Gen:Variant.Strictor.32657 (BitDefender), VirTool:Win32/Obfuscator.XZ (Microsoft), HEUR:Trojan.Win32.StartPage (Kaspersky), Gen:Variant.Strictor.32657 (B) (Emsisoft), Artemis!3D4F193D9E6E (McAfee), Win32.SuspectCrc (Ikarus), Trojan:W32/DelfInject.R (FSecure), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 3d4f193d9e6e54c4a22523f29720d1ef
SHA1: c69f399949490e5bf12b17ff00aa24d9da82c673
SHA256: 3858e97dde7873da187ca37f74668fd8a14dc3c4c169d18123318bec2129a059
SSDeep: 24576:mjmEXt8ZQZLiJtJbbOF7xokTZaqdiXSp0c02uFG6dAk3CMtwfPMKNcCWdg7:mK ZYiRTZaqdwk0c05HGiw1/J7
Size: 2068480 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-30 18:04:48
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es): No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:860
(This is the sample's own process; no child processes were spawned, and the PID 860 is specific to this analysis run.)
File activity
The process %original file name%.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\360natmon.sys (134656 bytes)
C:\SkinH_EL.dll (88576 bytes)
The Trojan deletes the following file(s):
%System%\360natmon.sys (0 bytes)
The driver file written above is removed again before the run ends, so it may not be on disk during a post-infection scan; look for it through the kernel-mode hooks listed under Rootkit activity rather than by file presence alone.
Registry activity
The process %original file name%.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry (the RNG "Seed" and DrawDib values below are written by standard Windows components, CryptoAPI and the Video for Windows DrawDib profile cache, and are not indicators of this sample; the two "Start Page" values are the browser homepage hijack that gives the sample its Kaspersky name):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 7E A9 5E 22 48 F1 D0 82 5E 17 E3 D4 6D E6 B7"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "www.2345.com/?k744606640"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.2345.com/?k744606640"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks (these are the native calls used to enumerate processes and other system objects and to read or write another process's memory; hooking them is the usual way to hide a process from enumeration tools and to block inspection or patching of its memory, and a kernel-hook check by an anti-rootkit tool should list them):
ZwQuerySystemInformation
ZwReadVirtualMemory
ZwWriteVirtualMemory
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool (remove the kernel-mode hooks listed above before touching the files).
- Terminate the malicious process(es) (How to End a Process With the Task Manager): no separate processes were created, so terminate the running copy of the original Trojan file (%original file name%.exe, PID 860 in the analysis run).
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan (the driver file may already have been deleted by the Trojan itself; see File activity):
%System%\360natmon.sys (134656 bytes)
C:\SkinH_EL.dll (88576 bytes)
- Restore the Internet Explorer "Start Page" values under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main and HKCU\Software\Microsoft\Internet Explorer\Main, which the Trojan set to www.2345.com/?k744606640.
- Reboot the computer.