Detections: HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Jorik!IK (Emsisoft), Trojan.Win32.EyeStye.FD, TrojanEyeStye.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9dbaeed57f5829bf9dd4de9426aa98f5
SHA1: 27975e21fe8988d55b6f52e21b319fb2ba0f4754
SHA256: 50936313de443996fb027e3dd0ea7f080467076d50a36750905fb93dc06cbd90
SSDeep: 3072:G94D32hRfNiG78JUYXFZpF3mXuStQoedCFYNL x34FNp:24bOtNiA8WYXFRW Wd6NL643p
Size: 173056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2002-07-27 08:20:20
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Recycle.Bin.exe:572
File activity
The process Recycle.Bin.exe:572 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):
C:\Recycle.Bin\config.bin (33 bytes)
Registry activity
The process Recycle.Bin.exe:572 makes changes to the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 EE 86 E9 AC 0B C0 90 BB 04 31 13 E4 F1 1E 13"
Network activity (URLs)
No activity has been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpAddRequestHeadersA
HttpOpenRequestA
InternetQueryOptionA
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
NtVdmControl
ZwSetInformationFile
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Recycle.Bin.exe:572
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Recycle.Bin\config.bin (33 bytes)
- Reboot the computer.