Trojan.Win32.Qhost.nzs (Kaspersky), Trojan.Generic.5047574 (B) (Emsisoft), Trojan.Generic.5047574 (AdAware), GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a7ff6704656e3a5616ae0dc69f41b0c1
SHA1: bdd5ce779accfd8c11ef681d93f08fa660ac2016
SHA256: 87bcb00d23f5f54e4c8ae827bcf66d364bb9af379dccb94386a1e11b92d6c074
SSDeep: 768:ojNsRrb81IQuzRGnbPQ84R4z5Sjbi05F8adxBwcgy2if4XTc:oia1I/Rmouzp0Aadwfo
Size: 40960 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Premium Installer
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1480
%original file name%.exe:588
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818\jusched.exe (40 bytes)
Registry activity
The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 7B DB 83 84 09 D1 AA E1 AB 6B E4 BF B3 B8 4A"
The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 24 DF 02 A6 1F D7 83 2A 76 A3 6A FA D7 50 1E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818]
"jusched.exe" = "u49J61G23x84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818]
"jusched.exe" = "%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818\jusched.exe:*:Enabled:Java Update Manager"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update Manager" = "%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818\jusched.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1480
%original file name%.exe:588
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818\jusched.exe (40 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update Manager" = "%Documents and Settings%\%current user%\Application Data\HEX-5823-6893-6818\jusched.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: wkb62b77
Product Name: M8oFM10iV
Product Version: 28.84.0059
Legal Copyright: ByYTw47v90Yv
Legal Trademarks: UhY56b60
Original Filename: w43d57.exe
Internal Name: w43d57
File Version: 28.84.0059
File Description: u49J61G23x84
Comments: a36U81S84
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 49152 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 53248 | 36864 | 35840 | 5.45692 | 1ed6f16f233145528fc8adb2ee984713 |
.rsrc | 90112 | 200704 | 4096 | 3.01371 | 74bdd543c558a6898ec8cae7ceaf52d3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
msnsolution.nicaze.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic