Trojan.Generic.9467074 (BitDefender), not-a-virus:RiskTool.Win32.BitCoinMiner.frk (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.BtcMine.156 (DrWeb), Trojan.Generic.9467074 (B) (Emsisoft), Artemis!F865C1990241 (McAfee), Win32.SuspectCrc (Ikarus), Trojan.Generic.9467074 (FSecure), Generic33.BQKR (AVG), Win32:BitCoinMiner-CA [Trj] (Avast), HKTL_BITMINE.SML (TrendMicro), HackTool.Win32.RemoteAdmin.FD (Lavasoft MAS)Behaviour: Trojan, RemoteAdmin, HackTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f865c199024105a2ffdf5fa98f391d74
SHA1: f838fb106e39fe4d9804b1d65edbc58c1fc98713
SHA256: c80d165f662a216e0830d961f4a5ec969afe00a1dba331bd88a4bcdf064b928f
SSDeep: 12288:WJecTp 1JEX/eq8nPn/eb6GulDk73sFDmX8nPn/KNac6:6egcS2q8ub9ulDk7W 8aN0
Size: 589798 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-23 10:15:21
Summary: HackTool. Can be used to investigate, analyze or compromise the system security. Some HackTools are multi-purpose programs, while others may have legitimate uses.Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The HackTool creates the following process(es):
nircmd.exe:628
f865c199024105a2ffdf5fa98f391d74.exe:420
attrib.exe:1348
reg.exe:1940
system.exe:196
File activity
The process f865c199024105a2ffdf5fa98f391d74.exe:420 makes changes in a file system.
The HackTool creates and/or writes to the following file(s):
%WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
%WinDir%\syso\critical\system.exe (187904 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
%WinDir%\syso\critical\antivirus.bat (108 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\zlib1.dll (100864 bytes)
%WinDir%\syso\critical\libcurl.dll (245795 bytes)
%WinDir%\syso\critical\nircmd.exe (43520 bytes)
The HackTool deletes the following file(s):
%WinDir%\syso\__tmp_rar_sfx_access_check_2265734 (0 bytes)
Registry activity
The process nircmd.exe:628 makes changes in a system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 14 1D 04 3E B4 84 B8 A7 DA D2 48 68 A7 04 B7"
The process f865c199024105a2ffdf5fa98f391d74.exe:420 makes changes in a system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 FC 8B 8C F8 C8 4F 0C 4D 97 FA 4B 4A A3 FE 76"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The HackTool modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process attrib.exe:1348 makes changes in a system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 64 90 E1 2A DA 4A AC 14 0B D9 AB F9 8C 76 CA"
The process reg.exe:1940 makes changes in a system registry.
The HackTool creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"
The process system.exe:196 makes changes in a system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 24 99 EC 51 6F E5 BF DD 53 2B 3B 0B C4 17 D7"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nircmd.exe:628
f865c199024105a2ffdf5fa98f391d74.exe:420
attrib.exe:1348
reg.exe:1940
system.exe:196 - Delete the original HackTool file.
- Delete or disinfect the following files created/modified by the HackTool:
%WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
%WinDir%\syso\critical\system.exe (187904 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
%WinDir%\syso\critical\antivirus.bat (108 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\zlib1.dll (100864 bytes)
%WinDir%\syso\critical\libcurl.dll (245795 bytes)
%WinDir%\syso\critical\nircmd.exe (43520 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"