Trojan:Win32/Malex.gen!J (Microsoft), Trojan.Win32.Fsysna.fej (Kaspersky), Artemis!21F8B9D9A6FA (McAfee), Win32/DH{IANhDx4kIiUtexM} (AVG), Trojan-Downloader.Win32.Torcohost.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 21f8b9d9a6fa3a0cd3a3f0644636bf09
SHA1: 0392f25130ce88fdee482b771e38a3eaae90f3e2
SHA256: 31d4e1b2e67706fda51633b450b280554c0c4eb595b3a0606ef4ab8421a04dc9
SSDeep: 98304:/9 taUtxVN7lLB9KpK5V Ahe9skiVNiQ/RkrEdElxYheKpUw1bVc:ItaU7lLB9KpK58oe9skUNiQKrEdkYIKW
Size: 5224645 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Downloader creates the following process(es):
spoolsv.exe:2000
%original file name%.exe:208
The Trojan-Downloader injects its code into the following process(es):
No processes have been created.
File activity
The process spoolsv.exe:2000 makes changes in the file system.
The Trojan-Downloader deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:208 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Startup\spoolsv.exe (5224645 bytes)
Registry activity
The process spoolsv.exe:2000 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B8 3B 3E C2 8B 9D DD 27 AC 31 97 79 2E 3F 70"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The process %original file name%.exe:208 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB DE B4 B9 4D EE FC BF 12 E2 E3 7D 16 D8 24 F3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
Network activity (URLs)
URL | IP |
---|---|
hxxp://ekiga.net/ip/ | 86.64.162.35 |
hxxp://5ji235jysrvwfgmb.onion/sendlog.php | Tor |
hxxp://5ji235jysrvwfgmb.onion/recvdata.php | Tor |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:208
- Delete the original Trojan-Downloader file.
- Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Documents and Settings%\All Users\Start Menu\Programs\Startup\spoolsv.exe (5224645 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).