Trojan.Microfake.D (BitDefender), DDoS:Win32/Nitol.A (Microsoft), Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), DDoS.Rincux.316 (DrWeb), Trojan.Microfake.D (B) (Emsisoft), Trojan-FCKC!1BB2A09457D7 (McAfee), Backdoor.Trojan (Symantec), Trojan.Win32.MicroFake (Ikarus), Generic21.ANLJ (AVG), Win32:Malware-gen (Avast), PE_VIRUX.R-2 (TrendMicro), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1bb2a09457d7acb98710b397fef16626
SHA1: 5407457a65aa36d07fdf24ac20c4dcc8fd59696f
SHA256: bc606a15702c803a45790b5c0c176e1417be50721f1b85aaca9398947c1958ee
SSDeep: 1536:0m/iI2tZ7XDBZzn6yH1mgkGuMgYehHFgFj1RmjR:0MHsZHBZuyH196hpupG
Size: 75776 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The DDoS creates the following process(es):
regsvr32.exe:2664
hrl1.tmp:2772
The DDoS injects its code into the following process(es):No processes have been created.
File activity
The process regsvr32.exe:2664 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (68 bytes)
The process hrl1.tmp:2772 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%System%\vmjfic.exe (601 bytes)
Registry activity
The process regsvr32.exe:2664 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D A9 EF 60 A7 A6 CC EB A7 47 37 86 CB 2F D9 18"
The process hrl1.tmp:2772 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 6A 71 A1 F7 EF F8 E4 7D 1D 95 5A E6 1F 7D 14"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The DDoS installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
ZwDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:2664
hrl1.tmp:2772 - Delete the original DDoS file.
- Delete or disinfect the following files created/modified by the DDoS:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (68 bytes)
%System%\vmjfic.exe (601 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.