HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Win32.SuspectCrc!IK (Emsisoft), Backdoor.Win32.Xtrat.FD, GenericInjector.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e400a23d9a8943e045b4f2cf41e1fad5
SHA1: 3baa7ee161afef1a79fbb46f29d9740697e46ba1
SHA256: 1f83c716fc174f4e7a7a54b1b827689757f53d3548aedba53d4158787083fa5f
SSDeep: 3072:E67I9NObbbb7PAbFbbbbbAauBTDejBbGou4N2aLHCWNZ0gXN26nbbbbbbbbbbbb/:tUmBTDeVhLlBd26YUCHs
Size: 125440 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable
Company: no certificate found
Created at: 2013-07-18 20:12:02
Summary: Backdoor. Malware that enables remote control of a victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
e400a23d9a8943e045b4f2cf41e1fad5.exe:556
ctfmon.exe:252
The Backdoor injects its code into the following process(es):
vbc.exe:2172
File activity
The process vbc.exe:2172 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\--((Mutex))--.dat (314 bytes)
%WinDir%\InstallDir\Win32.exe (7547 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
Registry activity
The process vbc.exe:2172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\XtremeRAT]
"Mutex" = "--((Mutex))--"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1193211789"
[HKCU\Software\--((Mutex))--]
"ServerStarted" = "20/07/2013 06:21:46"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "vbc.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{QU08WH81-OV21-30CF-8A5N-MDME1EHN0201}]
"StubPath" = "%WinDir%\InstallDir\Win32.exe restart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 98 BD 83 0B 7E FD 44 82 A2 C7 1E F3 71 0C B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Backdoor modifies IE security zone settings to map all local web nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Win32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Win32.exe"
The Backdoor deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process e400a23d9a8943e045b4f2cf41e1fad5.exe:556 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 3C 49 AE CF 50 72 0A 44 1E B2 8F AE 9B 32 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process ctfmon.exe:252 makes changes in the system registry.
The Backdoor deletes the following value(s) in the system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager):
e400a23d9a8943e045b4f2cf41e1fad5.exe:556
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\--((Mutex))--.dat (314 bytes)
%WinDir%\InstallDir\Win32.exe (7547 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Win32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Win32.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.