Trojan.VIZ.Gen.1 (BitDefender), PWS:Win32/Zbot.gen!AM (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Packed.24465 (DrWeb), Trojan.VIZ.Gen.1 (B) (Emsisoft), FakeSecTool-FAZ!75DBBD8467CC (McAfee), Suspicious.Cloud.5 (Symantec), Trojan.VIZ.Gen.1 (FSecure), Generic_s.CAC (AVG), TROJ_GEN.R03EC0RIA13 (TrendMicro), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 75dbbd8467ccac69bf5ff049c3938f49
SHA1: 33929b00e7ca93b9e79b1d00378a286e28044c64
SHA256: 836f9a8bd0a1fbad3670ed7a0ccb655f7277daf7cfaf7f22105a052e998d109d
SSDeep: 6144:faSyRwnN0diGGoy26DnMgqCYT3IvU2KU0pep1/8+2951vJ+USIGbAZ:fabGnKdiGG79qlp28pw/W951RSIG
Size: 304128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-04-18 12:18:53
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
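The hash, size and entropy fields above are what a static triage step produces before the sample is ever executed. The Python below is an added example, not part of the Lavasoft report: it computes the same fields for a constructed buffer and adds a windowed entropy scan, because headers and zero padding can pull a whole-file entropy figure below the cut-off even when a packed section is present. The 7.0 bits-per-byte threshold and the sample buffer are assumptions of the example, and the script does not reproduce the PEiD signature match.

```python
import hashlib
import math
import random
from collections import Counter

# Bits per byte above which a buffer is called packed or encrypted. A common rule of
# thumb, assumed here; the analysis system's own cut-off is not given on the page.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """0.0 for a constant buffer, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = PACKED_THRESHOLD):
    """(offset, entropy) for each window above the threshold. A packed or encrypted
    payload shows up here even when headers and padding drag the whole-file figure down."""
    regions = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            regions.append((off, round(e, 3)))
    return regions


def triage(data: bytes) -> dict:
    """The hash, size and entropy fields of the Summary block, computed from the bytes."""
    e = shannon_entropy(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(e, 3),
        "verdict": "Packed" if e >= PACKED_THRESHOLD else "Not packed",
        "packed_regions": high_entropy_regions(data),
    }


def constructed_sample() -> bytes:
    """Stand-in for a packed executable: an 8 KiB mostly-zero header followed by
    16 KiB of seeded pseudo-random bytes. Constructed, not the sample above."""
    rng = random.Random(1)
    header = b"MZ" + bytes(8190)
    body = bytes(rng.getrandbits(8) for _ in range(16384))
    return header + body


if __name__ == "__main__":
    for k, v in triage(constructed_sample()).items():
        print(f"{k:15} {v}")
```

On the constructed buffer the whole-file verdict is "Not packed" (the zero header dominates) while the windowed scan flags every 4 KiB window of the random body, which is why a per-section or sliding-window figure is the one to trust when the whole-file number sits just under the threshold.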
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
oleb.exe:2896
75dbbd8467ccac69bf5ff049c3938f49.exe:2608
The Trojan injects its code into the following process(es):
ctfmon.exe:252
File activity
The process oleb.exe:2896 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)
The process 75dbbd8467ccac69bf5ff049c3938f49.exe:2608 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FUH46D7.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Dila\oleb.exe (1729 bytes)
The process ctfmon.exe:252 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\ntuser.dat.LOG (3120 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (2428 bytes)
Registry activity
The process oleb.exe:2896 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 42 E7 F0 E2 A9 35 94 46 46 4E 5A 2F 4D 1E D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Yxasihoq]
"27jdb841" = "wA4epcP8fnzwoA==ÇŽ"
The process 75dbbd8467ccac69bf5ff049c3938f49.exe:2608 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 A1 82 2C 35 87 AD DC 47 84 BC 9B CA 39 3A CC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process ctfmon.exe:252 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 2A 41 32 A4 64 EA 8A 44 D1 91 9A 19 EC 97 BC"
[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"
[HKCU\Identities]
"Last Username" = "Main Identity"
[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"
[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"
[HKCU\Identities]
"Identity Login" = "622675"
[HKCU\Software\Microsoft\Yxasihoq]
"238jdg33" = "E4 0E 75 A5"
[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"
[HKCU\Identities]
"Identity Ordinal" = "2"
[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Identities]
"Changing"
[HKCU\Identities]
"OutgoingID"
[HKCU\Identities]
"IncomingID"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
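The process, file and registry sections above describe one chain: the sample writes a batch file into the user's Temp folder, drops a second executable under %Application Data%\Dila, starts it, injects into ctfmon.exe, keeps its configuration under HKCU\Software\Microsoft\Yxasihoq and removes an existing Run value. The Python below is an added example, not part of the Lavasoft report: it turns each step into a rule and runs the rules over constructed Sysmon-style events. The event shape, the allowlist of Microsoft subkeys and the attribution of the injection to oleb.exe (the report names only the target process) are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "file_write", "process_create", "inject", "reg_set" or "reg_delete"
    image: str   # acting process as name:pid, the notation the report uses
    target: str  # file path, child image, injected process, or registry value path


# Subkeys that legitimately sit directly under HKCU\Software\Microsoft. An assumption
# for this example and deliberately short; extend it per environment.
KNOWN_HKCU_MS_SUBKEYS = {"windows", "windows nt", "wab", "internet account manager",
                         "internet explorer", "office"}


def is_unknown_hkcu_ms_key(target: str) -> bool:
    """True for HKCU\\Software\\Microsoft\\<key>\\<value> when <key> is not a known one."""
    parts = target.split("\\")
    return (len(parts) == 5
            and [p.lower() for p in parts[:3]] == ["hkcu", "software", "microsoft"]
            and parts[3].lower() not in KNOWN_HKCU_MS_SUBKEYS)


# One rule per step of the chain in the report: (event kind, predicate on the target).
RULES = {
    # a batch file written into the user's Temp folder (FUH46D7.bat above)
    "temp_bat_drop": ("file_write",
                      re.compile(r"\\Local Settings\\Temp\\[^\\]+\.bat$", re.I).search),
    # an executable dropped one folder below %AppData% (Dila\oleb.exe above)
    "appdata_exe_drop": ("file_write",
                         re.compile(r"\\Application Data\\[^\\]+\\[^\\]+\.exe$", re.I).search),
    # code injected into ctfmon.exe, which never legitimately hosts foreign threads
    "ctfmon_injection": ("inject", re.compile(r"(^|\\)ctfmon\.exe(:\d+)?$", re.I).search),
    # a configuration key created directly under HKCU\Software\Microsoft (Yxasihoq above)
    "hkcu_ms_config_key": ("reg_set", is_unknown_hkcu_ms_key),
    # an existing Run value removed (internat.exe above)
    "run_value_deleted": ("reg_delete",
                          re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                                     re.I).search),
}


def match_events(events):
    """(rule name, event) for every event that satisfies a rule."""
    return [(name, ev) for ev in events
            for name, (kind, pred) in RULES.items()
            if ev.kind == kind and pred(ev.target)]


def assess(events, min_rules=3):
    """Several distinct rules firing on one host is the signal; any single one
    also occurs in benign software."""
    hits = match_events(events)
    rules = sorted({name for name, _ in hits})
    images = sorted({ev.image for _, ev in hits})
    return {"rules": rules, "images": images, "verdict": len(rules) >= min_rules}


# Constructed events mirroring the report's process, file and registry sections.
SAMPLE_EVENTS = [
    Event("file_write", "75dbbd8467ccac69bf5ff049c3938f49.exe:2608",
          r"C:\Documents and Settings\user\Local Settings\Temp\FUH46D7.bat"),
    Event("file_write", "75dbbd8467ccac69bf5ff049c3938f49.exe:2608",
          r"C:\Documents and Settings\user\Application Data\Dila\oleb.exe"),
    Event("process_create", "75dbbd8467ccac69bf5ff049c3938f49.exe:2608", "oleb.exe:2896"),
    # the report names only the injection target; attributing it to oleb.exe is an assumption
    Event("inject", "oleb.exe:2896", "ctfmon.exe:252"),
    Event("reg_set", "oleb.exe:2896", r"HKCU\Software\Microsoft\Yxasihoq\27jdb841"),
    Event("reg_set", "ctfmon.exe:252", r"HKCU\Software\Microsoft\Yxasihoq\238jdg33"),
    Event("reg_delete", "ctfmon.exe:252",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe"),
]

# Constructed benign activity that must not fire.
BENIGN_EVENTS = [
    Event("file_write", "winword.exe:1120",
          r"C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dot"),
    Event("reg_set", "explorer.exe:1488",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData"),
    Event("file_write", "setup.exe:3004", r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for name, ev in match_events(SAMPLE_EVENTS):
        print(f"{name:20} {ev.image} -> {ev.target}")
    print(assess(SAMPLE_EVENTS))
    print(assess(BENIGN_EVENTS))
```

The names in this report (Dila, oleb.exe, Yxasihoq, FUH46D7.bat) look generated, so the rules key on placement rather than on the exact strings; add the exact strings as indicators if a narrow match on this one sample is wanted. A single rule is weak evidence (installers write to Temp, many applications create keys under HKCU\Software\Microsoft), so the verdict only fires when several distinct steps of the chain are seen on the same host.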
Network activity (URLs)
No activity has been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
UnsealMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
oleb.exe:2896
75dbbd8467ccac69bf5ff049c3938f49.exe:2608
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\FUH46D7.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Dila\oleb.exe (1729 bytes)
Note that %Documents and Settings%\%current user%\NTUSER.DAT and ntuser.dat.LOG, also listed under file activity, are the user's registry hive and its transaction log. They were modified because of the registry writes listed above, not because they contain malicious code, and deleting them would destroy the user profile. Clean them by removing the registry values listed above instead, in particular the HKCU\Software\Microsoft\Yxasihoq key.
- Reboot the computer.