Trojan.Win32.Cosmu.gw (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7a06191de92e521381dec5d65dc2110b
SHA1: bb7600c53845d9b2fd6cd04beb35dc9e89e5c661
SHA256: 5577a931c6eae8cafd9c1584a0229bf0f727763f58a72810fe4d2e49249bb05c
SSDeep: 384:1FCOUX57TWGxy6RMvXwG8AfAoJqQpfMqdIqYHMaewe/0O4q4ra73dghxXt:1cBFTxy6sXT8AfbpfldYMhr4wMxXt
Size: 22545 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: WinterSoft
Created at: 2009-06-28 05:04:33
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
File activity
Registry activity
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://www.google.com/ | 173.194.43.80 |
| hxxp://www.google.ca/?gws_rd=cr&ei=1_yIUsKPEomW2QWHo4EY | 173.194.43.95 |
| hxxp://anyhub.net/file/fotoico.exe | 69.64.147.243 |
| hxxp://www.google.ca/images/icons/product/chrome-48.png | |
| hxxp://www.google.ca/images/srpr/nav_logo80.png | |
| hxxp://isearchquick.com/ | 64.74.223.37 |
| hxxp://www.google.ca/images/srpr/logo9w.png | |
| hxxp://www.google.ca/xjs/_/js/k=xjs.hp.en_US.uIkN8wEusrU.O/m=sb_he,pcc/rt=j/d=1/sv=1/rs=AItRSTONOMMzHtdQ1eLoNMPqTPkAzI0P9Q | |
| hxxp://ssl.gstatic.com/gb/js/scm_2bf72ca8b905c136a1cc15e3cca84091.js | 173.194.43.79 |
| hxxp://www.google.ca/generate_204 | |
| clients1.google.ca | 173.194.43.88 |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 2799 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | avp.com |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | customer.symantec.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | kaspersky.com |
| 127.0.0.1 | kaspersky-labs.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | microsoft.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | pandasoftware.com |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | trendmicro.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | viruslist.com |
| 127.0.0.1 | virustotal.com |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | www.kaspersky.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.microsoft.com |
| 127.0.0.1 | www.moneybookers.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.pandasoftware.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.virustotal.com |
| 127.0.0.1 | u20.eset.com |
| 127.0.0.1 | u21.eset.com |
| 127.0.0.1 | u22.eset.com |
| 127.0.0.1 | u23.eset.com |
| 127.0.0.1 | u24.eset.com |
| 127.0.0.1 | 89.202.157.135 |
| 127.0.0.1 | 89.202.157.136 |
| 127.0.0.1 | 89.202.157.137 |
| 127.0.0.1 | 89.202.157.138 |
| 127.0.0.1 | 89.202.157.139 |
| 127.0.0.1 | u30.eset.com |
| 127.0.0.1 | u31.eset.com |
| 127.0.0.1 | u32.eset.com |
| 127.0.0.1 | u33.eset.com |
| 127.0.0.1 | u34.eset.com |
| 127.0.0.1 | u35.eset.com |
| 127.0.0.1 | u36.eset.com |
| 127.0.0.1 | u37.eset.com |
| 127.0.0.1 | u38.eset.com |
| 127.0.0.1 | u39.eset.com |
| 127.0.0.1 | u40.eset.com |
| 127.0.0.1 | u41.eset.com |
| 127.0.0.1 | u42.eset.com |
| 127.0.0.1 | u43.eset.com |
| 127.0.0.1 | u44.eset.com |
| 127.0.0.1 | u45.eset.com |
| 127.0.0.1 | u46.eset.com |
| 127.0.0.1 | u47.eset.com |
| 127.0.0.1 | u48.eset.com |
| 127.0.0.1 | u49.eset.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.