Trojan.Microfake.D (BitDefender), Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), DDoS.Rincux.316 (DrWeb), Trojan.Microfake.D (B) (Emsisoft), Trojan-FCKC!EFA8C342DFF5 (McAfee), Backdoor.Trojan (Symantec), Trojan.Win32.ServStart (Ikarus), Generic21.ANLJ (AVG), Win32:Malware-gen (Avast), TROJ_GEN.F0C2C00KF13 (TrendMicro), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: efa8c342dff536ddbdd9bb4b93115c9f
SHA1: 8f842aea3409edc7cb6ce430e34d89662e5d9d6a
SHA256: a507d4afb2a6aee2efc4dfaad4828e4f360c4872684fb7ffed547b4774be7558
SSDeep: 1536:Vmeq7WuHEqU0xlayH2mmJ7KKugJz2NKXnvaLk:VdeHEKuyH2vJ7KsyNIag
Size: 71168 bytes
File type: DLL
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The DDoS creates the following process(es):
dwwin.exe:1464
regsvr32.exe:1792
hrl1.tmp:1560
File activity
The process dwwin.exe:1464 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q50NKF49\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CWK2PQBY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\S96Z4XA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\4L2VW563\desktop.ini (67 bytes)
The process regsvr32.exe:1792 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
The process hrl1.tmp:1560 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%System%\hydhyi.exe (63 bytes)
Registry activity
The process regsvr32.exe:1792 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A AD C9 E3 AA 25 95 1D A0 82 58 75 4D 3B 55 11"
Network activity (URLs)
URL | IP |
---|---|
ytrkkq.com | Unresolvable |
zsgjyb.com | Unresolvable |
uirlhu.com | Unresolvable |
eiyeie.com | Unresolvable |
gjaiqe.com | Unresolvable |
okjsuu.com | Unresolvable |
ttcbzi.com | Unresolvable |
HOSTS file anomalies
The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.Brenz.pl |
Rootkit activity
The DDoS installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1464
regsvr32.exe:1792
hrl1.tmp:1560 - Delete the original DDoS file.
- Delete or disinfect the following files created/modified by the DDoS:
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q50NKF49\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CWK2PQBY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\S96Z4XA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\4L2VW563\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
%System%\hydhyi.exe (63 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.