Trojan-Dropper.Win32.Mudrop.qrw (Kaspersky), Trojan.Win32.Encpk.zqa (v) (VIPRE), Trojan-Downloader.Win32.Karagany!IK (Emsisoft), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7f982a6ff9b2b415996b0de841c0467a
SHA1: 7eb3f0e0ef291e088eee863c29530e48b2c8f7e1
SHA256: d06be3de20c8e89789ff08c7cbb43c3895eefd8487a5f3093f2e403f7eaf3d5d
SSDeep: 6144: n3k5ZmCwYoKIxwG9iXe0mZagAN Fc7QRbROsJltYJzL35hVoh/InUoFSi2UhlT6: 3SRjoKIxwG9iXO5ugMs3A35fJND6Av
Size: 369152 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-30 16:10:12
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
9bfe054b.exe:208
rundll32.exe:220
3f1227d7.exe:1848
63bfcc0f.exe:488
7f982a6ff9b2b415996b0de841c0467a.exe:1480
The Backdoor injects its code into the following process(es):
spoolsv.exe:1436
rundll32.exe:1100
File activity
The process wuauclt.exe:344 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
The process 9bfe054b.exe:208 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (1281 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process spoolsv.exe:1436 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Temp\3.tmp (46 bytes)
The Backdoor deletes the following file(s):
%WinDir%\Temp\3.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
The process 63bfcc0f.exe:488 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\srdilnkb.dll (118 bytes)
The process 7f982a6ff9b2b415996b0de841c0467a.exe:1480 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\9bfe054b.exe (16070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f1227d7.exe (2065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\63bfcc0f.exe (10230 bytes)
Registry activity
The process Reader_sl.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 9bfe054b.exe:208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 07 B6 6B 5E AE 41 94 36 F2 97 0B F6 8B 8C 25"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"
The process spoolsv.exe:1436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\System\CurrentControlSet\Services\d1a564c0]
"imagepath" = "\??\%WinDir%\TEMP\3.tmp"
[HKLM\System\CurrentControlSet\Services\d1a564c0]
"type" = "1"
[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 496339680"
[HKLM\System\CurrentControlSet\Control\Print\Providers\496339680]
"Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2.tmp"
The Backdoor deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\d1a564c0]
[HKLM\System\CurrentControlSet\Services\d1a564c0\Enum]
[HKLM\System\CurrentControlSet\Control\Print\Providers\496339680]
The process rundll32.exe:1100 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 6E F2 F0 0C 61 30 B5 46 D1 F6 1D 64 BF 13 01"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "192"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\srdilnkb.dll,Startup"
The process rundll32.exe:220 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 9D C1 FE 57 D3 ED A8 5B DF 0A EF EC 01 3B A2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process 3f1227d7.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 D8 C5 F6 D4 F8 A8 CF 44 8B 3E 66 B5 F3 32 F5"
The process 63bfcc0f.exe:488 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF E3 26 A8 E5 3E 3D 5A AB 24 BA 3F BB 2E 04 53"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Ydapup" = "44 01 35 03 36 05 30 07 4A 09 49 0B 4F 0D 38 0F"
The process 7f982a6ff9b2b415996b0de841c0467a.exe:1480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 6B 46 48 A6 4A D5 76 75 CE 0E 93 70 78 EB 27"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://011407dd091b.roonyx.net/get2.php?c=HUXKCMMH&d=26606B6739343F303D2F676268307D3F2220232323272E3177757E4469747A2219151A4210121F150E5C434F1169191D06737170020D7205790D797E0E7F080E757204017D030574707B7F79746B2C263E27372169646F657E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E4CB6B1B5B2BCA3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F4F4F7FBF8F2FFFEEB8B8082 | 69.43.161.167 |
| hxxp://ww1.011407dd091b.roonyx.net/get2.php?c=HUXKCMMH&d=26606B6739343F303D2F676268307D3F2220232323272E3177757E4469747A2219151A4210121F150E5C434F1169191D06737170020D7205790D797E0E7F080E757204017D030574707B7F79746B2C263E27372169646F657E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E4CB6B1B5B2BCA3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F4F4F7FBF8F2FFFEEB8B8082 | 91.195.240.84 |
Rootkit activity
Using the driver "UNKNOWN", the Backdoor controls the loading of executable images into memory by installing a load-image notifier.
The Backdoor intercepts DriverStartIO in the miniport driver of the hard drive controller (ATAPI) to handle requests to its own files:
StartIo
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
9bfe054b.exe:208
rundll32.exe:220
3f1227d7.exe:1848
63bfcc0f.exe:488
7f982a6ff9b2b415996b0de841c0467a.exe:1480
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (1281 bytes)
%WinDir%\Temp\3.tmp (46 bytes)
%WinDir%\srdilnkb.dll (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9bfe054b.exe (16070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f1227d7.exe (2065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\63bfcc0f.exe (10230 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\srdilnkb.dll,Startup"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.