HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.EncPk.acr.gen.2 (v) (VIPRE), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8f0e48a728c6b09a0d2c5e54291d9da1
SHA1: 0aa30d3bb5b43c7c4ba74b948a5096220d7e71f6
SHA256: ddddde4f8b0937c28ccef9f440fce9bc9f2c8bc8efbc13638eb6877db24a3eef
SSDeep: 6144:ENPYV5dhrWjNEZ2m2RO6hct5VVE3bA8wpoBbXWJ4:d1hr6CHuhct5QbdwpoBbmu
Size: 262144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: SoftSafe
Created at: 2010-08-23 19:40:13
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). The detection names (Shiz, Caphaw) and the behaviour recorded below (code injection into another process, user-mode hooks on WinINet, Winsock, CryptoAPI and certificate-validation functions, check-in to a tracked C2 address) are those of a banking backdoor rather than a generic Trojan.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
8f0e48a728c6b09a0d2c5e54291d9da1.exe:2600
The Trojan injects its code into the following process(es):
ctfmon.exe:252
File activity
The process 8f0e48a728c6b09a0d2c5e54291d9da1.exe:2600 makes the following changes to the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\AppPatch\lkmnjl.exe (1805 bytes)
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)
The last two entries are the HKLM\SOFTWARE registry hive and its transaction log. They appear here because the registry writes listed below are flushed to them, not because the Trojan drops anything there; the only genuinely dropped file is lkmnjl.exe (see also the pending rename of lkmnjl.exe_ under Registry activity).
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process 8f0e48a728c6b09a0d2c5e54291d9da1.exe:2600 makes the following changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 60 FA 31 8B 27 4A 7A 42 8B 58 5B 40 F4 EB FD"
(This value is rewritten by Windows whenever a process uses the CryptoAPI random number generator. It shows the Trojan used the RNG; it is not an artifact that needs removing.)
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\lkmnjl.exe_, \??\%WinDir%\apppatch\lkmnjl.exe"
(A MoveFileEx request with MOVEFILE_DELAY_UNTIL_REBOOT: the Session Manager renames lkmnjl.exe_ to lkmnjl.exe early in the next boot, before user-mode scanners run, so the dropped file may be present under either name.)
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"d8cc41db" = (binary data; the value contents did not survive extraction and are omitted here)
(A randomly named binary value under the Winlogon key is not a Windows default; treat it as a Trojan artifact and remove it together with the dropped file.)
The process ctfmon.exe:252 makes the following changes to the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
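The PendingFileRenameOperations entry above is the mechanism by which the dropped file gets its final name at the next boot, and it is worth parsing properly during triage because the value is a REG_MULTI_SZ consumed in pairs: an empty destination means "delete the source", and a destination beginning with "!" means "replace an existing destination". The following Python is an added example, not code from the Lavasoft report; it assumes %WinDir% is C:\WINDOWS, and the sample value (the report's rename plus a constructed delete entry for a temp file) is built inline.

```python
"""Parse a PendingFileRenameOperations value (REG_MULTI_SZ) into boot-time file operations.

Added example, not from the Lavasoft report. The Session Manager consumes the value
at the next boot as (source, destination) string pairs: an empty destination means
'delete source', a destination starting with '!' means 'replace the destination if
it exists'. Paths carry the NT object-manager prefix '\\??\\'.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"


@dataclass
class PendingOp:
    action: str                 # "rename" or "delete"
    source: str                 # Win32 path with the NT prefix stripped
    destination: Optional[str]  # None for a delete
    replace_existing: bool      # destination carried the leading '!'


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(raw: bytes) -> List[PendingOp]:
    """Decode raw REG_MULTI_SZ bytes (UTF-16LE, NUL-separated, NUL-terminated).

    Strings are consumed in pairs; the list ends at the first empty *source*.
    Interior empty strings are kept because an empty destination is meaningful.
    """
    items = raw.decode("utf-16-le").split("\x00")
    ops: List[PendingOp] = []
    i = 0
    while i < len(items) and items[i] != "":
        src = items[i]
        dst = items[i + 1] if i + 1 < len(items) else ""
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt_prefix(src), None, False))
        else:
            replace = dst.startswith("!")
            dst_path = _strip_nt_prefix(dst[1:] if replace else dst)
            ops.append(PendingOp("rename", _strip_nt_prefix(src), dst_path, replace))
        i += 2
    return ops


def suspicious_ops(ops: List[PendingOp],
                   watch_dirs=("\\windows\\apppatch", "\\windows\\system32")) -> List[PendingOp]:
    """Flag operations touching directories that malware commonly drops into."""
    flagged = []
    for op in ops:
        paths = [op.source] + ([op.destination] if op.destination else [])
        if any(w in p.lower() for p in paths for w in watch_dirs):
            flagged.append(op)
    return flagged


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build raw REG_MULTI_SZ bytes from a string list (used to construct sample data)."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


# Constructed sample: the report's rename (with %WinDir% assumed to be C:\WINDOWS)
# followed by a delete entry (empty destination) for a temp file.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\WINDOWS\\apppatch\\lkmnjl.exe_",
    "\\??\\C:\\WINDOWS\\apppatch\\lkmnjl.exe",
    "\\??\\C:\\Documents and Settings\\user\\Local Settings\\Temp\\1.tmp",
    "",
])

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE_VALUE):
        print(op)
```

The parser works from the raw value bytes rather than from a library's REG_MULTI_SZ-to-list conversion, because such conversions typically treat an empty string as the end of the list and would silently drop a pending delete and every entry after it. On a live host, export the key with reg save or read the hive offline and feed the value bytes to parse_pending_ops.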
Network activity (URLs)
URL | IP | Note
---|---|---
hxxp://50.116.56.144/login.php | 50.116.56.144 |
hxxp://173.230.133.99/login.php | 173.230.133.99 | ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 3), Malicious
Both requests go to /login.php on a bare IP address over plain HTTP; the second address was listed on the Emerging Threats C2 tracker at the time of analysis. Treat both as command-and-control endpoints and block them at the perimeter.
Rootkit activity
The Trojan installs user-mode inline hooks on the following API functions. The report names only CRYPT32.dll as a hooked module; the remaining functions are grouped here by the module that exports them:
CRYPT32.dll:
CertVerifyCertificateChainPolicy
WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
InternetReadFile
USER32.dll:
GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage
ADVAPI32.dll:
CryptEncrypt
WS2_32.dll:
WSASend
recv
gethostbyname
WSARecv
send
KERNEL32.dll:
CreateFileW
Taken together this is the man-in-the-browser hook set, consistent with the Shiz/Caphaw detection names above: the WinINet HttpSendRequest*/InternetReadFile* hooks expose submitted form data and let the Trojan alter server responses before the application sees them; the Winsock send/recv/WSASend/WSARecv hooks do the same for software that bypasses WinINet; hooking CertVerifyCertificateChainPolicy lets it suppress certificate-chain errors for intercepted HTTPS sessions; CryptEncrypt sees plaintext before it is encrypted; GetMessage/TranslateMessage/SendInput/GetClipboardData/GetWindowTextA support keystroke and clipboard capture; gethostbyname allows name-resolution redirection; CreateFileW allows file-access interception. These hooks live in user mode inside the processes the Trojan has injected into, so a kernel-only rootkit scan will not necessarily reveal them; the prologues of these exports need to be checked in the affected processes' address spaces.
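Checking for these hooks comes down to reading the first bytes of each export in the affected process and deciding whether they have been rewritten into a jump to code that no loaded module backs. The Python below is an added example, not code from the Lavasoft report or from any analysis tool it names; it encodes the report's hook list, classifies the common 32-bit x86 trampoline forms, and flags redirects whose target is outside every module image. The module address ranges and prologue bytes are constructed sample data (on a live Windows host they would come from EnumProcessModules and ReadProcessMemory).

```python
"""Triage inline (user-mode) API hooks from function prologue bytes.

Added example, not from the Lavasoft report. Given the first bytes of each export
of interest and the address ranges of the legitimately loaded modules, flag any
prologue rewritten into a redirect, and treat a target outside every module image
(injected, unbacked memory) as the strong signal. Sample data is constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Exports this sample hooks, per the report, grouped by the exporting module.
HOOKED_EXPORTS: Dict[str, List[str]] = {
    "crypt32.dll": ["CertVerifyCertificateChainPolicy"],
    "wininet.dll": ["HttpSendRequestExW", "HttpSendRequestExA", "InternetReadFileExA",
                    "InternetReadFileExW", "HttpSendRequestA", "HttpSendRequestW",
                    "InternetQueryDataAvailable", "InternetCloseHandle", "InternetReadFile"],
    "user32.dll": ["GetWindowTextA", "GetClipboardData", "SendInput",
                   "GetMessageA", "GetMessageW", "TranslateMessage"],
    "advapi32.dll": ["CryptEncrypt"],
    "ws2_32.dll": ["WSASend", "recv", "gethostbyname", "WSARecv", "send"],
    "kernel32.dll": ["CreateFileW"],
}


def classify_prologue(prologue: bytes, func_addr: int) -> Optional[Tuple[str, int]]:
    """Return (trampoline kind, target) if the prologue is a 32-bit x86 redirect, else None.

    Recognised forms: E9 rel32 (jmp rel32); FF 25 abs32 (jmp [abs32]; target is the
    pointer slot, not the resolved address); 68 imm32 C3 (push imm32 / ret);
    B8 imm32 FF E0 (mov eax, imm32 / jmp eax). A normal 'mov edi,edi; push ebp'
    prologue yields None.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        return ("jmp [abs32]", struct.unpack_from("<I", prologue, 2)[0])
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return ("push/ret", struct.unpack_from("<I", prologue, 1)[0])
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":
        return ("mov eax/jmp eax", struct.unpack_from("<I", prologue, 1)[0])
    return None


def module_for(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the loaded module whose [base, end) range contains addr, else None."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None


def find_hooks(exports: Dict[Tuple[str, str], Tuple[int, bytes]],
               modules: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, str, int, Optional[str]]]:
    """Return (module, export, kind, target, target_module) for each redirected export.

    A redirect into another loaded module may be a legitimate detour or forwarder,
    so callers should treat target_module None (unbacked memory) as the strong
    signal and review the rest.
    """
    findings = []
    for (mod, name), (addr, prologue) in exports.items():
        hit = classify_prologue(prologue, addr)
        if hit:
            kind, target = hit
            findings.append((mod, name, kind, target, module_for(target, modules)))
    return findings


def _jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode 'jmp rel32' at from_addr landing on to_addr (used to build sample data)."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed sample data; addresses are illustrative, not taken from the report.
SAMPLE_MODULES = {"wininet.dll": (0x71A00000, 0x71A80000), "user32.dll": (0x7E410000, 0x7E4A0000)}
CLEAN = b"\x8b\xff\x55\x8b\xec"  # mov edi,edi ; push ebp ; mov ebp,esp (unhooked prologue)
SAMPLE_EXPORTS = {
    ("wininet.dll", "HttpSendRequestA"): (0x71A12340, _jmp_rel32(0x71A12340, 0x00E40010) + b"\x90"),
    ("wininet.dll", "InternetReadFile"): (0x71A15000, CLEAN + b"\x00"),
    ("user32.dll", "GetMessageA"): (0x7E41A100, b"\x68\x10\x02\xe4\x00\xc3"),  # push 0x00E40210 ; ret
}

if __name__ == "__main__":
    for finding in find_hooks(SAMPLE_EXPORTS, SAMPLE_MODULES):
        print(finding)
```

Comparing the in-memory prologue against the same export's bytes in the on-disk image is the complementary check: it catches hooks written with an instruction form this classifier does not recognise, while the module-range test here separates injected-code targets from detours installed by legitimate software.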
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool. The hooks listed above are user-mode API hooks, so the tool must inspect function prologues inside running processes, not only kernel structures.
- Terminate the malicious process(es) (How to End a Process With the Task Manager):
8f0e48a728c6b09a0d2c5e54291d9da1.exe:2600
Also terminate or restart ctfmon.exe:252, which is hosting the injected code; ctfmon.exe itself is a legitimate Windows binary and must not be deleted.
- Delete the original Trojan file.
- Delete the following file created by the Trojan, under either name (the pending rename listed under Registry activity moves lkmnjl.exe_ to lkmnjl.exe at the next boot):
%WinDir%\AppPatch\lkmnjl.exe (1805 bytes)
%WinDir%\AppPatch\lkmnjl.exe_
- Do not delete %System%\config\software (3028 bytes) or %System%\config\software.LOG (5300 bytes). These are the HKLM\SOFTWARE registry hive and its transaction log; the Trojan modified values inside them but did not create them, and removing them will leave Windows unbootable. Instead, remove the registry artifacts: the "d8cc41db" value under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] and the lkmnjl.exe entries in "PendingFileRenameOperations" under [HKLM\System\CurrentControlSet\Control\Session Manager]. The "Seed" value under the Cryptography\RNG key needs no action.
- Block 50.116.56.144 and 173.230.133.99 at the perimeter and review proxy logs for other hosts requesting /login.php from them.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer, then confirm that neither lkmnjl.exe nor lkmnjl.exe_ is present in %WinDir%\AppPatch and that the Winlogon value has not been recreated.