HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Gbot!IK (Emsisoft), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 858f4a9c458bb690053461cf5ec6cb44
SHA1: 8932f6daa22c7e3494efaa417b4b2493e1f24d76
SHA256: aaf3799f077ad4d5a861f4593c98c5b0b44d47b4ef0e66fd3fc2ec1a4c875cb7
SSDeep: 6144:hxMcJ6Zvldlv2AGKxdzbWPnmxctZawqrOb Xn9k y/mRFyuk/0:TMsOvldlvtGK3zbWPm2QrpX9JA8F7
Size: 302592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-11-27 12:50:29
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
858f4a9c458bb69:292
858f4a9c458bb690053461cf5ec6cb44.exe:2244
msiexec.exe:3832
The Backdoor injects its code into the following process(es):
858f4a9c458bb690053461cf5ec6cb44.exe:2376
1.tmp:2060
File activity
The process 858f4a9c458bb690053461cf5ec6cb44.exe:2376 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\software.LOG (5028 bytes)
%System%\config\software (1696 bytes)
%Program Files%\LP\F2F4\C29.exe (296082 bytes)
%Program Files%\LP\F2F4\1.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\443B0\0B72.43B (3946 bytes)
Registry activity
The process 858f4a9c458bb69:292 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C BF 24 F3 B9 25 31 9F 36 1D 1D 50 02 4C EC 64"
The process 858f4a9c458bb690053461cf5ec6cb44.exe:2244 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 1E 92 06 52 E8 DE 7F D3 73 63 76 BF 86 18 60"
The process 858f4a9c458bb690053461cf5ec6cb44.exe:2376 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 2A E6 AD 8D 66 C4 9C 5C C5 BE DC 2D 92 99 0A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:62667"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 03 00 00 00 14 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\F2F4\C29.exe"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process 1.tmp:2060 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 CC B5 EC FD 83 82 CE 7F CA E5 15 2C 0C 98 27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\WinRAR]
"HWID" = "7B 34 46 41 39 41 41 43 38 2D 38 43 30 38 2D 34"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process msiexec.exe:3832 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 37 41 50 0C 5C FF 94 2B 27 2A 9F FF D1 B4 A1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://alleducationalsoftware.com/creditcard2.png?sv=250&tq=gJ4WK/SUh5zAhRMw9YLJkMSTUivqg4acxZJVK+/bxWq1SfkIYWhh | 98.136.241.156 |
| hxxp://767113.parkingcrew.net/logo.png?sv=789&tq=gL5HtzoYwLzEpUb5fU3HxcWxAPw6EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU= | |
| hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
| hxxp://z3b2ykpa.firoli-sys.com/logo.png?sv=544&tq=gKZEtzoYwLzEvUb5dQzRsrCqBfMkTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= | 208.87.35.103 |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| crl.verisign.com | 23.60.133.163 |
| f27f9k1.hoststorageforyou.com | 62.116.143.17 |
| csc3-2009-2-crl.verisign.com | 23.60.133.163 |
| csc3-2009-crl.verisign.com | 23.60.133.163 |
| transersdataforme.com | 192.155.89.148 |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
858f4a9c458bb69:292
858f4a9c458bb690053461cf5ec6cb44.exe:2244 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\software.LOG (5028 bytes)
%Program Files%\LP\F2F4\C29.exe (296082 bytes)
%Program Files%\LP\F2F4\1.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\443B0\0B72.43B (3946 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\F2F4\C29.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.