Trojan.Generic.8702975 (BitDefender), Trojan-Dropper.MSIL.Agent.aipp (Kaspersky), BackDoor.Tordev.8 (DrWeb), Trojan.Generic.8702975 (B) (Emsisoft), Win32.SuspectCrc (Ikarus), Agent3.BXLA (AVG), AutoIt:MalOb-EQ [Trj] (Avast), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Banker, Trojan, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6cf06dae542efc5b1ddd8f6cb5841db8
SHA1: f4fcc400d88cdc57029d115355b36e010f38e8df
SHA256: 58c2727a4dac7ff8a215c988769de6f13831d1b648128f0fc7c247648e8cb82b
SSDeep: 24576:9thEVaPqLWn8/vj5Vb4PBZWtm66rm0/ h8u:lEVUcWn8XFV54669GO
Size: 1096192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: AtSync.com
Created at: 2012-08-06 18:43:22
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-Banker's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan-Banker creates the following process(es):
windowshos.exe:876
windowshos.exe:1756
000881EA.exe:1744
DW20.EXE:972
The Trojan-Banker injects its code into the following process(es):
Hotdog XL.exe:1944
service.exe:1344
%original file name%.exe:1772
Pin.exe:1796
File activity
The process windowshos.exe:876 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\lsass.exe (1773 bytes)
The process windowshos.exe:1756 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ogrej.orh (601 bytes)
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
The process 000881EA.exe:1744 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\service.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (1441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ogrej.orh (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (2 bytes)
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
The process service.exe:1344 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Pin.exe (27 bytes)
%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (4 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (41 bytes)
The process %original file name%.exe:1772 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\windowshos.exe (1773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hotdog XL.exe (1862 bytes)
The process DW20.EXE:972 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9B2D9.dmp (597329 bytes)
Registry activity
The process windowshos.exe:876 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
The process windowshos.exe:1756 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 D3 18 27 79 94 4B 07 3E 91 82 9B B1 02 6D 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan-Banker adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"windowshos.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\windowshos.exe"
The process Hotdog XL.exe:1944 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 55 BD 35 AA 6F 0D 19 CC 70 F3 65 9F A4 82 AB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 000881EA.exe:1744 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 68 71 CB 04 0D 76 95 06 AE F5 1A 21 26 2D A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan-Banker adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"000881EA.exe" = "%Documents and Settings%\%current user%\Application Data\000881EA.exe"
The process service.exe:1344 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 42 E3 88 18 84 D6 78 5B EF 68 37 2E 81 5F 99"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Pin.exe" = "Microsoft Security Essentials"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Banker modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan-Banker adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"
The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 50 B2 86 4C 21 36 CA A9 D0 C3 1D 98 8F 24 E2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"windowshos.exe" = "windowshos"
"Hotdog XL.exe" = "XL by Nurun Irsandi"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-Banker modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process Pin.exe:1796 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 92 54 4B 52 B6 4D DC C5 C2 62 D2 41 0C BB BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process DW20.EXE:972 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 B1 35 BE 42 12 EA C3 92 DA BE B7 59 F7 3D 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Banker deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://espressomachinesreviewsshop.com/solarbot/ | 49.128.177.79 |
| hxxp://espressomachinesreviewsshop.com/vv/FlashPlayerhost.exe (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://espressomachinesreviewsshop.com/solarbot/ComputerInfo.bin (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://espressomachinesreviewsshop.com/solarbot/WalletSteal.bin (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://pastebin.com/raw.php?i=1qEs747L | 190.93.250.20 |
| hxxp://pastebin.com/1qEs747L | |
| mail.espressomachinesreviewsshop.com | 49.128.177.79 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-Banker's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
windowshos.exe:876
windowshos.exe:1756
000881EA.exe:1744
DW20.EXE:972 - Delete the original Trojan-Banker file.
- Delete or disinfect the following files created/modified by the Trojan-Banker:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\lsass.exe (1773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ogrej.orh (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\service.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (1441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Pin.exe (27 bytes)
%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (4 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windowshos.exe (1773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hotdog XL.exe (1862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9B2D9.dmp (597329 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"windowshos.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\windowshos.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"000881EA.exe" = "%Documents and Settings%\%current user%\Application Data\000881EA.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.