
| yicgycrtyoxaiu.com | Unresolvable |
| amobragjgge.com | Unresolvable |
| pvbmlrybufe.com | Unresolvable |
| ykkcsanct.com | Unresolvable |
| relmyplngdrdxpyv.com | Unresolvable |
| bxnrxuyjcytf.com | Unresolvable |
| ntohnxgjijsgi.com | Unresolvable |
| wxurahlisqbmppqss.com | Unresolvable |
| mmmngmrhvvohfnv.com | Unresolvable |
| uigwsscasowqdiyp.com | Unresolvable |
| xqdrbrjiqwwpahhk.com | Unresolvable |
| rapbmprhwwm.com | Unresolvable |
| hugnnpnymbwnhtuh.com | Unresolvable |
| gwbdgrlikclhthyivym.com | Unresolvable |
| vnskyqlkrdfnnp.com | Unresolvable |
| ocnsfoyrdplmewnyx.com | Unresolvable |
| mcchphgndpadclga.com | Unresolvable |
| gkholyjchymn.com | Unresolvable |
| bklerdwiadlxxbjunwu.com | Unresolvable |
| cqlmxlukplhlfdo.com | Unresolvable |
| dykxkasesippbsjb.com | Unresolvable |
| ykesfabqxbvmns.com | Unresolvable |
| qqsvttcnvsigkh.com | Unresolvable |
| rgcdictp.com | Unresolvable |
| lgeohbboqpngfap.com | Unresolvable |
| qwfxemkbuee.com | Unresolvable |
| xnttkdfunybxgn.com | Unresolvable |
| dypislng.com | Unresolvable |
| uilmabdaxqlaxuj.com | Unresolvable |
| ushfktptgmspn.com | Unresolvable |
| wqfmumga.com | Unresolvable |
| njqvexdhwhutar.com | Unresolvable |
| vgfsnrewuxeaoxoh.com | Unresolvable |
| wwgxwnil.com | Unresolvable |
| lnjrtxcjbiaov.com | Unresolvable |
| qbpcpmcijn.com | Unresolvable |
| kpkyaxyytagbk.com | Unresolvable |
| jxnbdfwh.com | Unresolvable |
| qadjgxayck.com | Unresolvable |
| irfldtfkhgyrpsarcje.com | Unresolvable |
| snpltixygwcpifp.com | Unresolvable |
| vvhvidpeog.com | Unresolvable |
| catvfmsxowehqvfahu.com | Unresolvable |
| tnueoqahys.com | Unresolvable |
| mefqtfwlxrfhguru.com | Unresolvable |
| ticfmjsce.com | Unresolvable |
| dfyxptqjxwtdkjjbiu.com | Unresolvable |
| ilasqwag.com | Unresolvable |
| omsilsdcpdsgpxm.com | Unresolvable |
| kiiwacbehxexixl.com | Unresolvable |
| uxqbewwdunihwscfl.com | Unresolvable |
| hgubujdad.com | Unresolvable |
| expecvmanfaydv.com | Unresolvable |
| fujosogkpsxthf.com | Unresolvable |
| ohpmyviumie.com | Unresolvable |
| ggpmcodfppkjirg.com | Unresolvable |
| pphxfntktjvhgti.com | Unresolvable |
| udvnniovrov.com | Unresolvable |
| yyeyutjgnsfrmswdygl.com | Unresolvable |
| vmhgbribbhm.com | Unresolvable |
| ejjogggfqcmc.com | Unresolvable |
| erfhytwpgitkpgudo.com | Unresolvable |
| bbmfswfgmljwj.com | Unresolvable |
| yqvndqgijbpmx.com | Unresolvable |
| tvxwdutxo.com | Unresolvable |
| oukicfldnvxhrtxvuqr.com | Unresolvable |
| suhfvuljuihmevldp.com | Unresolvable |
| nbvhroptghtmsydrfq.com | Unresolvable |
| mggtqypybfts.com | Unresolvable |
| qanmwnpvpcyqsa.com | Unresolvable |
| iedaagmofvk.com | Unresolvable |
| gjvhfiouvwiqvtewbu.com | Unresolvable |
| jabdfnuridle.com | Unresolvable |
| tfgixgmqhdowexm.com | Unresolvable |
| tfpohsjc.com | Unresolvable |
| egcftpguclkoi.com | Unresolvable |
| dpyeoipbso.com | Unresolvable |
| ynergdikorjg.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwCreateKey
ZwOpenKey
The Trojan installs the following user-mode hooks in WININET.dll:
InternetWriteFile
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
InternetQueryOptionA
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
ZwVdmControl
ZwSetInformationFile
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
e4aed329e777253:2704
02126517951.exe:668
%original file name%.exe:2412
ajvmmkjkbtsibwto.exe:3300 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
C:\hdwe2y7.bin\30849139C22EAD4 (5 bytes)
C:\e4aed329e777253b486d829a394f270cmgr.exe (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.