HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Inject!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Trojan.Win32.Rimecud.FD, GenericAutorunWorm.YR, BackdoorFarfli.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 46807bc3336b66f922baff1f1330bd26
SHA1: f43d7af9b375a1e38d2cdb99f5eeee91c987d141
SHA256: 4174333c282d26c060a942a55a22dc949b4badbb1f5ab46da008330ab3805048
SSDeep: 1536:GmGiLLpraV/kZD4KTbmsPqB0GZBUMbGlVNbngqKsO95 tx/gVjnKiuDHpDOXHj9a:Gun9Q0rMbSgqKR95 tx/AjnkDJ6XZ7
Size: 187392 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-14 06:24:16
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):The Backdoor injects its code into the following process(es):
247994.exe:1064
File activity
Registry activity
The process 247994.exe:1064 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 67 69 77 24 12 C3 7C D0 BF 98 7B B2 D2 13 FB"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"weby" = "%System%\joloceg.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://loca.betrule.com/c9000.exe | 188.138.89.106 |
| www.treibholzundmeer.de | 188.138.89.106 |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the original Backdoor's process (How to End a Process With the Task Manager).
- Delete the original Backdoor file.
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"weby" = "%System%\joloceg.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.