Gen:Heur.Conjar.9 (BitDefender), Backdoor:Win32/Cycbot.B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Cycbot.ga (v) (VIPRE), BackDoor.Gbot.2017 (DrWeb), Gen:Heur.Conjar.9 (B) (Emsisoft), BackDoor-EXI.gen.aa (McAfee), Backdoor.Trojan (Symantec), Backdoor.Win32.Agent (Ikarus), Gen:Heur.Conjar.9 (FSecure), Win32/Cryptor (AVG), Win32:Cybota [Trj] (Avast), BKDR_CYCBOT.SMEE (TrendMicro), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e5c578da5791c78ecd6f45c37e529dd7
SHA1: fe3ad2fa663270374643d531f315712f2cc67e98
SHA256: 49c58e87f94c929bae1e18251a3a3b3a8a03a0b9ed5321751791d59a904061c6
SSDeep: 6144:PkAM60 lCvF/FlI9RqclbyD6aP9Wm7mf YvOM6Eb21kPZLgnl7ziol:PRM6HQF9lI9RqybkkEm2evZ0nl7ziol
Size: 293376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-10-26 18:55:52
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1132
%original file name%.exe:1548
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
msiexec.exe:468
The Backdoor injects its code into the following process(es):
7.tmp:524
%original file name%.exe:1896
File activity
The process 7.tmp:524 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YZ6XI5Y7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AX43K14N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDAHU5IX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MTCHIDSF\desktop.ini (67 bytes)
The process %original file name%.exe:1896 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\LP\0205\7.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2656 bytes)
%Program Files%\LP\0205\C29.exe (285938 bytes)
%System%\config\software (949 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process 7.tmp:524 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 A7 EC 6C AE CA 9D 9B 36 29 4E 18 2A 08 27 49"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\WinRAR]
"HWID" = "7B 34 46 42 41 33 35 43 39 2D 33 46 41 35 2D 34"
The process %original file name%.exe:1132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 7A AF 84 F4 08 BC E1 31 FF 5E 8D 26 FB 30 B2"
The process %original file name%.exe:1896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 85 6F FA 56 F0 92 9C E0 68 99 B4 CF 13 AA DF"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\0205\C29.exe"
The process %original file name%.exe:1548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 64 A9 52 B9 F4 AB 19 FF 84 E2 EB 03 69 AC C2"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process msiexec.exe:468 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 F3 BE 5E 21 5C 6C EA 61 F4 3C 11 42 00 3C D5"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| hxxp://freedownload3.com/screenshot/4/s/89_3278.gif?sv=869&tq=gwY92w4AEqFCUxLaKTaMUXv0sa7JApuPRP1NZsBCwHLUwmVJYby5ugIDomVANrw1YLSNdYUGus6qA+xBK0VFu42WbOcvylIZos9erm/BIBbsMknqpHLWcHBUN6Y+3A/hIaAqL/LbEt1Cb+As97dWA0vkGRSWjjc3C+jXEL/8rZQV30DvO5SrhoKwN7Rd/2nCcAsPgxjMFs1Lmv5ckoy/JLZfrhd9TjpqfH | 114.207.112.26 |
| hxxp://767113.parkingcrew.net/logo.png?sv=346&tq=gL5HtzoYwLzEpUb5fU3HxcW3A/U6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU= | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://767113.parkingcrew.net/logo.png?sv=86&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC5OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= | |
| hxxp://TRANSERSDATAFORME.COM/gate.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 6) , Malicious) | |
| csc3-2009-2-crl.verisign.com | 23.61.69.163 |
| transersdataforme.com | 192.155.89.148 |
| crl.verisign.com | 23.61.69.163 |
| www.download.windowsupdate.com | 23.3.98.8 |
| csc3-2009-crl.verisign.com | 23.61.69.163 |
| ntgiqxfw8.imbirsupport.com | 62.116.143.18 |
| mqm6yuym5y.kolabatory.com | 69.43.161.176 |
| uk2ndc9r9.imbirsupport.com | 62.116.143.18 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1132
%original file name%.exe:1548
wuauclt.exe:344 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YZ6XI5Y7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AX43K14N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDAHU5IX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MTCHIDSF\desktop.ini (67 bytes)
%Program Files%\LP\0205\7.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2656 bytes)
%Program Files%\LP\0205\C29.exe (285938 bytes)
%System%\config\software (949 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\0205\C29.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.