Gen:Variant.Kazy.108760 (BitDefender), TrojanDropper:Win32/Finkmilt.C (Microsoft), Trojan-Banker.Win32.Qhost.abjk (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.MulDrop4.11405 (DrWeb), Gen:Variant.Kazy.108760 (B) (Emsisoft), Artemis!36714A9304AD (McAfee), Trojan.Gen (Symantec), Trojan-Dropper.Win32.Finkmilt (Ikarus), Gen:Variant.Kazy.108760 (FSecure), Dropper.Generic7.EWA (AVG), Win32:Kryptik-KPI [Trj] (Avast), Gen:Variant.Kazy.108760 (AdAware)
Behaviour: Trojan-Dropper, Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 36714a9304adb032fa7e801d6c7a532c
SHA1: a96f40508893e35e9ec6d5ff84d054d4225e0462
SHA256: 77d7bd60d394d9fe4aee5f51db5454a71a4a26bec8c19aea6866b9e394f4c7a4
SSDeep: 1536:MEBBCTBZ7CENctLUUTuD61XYL0jgWFFyEZSHAdj4PCMSFZu18rOvZEuUR ry4X:jBBeBZeUctLU/D61ILsfZ2PwZuluuqpQ
Size: 93696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2006-06-21 03:19:11
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware onto the user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:344
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Zfbng77.bat (142 bytes)
%System%\drivers\etc\host7 (491 bytes)
%WinDir%\xored.sys (28544 bytes)
Registry activity
The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 1E 1C DF 16 A1 CC B0 25 11 0C D0 CE 6A 97 0F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Общие документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"Zfbng77.bat" = "Zfbng77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local hosts with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
NtCreateFile
NtQueryDirectoryFile
NtOpenFile
NtQuerySystemInformation
ZwEnumerateKey
ZwEnumerateValueKey
ZwQueryKey
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:344
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Zfbng77.bat (142 bytes)
%System%\drivers\etc\host7 (491 bytes)
%WinDir%\xored.sys (28544 bytes)
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 73704 | 73728 | 4.22763 | 6efa5baf7a23fea6cef8cd9010fb4de6 |
.rdata | 77824 | 14512 | 14848 | 3.49976 | 86d5727b4ef05549bb155338300b9d52 |
.data | 94208 | 6688 | 3584 | 1.95805 | f06a6e9beb0149108709d7f38aae9fb3 |
.rsrc | 102400 | 436 | 512 | 3.10818 | 6e2e78791ebef31e32034e406ecc829b |
Network Activity
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker: