Skip to main content

Shiz_03388fb007


Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PWS.Win32.Simda!IK (Emsisoft), Backdoor.Win32.Shiz.FD, BankerGeneric.YR, GenericInjector.YR, Shiz.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 03388fb007a752ab04f16711b91e3120

SHA1: 388caa2783b3abdaffc64df5849385d91057b53d

SHA256: 9711429171024bc7f9917c830545bca87d23c4d498416b5bcf63c6ec24e7a00a

SSDeep: 6144:HQ48pCnPKppDqM2VC 75E8IysL8VrbVOS:HdzPgld2VC78IyI noS

Size: 213504 bytes

File type: PE32

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2001-05-12 05:16:56

Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

03388fb007a752ab04f16711b91e3120.exe:1520

File activity

The process 03388fb007a752ab04f16711b91e3120.exe:1520 makes changes in a file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\software (2549 bytes)
%WinDir%\AppPatch\hlfexgj.dat (1707 bytes)
%System%\config\SOFTWARE.LOG (6307 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process 03388fb007a752ab04f16711b91e3120.exe:1520 makes changes in a system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D A3 D6 8D E1 62 D4 A7 1D 4A DD 80 DD 96 28 97"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "989633816"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\hlfexgj.dat_, \??\%WinDir%\apppatch\hlfexgj.dat"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "%WinDir%\apppatch\hlfexgj.dat"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "03388fb007a752ab04f16711b91e3120.exe"

Network activity (URLs)

URL IP
hxxp://91.195.240.83/login.php


Rootkit activity

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ntdll.dll:

RtlGetNativeSystemInformation

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    03388fb007a752ab04f16711b91e3120.exe:1520

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %System%\config\software (2549 bytes)
    %WinDir%\AppPatch\hlfexgj.dat (1707 bytes)
    %System%\config\SOFTWARE.LOG (6307 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps