Gen:Heur.Conjar.9 (BitDefender), Backdoor:Win32/Cycbot.B (Microsoft), Trojan.Win32.FraudPack.czuc (Kaspersky), Backdoor.Win32.Cycbot.ga (v) (VIPRE), Gen:Heur.Conjar.9 (B) (Emsisoft), BackDoor-EXI.gen.aa (McAfee), Backdoor.Cycbot!gen10 (Symantec), Backdoor.Win32.Agent (Ikarus), Gen:Heur.Conjar.9 (FSecure), Win32/Cryptor (AVG), Win32:Cybota [Trj] (Avast), TROJ_GEN.F0C2C00KO13 (TrendMicro), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 47ff1262657adaf99a31591645d21f15
SHA1: 08d12e1698c35730df48e2c64d513d3241240ed8
SHA256: 3cf3a5469cd24ef9df28410b2a3b25f564113192a807570606c8061b3f580f0f
SSDeep: 6144:oJCCr1ot9u83CKEuOwNEajLsSI4vSdEJ4BqRun1nMalzBNliSyjfWg:ob16T1OtsLsSIr3m6NVkD
Size: 291328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: QuickSet
Created at: 2005-11-13 02:14:57
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
%original file name%.exe:1260
%original file name%.exe:1604
jusched.exe:1056
msiexec.exe:432
The Backdoor injects its code into the following process(es):
7.tmp:552
%original file name%.exe:1936
File activity
The process 7.tmp:552 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S2HINDGD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UZM61QG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y4D92Q4Q\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GSNRMVI6\desktop.ini (67 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1936 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\LP\0205\7.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2656 bytes)
%Program Files%\LP\0205\C29.exe (282434 bytes)
%System%\config\software (949 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process 7.tmp:552 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 43 18 CF BA 88 B1 A5 A9 C5 2E 00 E1 4A FF 2B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\WinRAR]
"HWID" = "7B 42 33 41 32 35 43 34 38 2D 36 34 43 33 2D 34"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF C9 82 C1 91 65 D9 EB EB 49 72 3F 03 F6 1F 59"
The process %original file name%.exe:1936 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 7F 17 40 19 88 FE A4 FC 4D C7 60 F5 E2 6C 0C"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\0205\C29.exe"
The process %original file name%.exe:1604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 49 C9 AC A4 5E 4D 03 28 1D D2 3B F3 41 2D E2"
The process msiexec.exe:432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 42 C3 01 C6 09 09 F3 93 3F 01 27 D7 7E 03 97"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| hxxp://istockanalyst.com/12.jpg?sv=592&tq=gwY92w4ANN/FPQmIj9ekE6ERdVFcRz8D+Ka/DQLh/0WgcLFyNNHZTBSAG2NGS0saAydI3JjSCpADTLZAInVgumG9EaLLBt1pYXo26UEmcWFV73obexQgcRnydpIUlGdZOhEyUZ4FXht/d27qXV/Clq+EbLMJGmtSq55kOBFW70/oAyaW55rtRZTeGpfRs3s71FPzvy0BO2E4sSNHOHdKpHumlpJUggk92uOIAVMwaPFZq+bkdmbB0aXEA0R7pJb/1c9KHSXImmHxAeNVv+t567VhfzAuQaaq7 | 66.70.127.101 |
| hxxp://50-i00fljd.batarryreanimayion.com/logo.png?sv=372&tq=gL5HtzoYwLzEpUb5fU3HxcW3A/U6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU= | 62.116.181.25 |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://50-i00fljd.batarryreanimayion.com/logo.png?sv=481&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC5OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= | |
| hxxp://TRANSERSDATAFORME.COM/gate.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 6) , Malicious) | |
| hxxp://f90.suras-ip.com/logo.png?sv=815&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC9OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= | 69.43.161.176 |
| csc3-2009-2-crl.verisign.com | 23.61.69.163 |
| crl.verisign.com | 23.61.69.163 |
| -vxk4b1.batarryreanimayion.com | 62.116.181.25 |
| www.download.windowsupdate.com | 23.3.98.40 |
| csc3-2009-crl.verisign.com | 23.61.69.163 |
| transersdataforme.com | 192.155.89.148 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
%original file name%.exe:1260
%original file name%.exe:1604 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S2HINDGD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UZM61QG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y4D92Q4Q\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GSNRMVI6\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Program Files%\LP\0205\7.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2656 bytes)
%Program Files%\LP\0205\C29.exe (282434 bytes)
%System%\config\software (949 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\0205\C29.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.