Detection names: Susp_Dropper (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Backdoor.Win32.Shiz!IK (Emsisoft), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor
This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 171279fab5510a3668c2090114c539c0
SHA1: 5dd0b3e7b0071c164972de521ffe7f9d017f991c
SHA256: b82e15150317911f941dbaca9c17b7b5f298cb1d9831c5ce5f6913450ff56388
SSDeep: 3072:UcHxzcOaRSqHjWExEbTywK9fkCuEsO2vND3lcj0Nn8CIaXxmVpQ4xM1jD:BHSSq6uuO9fIEyNDyjR/awp3xM1P
Size: 208896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2004-12-03 02:32:14
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
171279fab5510a3668c2090114c539c0.exe:2632
The Trojan injects its code into the following process(es):
ctfmon.exe:252
File activity
The process 171279fab5510a3668c2090114c539c0.exe:2632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)
%WinDir%\AppPatch\ibigpox.exe (1697 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process 171279fab5510a3668c2090114c539c0.exe:2632 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 9C B2 3E 1A 47 C9 FF B5 17 90 C2 1A 31 71 34"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\ibigpox.exe_, \??\%WinDir%\apppatch\ibigpox.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"d8cc41db" = "ÂÂCêkæÚ`Ã¥D 5õÃâ€PÃ¥KP£yp.)Üàâ€Â¸a4d‚\yìqÂÂA}(Äé¼ü4|Âá@â€Â°™,¡¤üHrѼ©€©â€Â´D0}éiXª¸|Èy4¡RYÑúiÂÂèmѩȄIáØð±¼(¤ ádI򯬓dËœ XYâÀeÅ“iü¥AÅ¡Ii¸rÂ¥(¡A\y 9€éñ$ZÃâ€axÙ9" (binary value; rendered here as mis-decoded text)
The process ctfmon.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Network activity (URLs)
URL | IP |
---|---|
hxxp://198.74.50.135/login.php | |
hxxp://109.74.196.143/login.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 1), Malicious) | |
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage
RtlGetNativeSystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
171279fab5510a3668c2090114c539c0.exe:2632
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)
%WinDir%\AppPatch\ibigpox.exe (1697 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.