Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), Trojan.Win32.MicroFake!IK (Emsisoft), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f85bf0be2e89fbe0806ad4f4f8c2e01c
SHA1: 014ec5ae70d5483a855d0740877eeadbfe08847d
SHA256: 89a985b717d072e8f5c869178db7bbb8d51fa781f0f8eb932e48edf53957aa80
SSDeep: 1536:OmL6BS7LL1BZ o9yHSmoZ5obCdcoLMomnI6c477NpYDe Hu07Xb:OFBon1BZJyHSsbONLMRnI6ckNpoX/
Size: 95744 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The DDoS creates the following process(es):
regsvr32.exe:240
hrl1.tmp:568
The DDoS injects its code into the following process(es):No processes have been created.
File activity
The process regsvr32.exe:240 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (88 bytes)
The process hrl1.tmp:568 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%System%\uuccug.exe (601 bytes)
Registry activity
The process regsvr32.exe:240 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 87 8B 17 A0 06 48 09 9A C0 CF 97 F0 45 EC D8"
The process hrl1.tmp:568 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 F6 13 B0 B2 87 C2 62 58 3E 93 49 2F 4C 76 73"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | ZieF.pl |
Rootkit activity
The DDoS installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:240
hrl1.tmp:568 - Delete the original DDoS file.
- Delete or disinfect the following files created/modified by the DDoS:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (88 bytes)
%System%\uuccug.exe (601 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.