HEUR:Trojan.Win32.Generic (Kaspersky), TrojanPWS.Win32.Fareit.aa (v) (VIPRE), Trojan-PWS.Win32.Fareit!IK (Emsisoft), Trojan.Win32.Nedsym.FD, TrojanNedsym.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4589fed6107b01617c4b2f5e40d3f240
SHA1: 73b9c0df367896b5008f4acc295d138edd7ee8ee
SHA256: 776a73ad30fd761456389a359f4cc4bac93a24aca46e8a1868c63e73573f9f77
SSDeep: 1536:pzqc7h/pJL27akkoVAeflhbfmmiostHCCOWE3DIhxd8yveRd35HSjXQiiYHmejbO:FkUqldRcOrIzlvGFSbTiqbmQs01wh
Size: 120448 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-31 14:30:59
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:544
svcnost.exe:1136
The Trojan injects its code into the following process(es):
svcnost.exe:1060
File activity
The process %original file name%.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts (5 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process svcnost.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ntuser.dat (55 bytes)
%Documents and Settings%\%current user%\Application Data\desktop.ini (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\desktop.ini (0 bytes)
Registry activity
The process %original file name%.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "%Documents and Settings%\%current user%\Application Data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2\svcnost.exe"
The process svcnost.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 1C 13 C2 62 21 70 3C 27 0D EB 70 6F 18 97 CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"SavedLegacySettingsML" = "36 34 39 39 36 33 31 34 33"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\documents and settings\"%CurrentUserName%"\application data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2]
"svcnost.exe" = "c:\documents and settings\"%CurrentUserName%"\application data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2\svcnost.exe:*:Enabled:ldrsoft"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://yjrdv.ru/stat1.php (Malicious) | 46.17.57.182 |
| gateway-f1.isp.att.net | 204.127.217.16 |
| mailin-01.mx.aol.com | 205.188.59.194 |
| mxmta.sympatico.ca | 67.69.240.24 |
| mailin-04.mx.aol.com | 205.188.146.194 |
| mailin-02.mx.aol.com | 205.188.155.110 |
| mx4.hotmail.com | 65.55.37.88 |
| mx00.t-online.de | 194.25.134.8 |
| extmail.bigpond.com | 61.9.168.122 |
| mail2.suburbancollection.com | 206.245.132.67 |
| mail.pontuswidenmaskin.se | 217.78.28.227 |
| mx2.sbcglobal.am0.yahoodns.net | 98.138.206.39 |
| mta5.am0.yahoodns.net | 66.196.118.33 |
| mx3.me.com.akadns.net | 17.158.8.61 |
| mx3.hotmail.com | 65.55.92.168 |
| mx-1.mercury.net | 64.7.161.17 |
| relay.verizon.net | 206.46.232.11 |
| mta6.am0.yahoodns.net | 98.138.112.38 |
| mail2.ainweb.net | 54.208.119.129 |
| mxzhb.bluewin.ch | 195.186.99.50 |
| gmail-smtp-in.l.google.com | 74.125.142.27 |
| mx1.hotmail.com | 65.54.188.94 |
| mx2.free.fr | 212.27.42.59 |
| mxbw.bluewin.ch | 195.186.99.50 |
| mx3.earthlink.net | 209.86.93.228 |
| mx2.hotmail.com | 65.55.37.104 |
| mx.bt.lon5.cpcloud.co.uk | 65.20.0.49 |
| mymail.bright.net | 209.143.0.180 |
| mulgara.westnet.com.au | 203.10.1.146 |
| mx1.earthlink.net | 209.86.93.226 |
| idcmail.shaw.ca | 24.71.223.11 |
| inbound.localnet.com | 207.251.194.26 |
| mx2.comcast.net | 76.96.40.147 |
| alt1.gmail-smtp-in.l.google.com | 173.194.74.26 |
| mail.cvwrf.org | 173.8.90.131 |
| alt2.gmail-smtp-in.l.google.com | 173.194.75.26 |
| alt4.gmail-smtp-in.l.google.com | 173.194.65.27 |
| mx.dca.untd.com | 64.136.44.37 |
| mx1.comcast.net | 68.87.26.147 |
| mx-eu.mail.am0.yahoodns.net | 188.125.69.79 |
| alt3.gmail-smtp-in.l.google.com | 173.194.66.26 |
| mta7.am0.yahoodns.net | 66.196.118.35 |
| smtp.ciaccess.com | 209.216.133.240 |
| mail2.accuridecorp.com | 12.129.87.232 |
| mailin-03.mx.aol.com | 205.188.59.193 |
| postoffice03.mail-hub.dodo.com.au | 202.136.40.236 |
| extmail.bpbb.bigpond.com | 61.9.189.122 |
| smtp-in.orange.fr | 193.252.22.65 |
| jejrw.su | Unresolvable |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5915 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads-us1.kaspersky-labs.com |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | www.secuser.com |
| 127.0.0.1 | a188.x.akamai.net |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.d4p.net |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | ftp.nai.com |
| 127.0.0.1 | www.grisoft.cz |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | free.grisoft.cz |
| 127.0.0.1 | tds.diamondcs.com.au |
| 127.0.0.1 | ieupdate.gdata.de |
| 127.0.0.1 | ieupdate6.gdata.de |
| 127.0.0.1 | ieupdate5.gdata.de |
| 127.0.0.1 | ieupdate4.gdata.de |
| 127.0.0.1 | ieupdate3.gdata.de |
| 127.0.0.1 | ieupdate2.gdata.de |
| 127.0.0.1 | ieupdate1.gdata.de |
| 127.0.0.1 | www.iavs.cz |
| 127.0.0.1 | download7.avast.com |
| 127.0.0.1 | download6.avast.com |
| 127.0.0.1 | download5.avast.com |
| 127.0.0.1 | download4.avast.com |
| 127.0.0.1 | download3.avast.com |
| 127.0.0.1 | download2.avast.com |
| 127.0.0.1 | download1.avast.com |
| 127.0.0.1 | upgrade.bitdefender.com |
| 127.0.0.1 | windowsupdate.microsoft.com |
| 127.0.0.1 | www.lavasoftusa.com |
| 127.0.0.1 | www.a-2.org |
| 127.0.0.1 | updates.a-2.org |
| 127.0.0.1 | niuone.norman.no |
| 127.0.0.1 | www.diamondcs.com.au |
| 127.0.0.1 | www.attechnical.com |
| 127.0.0.1 | www.zeylstra.nl |
| 127.0.0.1 | fractus.mat.uson.mx |
| 127.0.0.1 | www.toonbox.de |
| 127.0.0.1 | radius.turvamies.com |
| 127.0.0.1 | diamondcs.fileburst.com |
| 127.0.0.1 | downloads.My-eTrust.com |
| 127.0.0.1 | acs.pandasoftware.com |
| 127.0.0.1 | v4.windowsupdate.microsoft.com |
| 127.0.0.1 | www.NoAdware.net |
| 127.0.0.1 | www.nod32.com |
| 127.0.0.1 | www.eset.sk |
| 127.0.0.1 | avu.zonelabs.com |
| 127.0.0.1 | retail.sp.f-secure.com |
| 127.0.0.1 | retail01.sp.f-secure.com |
| 127.0.0.1 | retail02.sp.f-secure.com |
| 127.0.0.1 | www.moosoft.com |
| 127.0.0.1 | secuser.model-fx.com |
| 127.0.0.1 | secuser.com |
| 127.0.0.1 | downloads-eu1.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | pccreg.antivirus.com |
| 127.0.0.1 | dl1.antivir.de |
| 127.0.0.1 | dl2.antivir.de |
| 127.0.0.1 | dl3.antivir.de |
| 127.0.0.1 | dl4.antivir.de |
| 127.0.0.1 | ad.doubleclick.net |
| 127.0.0.1 | ad.fastclick.net |
| 127.0.0.1 | ads.fastclick.net |
| 127.0.0.1 | ar.atwola.com |
| 127.0.0.1 | atdmt.com |
| 127.0.0.1 | avp.ch |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | avp.ru |
| 127.0.0.1 | awaps.net |
| 127.0.0.1 | banner.fastclick.net |
| 127.0.0.1 | banners.fastclick.net |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | click.atdmt.com |
| 127.0.0.1 | clicks.atdmt.com |
| 127.0.0.1 | customer.symantec.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.microsoft.com |
| 127.0.0.1 | downloads.microsoft.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads-us1.kaspersky-labs.com |
| 127.0.0.1 | downloads-us2.kaspersky-labs.com |
| 127.0.0.1 | downloads-us3.kaspersky-labs.com |
| 127.0.0.1 | engine.awaps.net |
| 127.0.0.1 | fastclick.net |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | ftp.avp.ch |
| 127.0.0.1 | ftp.downloads2.kaspersky-labs.com |
| 127.0.0.1 | ftp.f-secure.com |
| 127.0.0.1 | ftp.kasperskylab.ru |
| 127.0.0.1 | ftp.sophos.com |
| 127.0.0.1 | go.microsoft.com |
| 127.0.0.1 | ids.kaspersky-labs.com |
| 127.0.0.1 | kaspersky.com |
| 127.0.0.1 | kaspersky-labs.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | media.fastclick.net |
| 127.0.0.1 | msdn.microsoft.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | office.microsoft.com |
| 127.0.0.1 | phx.corporate-ir.net |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | service1.symantec.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | spd.atdmt.com |
| 127.0.0.1 | support.microsoft.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | trendmicro.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | updates1.kaspersky-labs.com |
| 127.0.0.1 | updates1.kaspersky-labs.com |
| 127.0.0.1 | updates2.kaspersky-labs.com |
| 127.0.0.1 | updates3.kaspersky-labs.com |
| 127.0.0.1 | updates3.kaspersky-labs.com |
| 127.0.0.1 | updates4.kaspersky-labs.com |
| 127.0.0.1 | updates5.kaspersky-labs.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | vil.nai.com |
| 127.0.0.1 | viruslist.com |
| 127.0.0.1 | viruslist.ru |
| 127.0.0.1 | windowsupdate.microsoft.com |
| 127.0.0.1 | www.avp.ch |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.avp.ru |
| 127.0.0.1 | www.awaps.net |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | www.fastclick.net |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | www.kaspersky.com |
| 127.0.0.1 | www.kaspersky.ru |
| 127.0.0.1 | www.kaspersky.ru |
| 127.0.0.1 | www.kaspersky-labs.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.viruslist.com |
| 127.0.0.1 | www.viruslist.ru |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:544
svcnost.exe:1136 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\etc\hosts (5 bytes)
%Documents and Settings%\%current user%\Application Data\ntuser.dat (55 bytes)
%Documents and Settings%\%current user%\Application Data\desktop.ini (9 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "%Documents and Settings%\%current user%\Application Data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2\svcnost.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.