Skip to main content

DDoS.Win32.Nitol_efa8c342df


Trojan.Microfake.D (BitDefender), Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), DDoS.Rincux.316 (DrWeb), Trojan.Microfake.D (B) (Emsisoft), Trojan-FCKC!EFA8C342DFF5 (McAfee), Backdoor.Trojan (Symantec), Trojan.Win32.ServStart (Ikarus), Generic21.ANLJ (AVG), Win32:Malware-gen (Avast), TROJ_GEN.F0C2C00KF13 (TrendMicro), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: efa8c342dff536ddbdd9bb4b93115c9f

SHA1: 8f842aea3409edc7cb6ce430e34d89662e5d9d6a

SHA256: a507d4afb2a6aee2efc4dfaad4828e4f360c4872684fb7ffed547b4774be7558

SSDeep: 1536:Vmeq7WuHEqU0xlayH2mmJ7KKugJz2NKXnvaLk:VdeHEKuyH2vJ7KsyNIag

Size: 71168 bytes

File type: DLL

Platform: WIN32

Entropy: Probably Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-06-08 12:59:36

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The DDoS creates the following process(es):

dwwin.exe:1464
regsvr32.exe:1792
hrl1.tmp:1560

File activity

The process dwwin.exe:1464 makes changes in the file system.


The DDoS creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q50NKF49\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CWK2PQBY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\S96Z4XA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\4L2VW563\desktop.ini (67 bytes)

The process regsvr32.exe:1792 makes changes in the file system.


The DDoS creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)

The process hrl1.tmp:1560 makes changes in the file system.


The DDoS creates and/or writes to the following file(s):

%System%\hydhyi.exe (63 bytes)

Registry activity

The process regsvr32.exe:1792 makes changes in the system registry.


The DDoS creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A AD C9 E3 AA 25 95 1D A0 82 58 75 4D 3B 55 11"

Network activity (URLs)

URL IP
ytrkkq.comUnresolvable
zsgjyb.comUnresolvable
uirlhu.comUnresolvable
eiyeie.comUnresolvable
gjaiqe.comUnresolvable
okjsuu.comUnresolvable
ttcbzi.comUnresolvable


HOSTS file anomalies

The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.Brenz.pl


Rootkit activity

The DDoS installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:1464
    regsvr32.exe:1792
    hrl1.tmp:1560

  3. Delete the original DDoS file.
  4. Delete or disinfect the following files created/modified by the DDoS:

    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q50NKF49\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CWK2PQBY\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\S96Z4XA3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\4L2VW563\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
    %System%\hydhyi.exe (63 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps