Detection names: HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Injector.ea (v) (VIPRE), Trojan-Dropper.Small!IK (Emsisoft), Backdoor.Win32.Turkojan.FD, RATTurkojan.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 56e520e5238123988a686a6d8c95c5ad
SHA1: 8765947917c13a0da6150fa362ac2ae9f52f0759
SHA256: e95987cdd7e44cdac5cdb6a8c76428269bd4565e2d2c240cd80d26f3c3ea770b
SSDeep: 6144:JlRSny9iM4c4UpyIqhzzayF6KB qlpoWvexY04hki:xcLW hRiWEv
Size: 344064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: SummerSoft
Created at: 2013-07-18 02:07:03
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
56e520e5238123988a686a6d8c95c5ad.exe:1652
csc.exe:1648
cvtres.exe:892
The Backdoor injects its code into the following process(es):
56e520e5238123988a686a6d8c95c5ad.exe:428
File activity
The process 56e520e5238123988a686a6d8c95c5ad.exe:1652 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.0.cs (196 bytes)
%Documents and Settings%\%current user%\Application Data\56e520e5238123988a686a6d8c95c5ad.exe (6 bytes)
%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.cmdline (238 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.dll (0 bytes)
The process csc.exe:1648 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.dll (3110 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (0 bytes)
The process cvtres.exe:892 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (2912 bytes)
Registry activity
The process 56e520e5238123988a686a6d8c95c5ad.exe:1652 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 5F CA C5 19 F4 29 D2 74 99 29 4F 66 EA 19 89"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"
The process 56e520e5238123988a686a6d8c95c5ad.exe:428 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 3B 51 B5 E7 1C 58 F7 5A 95 86 2D 32 5B 96 A6"
The process csc.exe:1648 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 2A 13 B1 04 34 66 EB 3A 74 5E BB A5 4D DC 22"
The process cvtres.exe:892 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 96 7E F6 CC F9 CF 01 22 4F 55 59 92 6B 76 BA"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
56e520e5238123988a686a6d8c95c5ad.exe:1652
csc.exe:1648
cvtres.exe:892
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.0.cs (196 bytes)
%Documents and Settings%\%current user%\Application Data\56e520e5238123988a686a6d8c95c5ad.exe (6 bytes)
%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.cmdline (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.dll (3110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (2912 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"
- Reboot the computer.