VirTool:Win32/CeeInject (Microsoft), Trojan.Win32.Neurevt.kb (Kaspersky), Trojan.DownLoader9.22851 (DrWeb), Artemis!C0D2E08C3F0D (McAfee), WS.Reputation.1 (Symantec), Inject2.GPM (AVG), Win32:Crypt-QEA [Trj] (Avast), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, Sinowal.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c0d2e08c3f0d964858b8a9788aa6732e
SHA1: fd8749ed0eedb4ca07803565881a706c8869bd01
SHA256: 917627c7e3dec25d7eb80020c98804c8ff993922da9f0076200a8d4b6927a7ef
SSDeep: 6144:MTKdP784r0r2H/FQ4IoRKbxvXfHixWjovW1:phrJHK4L6/ixU
Size: 226617 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-13 16:02:03
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
ogtxcdlddjv.exe:476
%original file name%.exe:1796
%original file name%.exe:276
schtasks.exe:1860
schtasks.exe:1676
The Worm injects its code into the following process(es):
javaupd.exe:1772
idletask.exe:1924
File activity
The process ogtxcdlddjv.exe:476 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (16158 bytes)
%Program Files%\Java\jre7\javaupd.exe (16158 bytes)
The process %original file name%.exe:276 makes changes in the file system.
The Worm deletes the following file(s):
%Program Files%\Common Files\blacksilver0\00092d6d.txt (0 bytes)
The process javaupd.exe:1772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (16158 bytes)
%Program Files%\Common Files\mpir.dll (3929 bytes)
%Program Files%\Common Files\idletask.exe (3193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (5817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1857 bytes)
%Program Files%\Common Files\msvcp100.dll (4257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1857 bytes)
%Program Files%\Common Files\msvcr100.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1625 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
Registry activity
The process ogtxcdlddjv.exe:476 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE CF 44 E0 BF 0B 3D DF F6 2D CD 25 89 0C EA 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The Worm modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
The Worm modifies IE security zone settings to map all local web-nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
The process %original file name%.exe:1796 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 D1 71 03 E3 FC EA FF F0 97 A4 16 63 6D 76 26"
The process %original file name%.exe:276 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E E8 F1 DD 20 56 5C 68 68 88 F1 6A 37 1D 05 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CG1]
"BID" = "20 00 08 00 0F 00 0B 00 DD 07 00 00 14 00 88 FF"
[HKCU\Software\Win7zip]
"Uuid" = "34 C5 5D 5D 81 77 17 4D 8C 39 0B 7D 84 E4 70 0B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CG1]
"HAL" = "05 EE 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfwhhydlr.exe]
"DisableExceptionChainValidation" = ""
The process javaupd.exe:1772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CW1]
"1772" = "88 00 00 00 C8 01 00 00 31 06 38 01 22 01 0A 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files]
"idletask.exe" = "idletask"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 0A 68 56 02 8E CE 8E F9 82 F5 70 3D D9 BD 3F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Worm modifies IE security zone settings to map all local web-nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
The process schtasks.exe:1860 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC F2 C9 EB B3 A0 63 EF 4F C0 B1 D4 79 76 E2 47"
The process schtasks.exe:1676 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 A4 76 D6 AA 1D BB 4D 09 79 9E E0 AB 17 C5 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process idletask.exe:1924 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC BA 7C 39 70 48 41 2F A7 5E D8 57 34 B4 CD 71"
[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CW1]
"1924" = "88 00 00 00 80 01 00 00 31 06 18 00 12 01 0A 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Network activity (URLs)
URL | IP |
---|---|
hxxp://dayzstreaming.co.uk/gato/order.php | 37.221.170.194 |
hxxp://dayzstreaming.co.uk/javaupd.exe (Malicious) | |
update.microsoft.com | 65.55.163.222 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in dnsapi.dll:
DnsQuery_W
The Worm installs the following user-mode hooks in WS2_32.dll:
gethostbyname
getaddrinfo
GetAddrInfoW
The Worm installs the following user-mode hooks in ntdll.dll:
KiFastSystemCall
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ogtxcdlddjv.exe:476
%original file name%.exe:1796
%original file name%.exe:276
schtasks.exe:1860
schtasks.exe:1676
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (16158 bytes)
%Program Files%\Java\jre7\javaupd.exe (16158 bytes)
%Program Files%\Common Files\mpir.dll (3929 bytes)
%Program Files%\Common Files\idletask.exe (3193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (5817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1857 bytes)
%Program Files%\Common Files\msvcp100.dll (4257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1857 bytes)
%Program Files%\Common Files\msvcr100.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1625 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.