Gen:Heur.MSIL.Krypt.85 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.KeyLogger.19357 (DrWeb), Gen:Heur.MSIL.Krypt.85 (B) (Emsisoft), Artemis!5B7ECD2A9453 (McAfee), WS.Reputation.1 (Symantec), Trojan.Inject (Ikarus), Gen:Heur.MSIL.Krypt.85 (FSecure), Inject.ALDM (AVG), MSIL:Injector-FT [Trj] (Avast), TROJ_SCAR.BMC (TrendMicro), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5b7ecd2a9453d7f7879f503d67b7259e
SHA1: f7a5fd1c4c10add76d55d303d5f3a8f5db5fca9d
SHA256: 43f66cb67cd399910f2b286c698cf19e50eea2f05218500bbf941a74d6e41b35
SSDeep: 12288:fGheVNXGxuXEngmvMPvzhHmZB8rr604KiPUwCEesSjRPckKUpWFBct0i7P9fZ:ceDXCuXEgmvM3V6B8rrPeswCPsSj2kKC
Size: 687104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-07 10:04:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):No processes have been created.The Backdoor injects its code into the following process(es):
vbc.exe:2004
%original file name%.exe:1268
File activity
The process vbc.exe:2004 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe (7547 bytes)
Registry activity
The process vbc.exe:2004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 EE 03 82 00 5E CF 54 A8 F0 92 41 4C 56 44 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe"
The Backdoor adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe"
The process %original file name%.exe:1268 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A AA 1D 7B 78 8E D8 51 CE 48 C3 A5 90 44 D1 4C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe (7547 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe" - Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\MSDCSC\msdcsc.exe" - Reboot the computer.