Backdoor.Hupigon.AAAH (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Packer.KBySV0.28 (ep) (VIPRE), Tool.Siggen.8267 (DrWeb), Backdoor.Hupigon.AAAH (B) (Emsisoft), Generic Malware.gv (McAfee), Backdoor.Trojan (Symantec), Virus.Win32.Delf (Ikarus), Backdoor.Hupigon.AAAH (FSecure), Win32/Delf.2.K (AVG), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dc4a096481a5d274fec42ee017c61da7
SHA1: 4c2b2549337a11229e7d3f1ba049ff888f58032b
SHA256: 567a5a3772e28dfc6fa9aedcf0c9478b29d90876c75ab216e768af20b26af5cf
SSDeep: 49152:rE4KBZoJ2fQn0qgw91H8OoLAdzc/eK K5:rE4KBZ7I0qg41H8OkAdzcmn
Size: 2025472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-05 14:23:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1044
File activity
The process %original file name%.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\SkinH_EL.dll (88 bytes)
%System%\drivers\etc\hosts (368 bytes)
Registry activity
The process %original file name%.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 08 15 FD C3 32 2B 55 F6 9C D8 A9 31 00 76 C4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 368 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.qqtz.com |
| 127.0.0.1 | www.tt336.com |
| 127.0.0.1 | www.dnfrufeng.com |
| 127.0.0.1 | www.xyhai.com |
| 127.0.0.1 | xyhai.com |
| 127.0.0.1 | WWW.DNFXM2012.COM |
| 127.0.0.1 | www.25zm.com |
| 127.0.0.1 | www.dnflangqun.com |
| 127.0.0.1 | a158421294.9000hk.info |
| 127.0.0.1 | nxyq.cccpan.com |
| 127.0.0.1 | wg68.cccpan.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\SkinH_EL.dll (88 bytes)
%System%\drivers\etc\hosts (368 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.