Detections: Trojan.Win32.Scarsi.uhm (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 52d3b26a03495d02414e621ee4d0c04e
SHA1: b3f8fbf715ab4ce38557b27246de15e32682d1ab
SHA256: e6adbb4cd6bd23ed1e3d65c896c463850674439b4a771ee8924013c877a03665
SSDeep: 24576:yhQ31kHu2EnDNpSkGXaUWrPoIUihhON06Fo6Z/B5fqt:yKAu/pSsjoIFRL6ZGt
Size: 1245328 bytes
File type: broken
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-27 18:59:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
iqga.exe:2388
iqga.exe:1764
%original file name%.exe:860
%original file name%.exe:3180
The Backdoor injects its code into the following process(es):
ctfmon.exe:1240
File activity
The process %original file name%.exe:3180 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3191bac0.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Itqeok\iqga.exe (2293904 bytes)
Registry activity
The process iqga.exe:2388 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A E2 0E 32 D3 D3 6D B0 D9 C5 F5 D2 A5 85 01 AF"
The process iqga.exe:1764 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 39 8E D6 4C 18 14 D7 26 08 FC D5 24 37 9C 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:860 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 CB 36 72 89 92 98 84 F1 1D A0 08 6F F1 3E 2D"
The process %original file name%.exe:3180 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 9E 8C AD 0E 31 01 30 B6 15 F2 23 22 93 F7 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process ctfmon.exe:1240 makes changes in the system registry.
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| checkip.dyndns.org | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
iqga.exe:2388
iqga.exe:1764
%original file name%.exe:860
%original file name%.exe:3180
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3191bac0.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Itqeok\iqga.exe (2293904 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.