Skip to main content

Backdoor.Win32.Farfli_a61c1e2f7d


Win32.Ramnit.N (BitDefender), Virus:Win32/Ramnit.AE (Microsoft), Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Win32.Rmnet.8 (DrWeb), Win32.Ramnit.N (B) (Emsisoft), W32/Ramnit.b (McAfee), W32.Ramnit.B!inf (Symantec), Virus.Win32.Zbot (Ikarus), Win32.Ramnit.N (FSecure), Win32/Zbot.G (AVG), Win32:Ramnit-inf (Avast), PE_RAMNIT.KC (TrendMicro), Backdoor.Win32.Farfli.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Virus

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a61c1e2f7d8e12f860cc81f7e1f02b24

SHA1: 01db0f6f821bdac7f440f0fed29588d73ef70c97

SHA256: 3a3442c8b37d63a648c85ee70ad27107701e5cf842b3682548556188a6288530

SSDeep: 3072:jox34lgaah0gQYujo9ia8wDekuc0Sa2UoA8wklJ1bH5yj:jm38gaQJgjha8w3BAdkbB5Y

Size: 129506 bytes

File type: DLL

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: LLC Pentagon

Created at: 2008-10-11 00:48:33

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regsvr32mgr.exe:2728
regsvr32.exe:2632
ajvmmkjkbtsibwto.exe:3016

The Backdoor injects its code into the following process(es):

ctfmon.exe:252

File activity

The process regsvr32mgr.exe:2728 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)

The process regsvr32.exe:2632 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%System%\regsvr32mgr.exe (116 bytes)

The process ajvmmkjkbtsibwto.exe:3016 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (0 bytes)

Registry activity

The process ctfmon.exe:252 makes changes in the system registry.


The Backdoor deletes the following value(s) in system registry:


The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process regsvr32mgr.exe:2728 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 37 2A 77 31 C3 1F 75 5A 6D A2 63 A4 D4 6A 74"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ajvmmkjkbtsibwto.exe" = "ajvmmkjkbtsibwto"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process regsvr32.exe:2632 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 65 13 CC 41 3C B7 52 B3 59 51 0C 84 0D 00 10"

The process ajvmmkjkbtsibwto.exe:3016 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 98 77 4F F2 DF E7 80 FB 3A EE 1D 7A 9B 4B C4"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following kernel-mode hooks:

ZwCreateKey
ZwOpenKey

The Backdoor installs the following user-mode hooks in USER32.dll:

TranslateMessage

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto

The Backdoor installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32mgr.exe:2728
    regsvr32.exe:2632
    ajvmmkjkbtsibwto.exe:3016

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
    %System%\regsvr32mgr.exe (116 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps