HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.StartPage.rh (v) (VIPRE), Backdoor.Win32.DarkMoon!IK (Emsisoft), Trojan.Win32.Hideproc.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1700d105969064379ec05fe8b20b0b5d
SHA1: a9fa911167989f91513a2950df8fc06573762ec5
SHA256: cc3f024370f127917974c017fbde032f423e77cd101ca5d32b1438b7c6cac3d3
SSDeep: 1536:4QeKcnrJXSWLv5z2 KWa4z0SYFfv82Zl5jsrQBg4:4QHcnrJXSUBz2 KWam0S /srH4
Size: 83890 bytes
File type: broken
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPX CompresorGratuito www.upx.sourceforge.net, UPolyXv05_v6 (a UPX packer signature, which contradicts the "Not Packed" entropy verdict on the line above; the two heuristics disagree, so the packing status of this sample is unconfirmed)
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the constant link-time stamp, 1992-06-19 22:22:17 UTC, that Delphi-built executables carry, displayed here in a UTC+3 time zone; it is not the real build date)
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3808
The Trojan injects its code into the following process(es):
smss.exe:2960
The report does not give the image path of PID 2960. The genuine Session Manager (C:\Windows\System32\smss.exe) is a protected system process started long before any user-launched binary, so the "smss.exe" that goes on to write to D: below is most plausibly the copy dropped at C:\Windows\System32\sstiqdrcem\smss.exe rather than the real one; confirm by image path before treating this as injection into a system process.
File activity
The process %original file name%.exe:3808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\sstiqdrcem\smss.exe (601 bytes)
C:\Windows\System32\ulrghrhgaj\explorer.exe (687 bytes)
Both files borrow the names of Windows system binaries but sit in randomly named subfolders of System32; the genuine smss.exe lives at C:\Windows\System32\smss.exe and the genuine explorer.exe at C:\Windows\explorer.exe, so the directory alone identifies these as foreign.
The process smss.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
D:\{高清视频}.exe (601 bytes) (the name means "HD video" in Chinese; the report's original rendering "{¸ßÇåÊÓÆµ}" is the same GBK bytes mis-decoded as Latin-1)
D:\$RECYCLE.BIN.exe (601 bytes)
D:\plugins.exe (601 bytes)
The three names are chosen to pass for a video file, the drive's Recycle Bin folder and a plugins folder when the drive is browsed in Explorer with file extensions hidden.
Registry activity
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Two caveats to this generic description for this run: the file activity above records three executable copies on D: but no autorun.inf write, and Windows 7 (the analysis platform) does not execute autorun.inf from USB mass-storage devices at all (only from optical media), so on that platform the spread depends on a user launching one of the lure executables by hand.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate the malicious process(es) with Task Manager (How to End a Process With the Task Manager):
%original file name%.exe:3808
The PID is from the sandbox run and will differ on any other host; identify the process by its image path instead, and also end any smss.exe or explorer.exe running from the two System32 subfolders listed under File activity.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\sstiqdrcem\smss.exe (601 bytes)
C:\Windows\System32\ulrghrhgaj\explorer.exe (687 bytes)
D:\{高清视频}.exe (601 bytes) (shown in the original report as {¸ßÇåÊÓÆµ}, a GBK mis-decoding)
D:\$RECYCLE.BIN.exe (601 bytes)
D:\plugins.exe (601 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
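The manual removal steps above, and the autorun.inf mechanism described under Propagation, can be checked on a live host with the following triage script. It is an added example written for this page, not part of the Lavasoft report. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash and Get-CimInstance), that the sandbox's D: stands for whatever removable volumes the host actually has, and that the dropped paths and lure names are exactly those listed in this report; the hashes are the analysed sample's, and since the 601/687-byte copies reported above are much smaller than the 83890-byte sample they may not hash-match, so the script also flags by path, by name and by folder impersonation. It only reports; nothing is terminated or deleted.

```powershell
# Added triage script for the indicators in this report (example code, not part of
# the Lavasoft analysis). Run in an elevated PowerShell 4.0+ session. Report only.

# Hashes of the analysed sample (from the Summary above).
$KnownHashes = @{
    MD5    = '1700d105969064379ec05fe8b20b0b5d'
    SHA1   = 'a9fa911167989f91513a2950df8fc06573762ec5'
    SHA256 = 'cc3f024370f127917974c017fbde032f423e77cd101ca5d32b1438b7c6cac3d3'
}
# Dropped copies from File activity. The genuine binaries live at
# %SystemRoot%\System32\smss.exe and %SystemRoot%\explorer.exe, never in a
# random subfolder of System32, so a hit here is malicious regardless of hash.
$DroppedPaths = @(
    "$env:SystemRoot\System32\sstiqdrcem\smss.exe",
    "$env:SystemRoot\System32\ulrghrhgaj\explorer.exe"
)
# Lure names written to the removable drive; '{高清视频}' is "HD video" in Chinese.
$LureNames = @('{高清视频}.exe', '$RECYCLE.BIN.exe', 'plugins.exe')

function Test-KnownHash {
    # True if the file matches any of the sample's hashes.
    param([string]$Path)
    foreach ($algo in $KnownHashes.Keys) {
        $h = (Get-FileHash -LiteralPath $Path -Algorithm $algo -ErrorAction SilentlyContinue).Hash
        if ($h -and ($h -ieq $KnownHashes[$algo])) { return $true }
    }
    return $false
}

function Get-AutorunTargets {
    # Commands an autorun.inf would run: open= / shellexecute= under [autorun]
    # and any shell\<verb>\command= line (the verbs Explorer shows in the context menu).
    # icon= and label= entries are cosmetic and deliberately ignored.
    param([string]$Path)
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    return $targets
}

# 1. Dropped binaries under System32.
foreach ($p in $DroppedPaths) {
    if (Test-Path -LiteralPath $p) {
        Write-Output ('DROPPED  {0}  sample-hash-match={1}' -f $p, (Test-KnownHash $p))
    }
}

# 2. Impostor processes: smss.exe / explorer.exe not running from the canonical path.
#    ExecutablePath is empty for protected processes when not elevated; those are skipped.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'smss.exe' OR Name = 'explorer.exe'" |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -notmatch '^[A-Za-z]:\\Windows\\(System32\\smss|explorer)\.exe$') } |
    ForEach-Object { Write-Output ('PROCESS  pid={0}  {1}' -f $_.ProcessId, $_.ExecutablePath) }

# 3. Removable drives (Win32_LogicalDisk DriveType 2): autorun.inf and lure executables.
foreach ($disk in (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $root = $disk.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Output ('AUTORUN  {0}  launches: {1}' -f $inf, ((Get-AutorunTargets $inf) -join '; '))
    }
    # -Force includes hidden/system files, the attributes autorun worms usually set on their copies.
    Get-ChildItem -LiteralPath $root -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $byName   = $LureNames -contains $_.Name
            # An .exe whose base name equals a sibling folder impersonates that folder.
            $byFolder = Test-Path -LiteralPath (Join-Path $root $_.BaseName) -PathType Container
            if ($byName -or $byFolder -or (Test-KnownHash $_.FullName)) {
                Write-Output ('LURE     {0}  size={1}' -f $_.FullName, $_.Length)
            }
        }
}
```

Each line of output starts with a fixed tag (DROPPED, PROCESS, AUTORUN, LURE) so it can be grepped or fed to a ticket; the AUTORUN line lists what the script would have launched, which is the quickest way to see whether an autorun.inf on the drive points at one of the lure executables. The folder-impersonation check is intentionally generic: it catches a `Photos.exe` next to a `Photos` folder just as well as the three names this report records.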