Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Agent3!IK (Emsisoft), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 071ab7d191644386fdbe8350518a6580
SHA1: 97550b70fe707877734433e23a1bb71cb56a72a6
SHA256: ce22287d5ee7c6d3be6432e5ce52ee559f2a5df767b84c1fa0bdd9d580c907f1
SSDeep: 6144:P18L9zbs7LHf3xn/KBvHxRzQh4yxxOxrrDuspd6z4 J1A4Rm/Um:t8L9zgnHf39KjRaT0rDNytvtm
Size: 339456 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: StarApp
Created at: 2011-04-19 15:29:51
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
396a809a.exe:860
rundll32.exe:1952
52b404a5.exe:1188
9f208e79.exe:1464
071ab7d191644386fdbe8350518a6580.exe:412
The Backdoor injects its code into the following process(es):
spoolsv.exe:1424
rundll32.exe:1660
File activity
The process spoolsv.exe:1424 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Temp\3.tmp (34 bytes)
The Backdoor deletes the following file(s):
%WinDir%\Temp\3.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
The process 52b404a5.exe:1188 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\aclqlc.dll (110 bytes)
The process 9f208e79.exe:1464 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process 071ab7d191644386fdbe8350518a6580.exe:412 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\396a809a.exe (4014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\52b404a5.exe (11229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9f208e79.exe (15955 bytes)
Registry activity
The process 396a809a.exe:860 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B EE 5E CC 5C FC 2C 81 F2 EE BF 01 74 2A 71 EA"
The process spoolsv.exe:1424 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\4e8061e0]
"imagepath" = "\??\%WinDir%\TEMP\3.tmp"
[HKLM\System\CurrentControlSet\Services\4e8061e0]
"type" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp, , \??\%WinDir%\TEMP\5.tmp,"
[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 2421248672"
[HKLM\System\CurrentControlSet\Control\Print\Providers\2421248672]
"Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2.tmp"
The Backdoor deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\4e8061e0]
[HKLM\System\CurrentControlSet\Services\4e8061e0\Enum]
[HKLM\System\CurrentControlSet\Control\Print\Providers\2421248672]
The process rundll32.exe:1952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 1D 02 13 D0 F1 8B 2E E0 25 AC 17 80 A1 0D 16"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process rundll32.exe:1660 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 21 ED 65 33 CA 58 BB 80 DF A7 7C 48 52 83 AD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "186"
To run itself automatically each time Windows boots, the Backdoor adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\aclqlc.dll,Startup"
The process 52b404a5.exe:1188 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 0A D6 9E DA EF D1 79 34 3D 43 E1 98 98 5E 2B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Ydapup" = "45 01 35 03 32 05 35 07 4D 09 32 0B 4E 0D 39 0F"
The process 9f208e79.exe:1464 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 B0 68 04 C1 E5 70 37 34 FB 91 76 8D 34 B6 29"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"
Network activity (URLs)
URL | IP |
---|---|
hxxp://231307dd080d.fivetag.net/get2.php?c=HUXKCMMH&d=26606B6739343F343E2F676268307D3F222023232024213177757E4469747A2219151A4210121F150E5C434F1168191903740A7103000500010D7E0209040A0C02040476067677700971790E7C6B2C263E27372169646E617E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E48B7B9B7B0B5A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F5F5F5F9FBF9F9FCEB8B8082 | 69.43.161.167 |
hxxp://ww2.231307dd080d.fivetag.net/get2.php?c=HUXKCMMH&d=26606B6739343F343E2F676268307D3F222023232024213177757E4469747A2219151A4210121F150E5C434F1168191903740A7103000500010D7E0209040A0C02040476067677700971790E7C6B2C263E27372169646E617E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E48B7B9B7B0B5A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F5F5F5F9FBF9F9FCEB8B8082 | 208.73.211.29 |
Rootkit activity
Using the driver "UNKNOWN", the Backdoor controls the loading of executable images into memory by installing a load-image notifier.
The Backdoor intercepts DriverStartIO in the miniport driver of the hard drive controller (ATAPI) to handle requests to its own files:
StartIo
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
396a809a.exe:860
rundll32.exe:1952
52b404a5.exe:1188
9f208e79.exe:1464
071ab7d191644386fdbe8350518a6580.exe:412
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%WinDir%\Temp\3.tmp (34 bytes)
%WinDir%\aclqlc.dll (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\396a809a.exe (4014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\52b404a5.exe (11229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9f208e79.exe (15955 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\aclqlc.dll,Startup" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.