Trojan.Win32.Jorik.ServStart.sf (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Virus.Win32.DsBot!IK (Emsisoft), DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 011d1e05bb63314922936d02b63a7a93
SHA1: 8177364ddcdc3ffb6560ea461624115b41b2a47f
SHA256: 0be1f07c4276dfce4aa7af72b23c45e59cec8fd151e78c54c50ed75105581fe7
SSDeep: 768:I0j4vEgVWfCXjF abNcErQdkIQQDiu80NYXKMujj f6GuhU7nU1lKSU4BQdRfQqU:I0mVWfcEgNcEiQcQaMuvq8MZ2wQqex1
Size: 85867 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: undocumentedFPUinstructions; UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-29 12:54:10
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
011d1e05bb63314922936d02b63a7a93.exe:1308
Of these, only 011d1e05bb63314922936d02b63a7a93.exe:1308 is the sample itself. Reader_sl.exe (Adobe Reader Speed Launcher), wuauclt.exe (Windows Update Automatic Update client) and jusched.exe (Java Update Scheduler) are legitimate components of the analysis image that happened to be active; their file and registry activity below should not be treated as indicators.
The Trojan injects its code into the following process(es):
qqucqg.exe:2012
File activity
The process wuauclt.exe:344 makes changes in the file system. This is the Windows Update client; the SoftwareDistribution\DataStore entries below are its own ESE database, checkpoint and log files and are not attributable to the Trojan.
It creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in the file system. This is the Java Update Scheduler writing its own log; the file is not attributable to the Trojan.
It creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
The process 011d1e05bb63314922936d02b63a7a93.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\qqucqg.exe (601 bytes)
This small dropped executable is the one later seen running as qqucqg.exe:2012 and receiving injected code; it is the main host-based indicator on this page.
Registry activity
The process Reader_sl.exe:1064 makes changes in the system registry. The MountPoints2 and Shell Folders values below are maintained by the Windows shell for mounted volumes and known folders and are written as a side effect of ordinary shell API calls; they are not indicators.
It creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process qqucqg.exe:2012 makes changes in the system registry. The RNG Seed value is rewritten by the Windows CryptoAPI whenever a process draws from the system random-number provider; it shows the injected code used the crypto API but the value itself is not an indicator.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 65 DF 25 AE 61 2E B9 F1 74 55 C3 2A 31 F3 76"
The process 011d1e05bb63314922936d02b63a7a93.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 A2 C9 D9 90 9F ED 62 ED 8F 4D 8C 61 E9 0F 6B"
(CryptoAPI housekeeping, as above; not an indicator.)
[HKLM\System\CurrentControlSet\Services\aspnet_states]
"Description" = "Provides support for out-of-to-process"
This service entry is the sample's persistence mechanism. The name mimics the legitimate ASP.NET State Service, whose service name is aspnet_state, and the description (including its typo) imitates that service's text "Provides support for out-of-process session states for ASP.NET". The monitor records only the Description value written by the sample; the rest of the service key (ImagePath, Start, etc.) is written by the Service Control Manager when the service is registered, so check the full key when triaging a host.
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SOFTWARE.LOG,"
Network activity (URLs)
No activity has been detected. Two of the vendor names above (DsBot, DDoSNitol) classify the sample as a DDoS bot; no traffic during the analysis window most likely means the controller was not reached, and is not evidence that the sample lacks network capability.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
qqucqg.exe:2012
011d1e05bb63314922936d02b63a7a93.exe:1308
(wuauclt.exe:344, listed by the automated analysis, is the Windows Update client and should be left running.)
- Delete the original Trojan file.
- Delete the following file created by the Trojan:
%System%\qqucqg.exe (601 bytes)
- Remove the service entry the Trojan registered, so that it is not started again at boot:
[HKLM\System\CurrentControlSet\Services\aspnet_states]
- Leave the remaining files listed under File activity in place: the SoftwareDistribution\DataStore files belong to Windows Update and jusched.log to the Java Update Scheduler; neither was created by the Trojan.
- Reboot the computer.
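The manual steps can be turned into a repeatable host check. The PowerShell script below is an added example and is not part of the Lavasoft report or its tooling: the dropped-file path, the service name and the SHA256 are taken from the report above, while the script name (triage.ps1) and the -Remove and -Candidate parameters are assumptions of this example. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt, reports the indicators it finds, and only cleans up when -Remove is given. It deliberately leaves the Windows Update DataStore files and jusched.log alone.

```powershell
# triage.ps1 (hypothetical name): check a host for the indicators in this report
# and optionally remove them. Added example, not Lavasoft code. Paths, service
# name and SHA256 come from the report; -Remove/-Candidate are this script's own.
param(
    [switch]$Remove,          # without it, the script only reports
    [string]$Candidate = ''   # optional path to a suspected copy of the sample
)

$SampleSha256 = '0be1f07c4276dfce4aa7af72b23c45e59cec8fd151e78c54c50ed75105581fe7'
$DroppedFile  = Join-Path $env:SystemRoot 'System32\qqucqg.exe'
$ServiceName  = 'aspnet_states'   # legitimate ASP.NET State Service is 'aspnet_state'
$ServiceKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Returns $true when the file at $Path has the SHA256 listed in the report.
function Test-SampleHash {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($hash -ieq $SampleSha256)
}

$findings = @()

# 1. Dropped loader and any process started from it.
if (Test-Path -LiteralPath $DroppedFile) {
    $size = (Get-Item -LiteralPath $DroppedFile).Length
    $findings += "dropped file present: $DroppedFile ($size bytes; report lists 601)"
}
$procs = @(Get-Process -Name 'qqucqg' -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $findings += "qqucqg.exe running as PID $($p.Id)" }

# 2. Persistence. The report shows only the Description value; ImagePath is read
#    as well so the analyst sees what the Service Control Manager would launch.
if (Test-Path -LiteralPath $ServiceKey) {
    $svc = Get-ItemProperty -LiteralPath $ServiceKey
    $findings += "service '$ServiceName' registered: Description='$($svc.Description)' ImagePath='$($svc.ImagePath)'"
}

# 3. Optional: compare a candidate file against the sample's SHA256.
if ($Candidate -and (Test-SampleHash -Path $Candidate)) {
    $findings += "file $Candidate matches the sample SHA256"
}

if ($findings.Count -eq 0) {
    Write-Output '[+] none of the indicators from the report were found'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}

if ($Remove -and $findings.Count -gt 0) {
    # Order matters: stop the process that holds the file open, remove the
    # service so the SCM cannot restart it, then delete the file.
    foreach ($p in $procs) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $ServiceName | Out-Null
    } elseif (Test-Path -LiteralPath $ServiceKey) {
        # Key present but the SCM does not know the service yet (no reboot since
        # registration): remove the key directly.
        Remove-Item -LiteralPath $ServiceKey -Recurse -Force
    }
    if (Test-Path -LiteralPath $DroppedFile) { Remove-Item -LiteralPath $DroppedFile -Force }
    if ($Candidate -and (Test-SampleHash -Path $Candidate)) { Remove-Item -LiteralPath $Candidate -Force }
    # The Windows Update DataStore files and jusched.log are deliberately not
    # touched: they belong to wuauclt.exe and jusched.exe, not to the Trojan.
    Write-Output '[*] cleanup done; reboot and re-run without -Remove to confirm'
}
```

Run it once without arguments to see what is present, then with -Remove (and -Candidate pointing at the suspected original file, if you have one). After the reboot, a second run without -Remove should report no indicators; if the service key or qqucqg.exe reappears, another copy of the loader is still present and the host needs a broader look than this report supports.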