Trojan.Rincux.AW (BitDefender), DDoS:Win32/Nitol.A (Microsoft), Trojan.Win32.MicroFake.pgu (Kaspersky), Trojan.Win32.Nitol.b (v) (VIPRE), Trojan.Inject1.247 (DrWeb), Trojan.Rincux.AW (B) (Emsisoft), Artemis!F7A09F3251B0 (McAfee), Trojan.Win32.MicroFake (Ikarus), Trojan.Rincux.AW (FSecure), Downloader.Generic12.VDR (AVG), Win32:Malware-gen (Avast), PE_VIRUX.R (TrendMicro), DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f7a09f3251b01fe135667af3b73bdc52
SHA1: bb103f63f1c8ad480899c1a422d0e5370a686565
SHA256: ad28f76bd242f11229ff79562e44f92f5b4a4d03220166c8ca22f2676c600f78
SSDeep: 3072:fl0M2hwxyHdlDap78fw/Fh4jsCsm8N3vtWqucSvO/msxfaTMLGQ3Y:flt4wxyHdlmhOwth4A3IcSvOHp3Y
Size: 155648 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-18 17:52:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:596
hrl1.tmp:1536
The Trojan injects its code into the following process(es):No processes have been created.
File activity
The process regsvr32.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (147 bytes)
The process hrl1.tmp:1536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\qusoue.exe (673 bytes)
Registry activity
The process regsvr32.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 69 5E 6A 35 BE FF 95 A3 51 14 33 BA 53 0C 80"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:596
hrl1.tmp:1536 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (147 bytes)
%System%\qusoue.exe (673 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.