Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PWS.Win32.Simda!IK (Emsisoft), Backdoor.Win32.Shiz.FD, BankerGeneric.YR, GenericInjector.YR, Shiz.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 03388fb007a752ab04f16711b91e3120
SHA1: 388caa2783b3abdaffc64df5849385d91057b53d
SHA256: 9711429171024bc7f9917c830545bca87d23c4d498416b5bcf63c6ec24e7a00a
SSDeep: 6144:HQ48pCnPKppDqM2VC 75E8IysL8VrbVOS:HdzPgld2VC78IyI noS
Size: 213504 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2001-05-12 05:16:56
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
03388fb007a752ab04f16711b91e3120.exe:1520
File activity
The process 03388fb007a752ab04f16711b91e3120.exe:1520 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (2549 bytes)
%WinDir%\AppPatch\hlfexgj.dat (1707 bytes)
%System%\config\SOFTWARE.LOG (6307 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process 03388fb007a752ab04f16711b91e3120.exe:1520 makes changes to the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D A3 D6 8D E1 62 D4 A7 1D 4A DD 80 DD 96 28 97"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "989633816"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\hlfexgj.dat_, \??\%WinDir%\apppatch\hlfexgj.dat"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "%WinDir%\apppatch\hlfexgj.dat"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "03388fb007a752ab04f16711b91e3120.exe"
Network activity (URLs)
URL | IP
---|---
hxxp://91.195.240.83/login.php | 91.195.240.83
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll (message-loop and clipboard functions; hooking them lets the Trojan read keystrokes and clipboard contents, which fits the banker/password-stealer classification above):
GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage
The Trojan installs the following user-mode hook in ntdll.dll (a system-information query routine, the native counterpart of NtQuerySystemInformation; hooking it is a common way to filter the Trojan's own process out of enumeration results):
RtlGetNativeSystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
03388fb007a752ab04f16711b91e3120.exe:1520
- Delete the original Trojan file.
- Delete or disinfect the following files created by the Trojan:
%WinDir%\AppPatch\hlfexgj.dat (1707 bytes)
%WinDir%\AppPatch\hlfexgj.dat_ (staged copy referenced by PendingFileRenameOperations, if present)
Do not delete %System%\config\software or %System%\config\SOFTWARE.LOG, although the file activity section lists them: they are the SOFTWARE registry hive and its transaction log, and the sandbox recorded writes to them only because the Trojan wrote to the registry. Removing them leaves Windows unable to boot.
- Remove the persistence entries the Trojan added to the registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "a8a67a25"
the hlfexgj.dat entries in [HKLM\System\CurrentControlSet\Control\Session Manager] "PendingFileRenameOperations"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
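The PowerShell script below is an added example; it is not part of the Lavasoft report and is not Lavasoft's tooling. It turns the indicators in this report (the dropped file in AppPatch, the Winlogon value, the PendingFileRenameOperations entry and the sample's SHA256) into a host check that reports what it finds and, only with the -Remove switch (an assumption of this example), terminates the process and removes the file and the two registry entries. It assumes PowerShell 4 or later for Get-FileHash, an elevated prompt, and that the dropped file name is the one the sandbox observed; the Winlogon check matches on the data rather than the value name, since "a8a67a25" looks generated and may differ between infections. It deliberately leaves the registry hive files alone.

```powershell
<#
  Added triage script; not part of the Lavasoft report and not Lavasoft's tooling.
  Checks a host for the indicators the report lists and, only with -Remove, kills the
  process and removes the dropped file and the two registry entries. The registry hive
  files %System%\config\software and SOFTWARE.LOG are left untouched on purpose.
  Run from an elevated PowerShell (4 or later) prompt on the affected host.
#>
param([switch]$Remove)

# Indicators taken from the report's Summary, File activity and Registry activity sections.
$SampleSha256 = '9711429171024bc7f9917c830545bca87d23c4d498416b5bcf63c6ec24e7a00a'
$DropPath     = Join-Path $env:WINDIR 'AppPatch\hlfexgj.dat'
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SessMgrKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$DropPattern  = 'apppatch\\hlfexgj\.dat'   # regex; matches hlfexgj.dat and the staged hlfexgj.dat_

$findings = New-Object System.Collections.Generic.List[string]

# 1. Running process whose image is the sample. The sandbox named it <md5>.exe:1520; on a
#    real host the file name is arbitrary, so compare the image hash instead of the name.
#    Done first so that the file removal in step 4 is not blocked by an open handle.
foreach ($p in (Get-Process | Where-Object { $_.Path })) {
    try {
        $hash = (Get-FileHash -LiteralPath $p.Path -Algorithm SHA256).Hash.ToLower()
    } catch { continue }                   # image not readable (protected process, access denied)
    if ($hash -eq $SampleSha256) {
        $findings.Add("PID $($p.Id): $($p.Path) matches sample SHA256")
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Winlogon persistence. The report's value name 'a8a67a25' looks generated, so match on
#    the data (a .dat under AppPatch) rather than on the name. Legitimate Winlogon values
#    (Shell, Userinit, ...) do not point there.
$wl = Get-ItemProperty -Path $WinlogonKey
foreach ($prop in $wl.PSObject.Properties) {
    if ($prop.Value -is [string] -and $prop.Value -match '\\apppatch\\[^\\]+\.dat$') {
        $findings.Add("Winlogon value '$($prop.Name)' = '$($prop.Value)'")
        if ($Remove) { Remove-ItemProperty -Path $WinlogonKey -Name $prop.Name }
    }
}

# 3. PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs. The report's
#    entry renames hlfexgj.dat_ to hlfexgj.dat at the next boot. Both halves of that pair
#    match $DropPattern, so filtering on it drops the pair without orphaning an entry.
$pfro = (Get-ItemProperty -Path $SessMgrKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pfro) {
    $hits = @($pfro | Where-Object { $_ -match $DropPattern })
    if ($hits.Count -gt 0) {
        $findings.Add("PendingFileRenameOperations: $($hits -join ' | ')")
        if ($Remove) {
            $keep = @($pfro | Where-Object { $_ -notmatch $DropPattern })
            if ($keep.Count -eq 0) {
                Remove-ItemProperty -Path $SessMgrKey -Name PendingFileRenameOperations
            } else {
                Set-ItemProperty -Path $SessMgrKey -Name PendingFileRenameOperations -Value ([string[]]$keep)
            }
        }
    }
}

# 4. Dropped payload and its staged copy. Record size and hash before deleting so the
#    evidence survives the cleanup.
foreach ($f in @($DropPath, "${DropPath}_")) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
        $size = (Get-Item -LiteralPath $f).Length
        $findings.Add("File present: $f ($size bytes, SHA256 $h)")
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the report were found.' } else { $findings }
```

Run it once without -Remove to collect the findings (and copy hlfexgj.dat off the host if you want to analyse it), then again with -Remove, and reboot as the removal steps above say so that the deleted PendingFileRenameOperations pair cannot be replayed. The only network indicator in the report, hxxp://91.195.240.83/login.php, is best handled at the proxy or firewall rather than on the host, so the script does not touch it.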