Trojan.GenericKDZ.13200_a6d3d363eb

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

winlog.exe:1580
winlog.exe:936
winlog.exe:1576
%original file name%.exe:1684

The Trojan injects its code into the following process(es):

winlog.exe:496

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process winlog.exe:496 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (0 bytes)

The process %original file name%.exe:1684 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (5441 bytes)

Registry activity

The process winlog.exe:496 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 5C 6E FA B8 BB DB 0E 1B 96 44 C5 AF 0A F1 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlog.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe"

The process %original file name%.exe:1684 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B8 F2 05 99 6A 66 51 2B 02 00 36 C6 1E E3 A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"winlog.exe" = "Opera Internet Browser"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   winlog.exe:1580
   winlog.exe:936
   winlog.exe:1576
   %original file name%.exe:1684
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (5441 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "winlog.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Opera Software
Product Name: Opera Internet Browser
Product Version: 12.14
Legal Copyright: Copyright (c) Opera Software 1995-2012
Legal Trademarks:
Original Filename: Opera.exe
Internal Name: Opera
File Version: 1738
File Description: Opera Internet Browser
Comments:
Language: English (United States)

Company Name: Opera SoftwareProduct Name: Opera Internet BrowserProduct Version: 12.14Legal Copyright: Copyright (c) Opera Software 1995-2012Legal Trademarks: Original Filename: Opera.exeInternal Name: OperaFile Version: 1738File Description: Opera Internet BrowserComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	62052	62464	4.54124	036599d50e758e2b3b4585f1083c7917
.rdata	69632	7518	7680	3.83355	e3d268f90d2a4f97cbbacd86fcecddf4
.data	77824	13180	10240	2.14862	c3b443ece25fb59d5f9b51f23848f3ee
.rsrc	94208	660468	660480	5.33524	8fa7e0950a06ebd70de1577886a21e22

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

winlog.exe_496:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

u%CNu

u%CNu

TSocketPort

TSocketPort

TUdpSocket

TUdpSocket

TUdpSocketd

TUdpSocketd

LocalPort4

LocalPort4

RemotePort0

RemotePort0

%d.%d.%d.%d

%d.%d.%d.%d

0.0.0.0

0.0.0.0

PSAPI.dll

PSAPI.dll

Windows

Windows

Urlmon.dll

Urlmon.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

:\autorun.inf

:\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

icon=%SystemRoot%\system32\SHELL32.dll,4

\Mozilla Firefox\

\Mozilla Firefox\

nss3.dll

nss3.dll

mozcrt19.dll

mozcrt19.dll

sqlite3.dll

sqlite3.dll

nspr4.dll

nspr4.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nssutil3.dll

nssutil3.dll

softokn3.dll

softokn3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

userenv.dll

userenv.dll

\Mozilla\Firefox\

\Mozilla\Firefox\

profiles.ini

profiles.ini

\signons3.txt

\signons3.txt

MSGBOX

MSGBOX

Firefox

Firefox

windows

windows

Windows|

Windows|

WebDL

WebDL

URLDownloadToFileA

URLDownloadToFileA

StUDP|

StUDP|

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

GetCPInfo

GetCPInfo

version.dll

version.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

EnumWindows

EnumWindows

wsock32.dll

wsock32.dll

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

SHFolder.dll

SHFolder.dll

1#101[1`1

1#101[1`1

KWindows

KWindows

UrlMon

UrlMon

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s$''%s'' is not a valid component name

Cannot open file "%s". %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to set data for '%s'

Failed to set data for '%s'

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

Class %s not found

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

winlog.exe_496_rwx_11490000_0002A000:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

u%CNu

u%CNu

TSocketPort

TSocketPort

TUdpSocket

TUdpSocket

TUdpSocketd

TUdpSocketd

LocalPort4

LocalPort4

RemotePort0

RemotePort0

%d.%d.%d.%d

%d.%d.%d.%d

0.0.0.0

0.0.0.0

PSAPI.dll

PSAPI.dll

Windows

Windows

Urlmon.dll

Urlmon.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

:\autorun.inf

:\autorun.inf

icon=%SystemRoot%\system32\SHELL32.dll,4

icon=%SystemRoot%\system32\SHELL32.dll,4

\Mozilla Firefox\

\Mozilla Firefox\

nss3.dll

nss3.dll

mozcrt19.dll

mozcrt19.dll

sqlite3.dll

sqlite3.dll

nspr4.dll

nspr4.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nssutil3.dll

nssutil3.dll

softokn3.dll

softokn3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

userenv.dll

userenv.dll

\Mozilla\Firefox\

\Mozilla\Firefox\

profiles.ini

profiles.ini

\signons3.txt

\signons3.txt

MSGBOX

MSGBOX

Firefox

Firefox

windows

windows

Windows|

Windows|

WebDL

WebDL

URLDownloadToFileA

URLDownloadToFileA

StUDP|

StUDP|

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

GetCPInfo

GetCPInfo

version.dll

version.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

EnumWindows

EnumWindows

wsock32.dll

wsock32.dll

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

SHFolder.dll

SHFolder.dll

1#101[1`1

1#101[1`1

KWindows

KWindows

UrlMon

UrlMon

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s$''%s'' is not a valid component name

Cannot open file "%s". %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to set data for '%s'

Failed to set data for '%s'

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

Class %s not found

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation