Susp_Dropper (Kaspersky), VirTool.Win32.Obfuscator.hg!a (v) (VIPRE), Win32.SuspectCrc!IK (Emsisoft), Backdoor.Win32.Shiz.FD, GenericInjector.YR, Shiz.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b8d3316b1e714f81cf848ccc455705bf
SHA1: b0bf429b719e884539691978a50e45fe8655f899
SHA256: 6a309f34d48c974fc9835825dbf195b61c3fc92db9086802d1b29a1d4d4e6efb
SSDeep: 6144:dcfqGJSFKnLQXBgBrX227mz4DgAxOvKWr8:mtJS40x0pDgAxOv/8
Size: 245248 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30; UPolyXv05_v6
Company: no certificate found
Created at: 1990-04-16 10:11:03
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Process activity
The Backdoor creates the following process(es):
b8d3316b1e714f81cf848ccc455705bf.exe:2592
The Backdoor injects its code into the following process(es):
ctfmon.exe:252
File activity
The process b8d3316b1e714f81cf848ccc455705bf.exe:2592 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\AppPatch\xynodu.exe (1771 bytes)
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process b8d3316b1e714f81cf848ccc455705bf.exe:2592 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 DA CA B3 FE 27 65 DA BF C3 EA 29 68 75 51 4E"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\xynodu.exe_, \??\%WinDir%\apppatch\xynodu.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"d8cc41db" = "ÂÂCêkæÚ`Ã¥D 5õÃâ€PôPW«m&e4¹àâ€Â¸a4d‚\yìqÂÂA}(Äé¼ü4|Âá@â€Â°™,¡¤üHrѼ©€©â€Â´D0}éiXª¸|Èy4¡RYÑúiÂÂèmÑ©È„IáØð±¼(¤ ádI򯬓dËœ XYâÀeÅ“iü¥AÅ¡Ii¸rÂ¥(¡A\y 9€éñ$ZÃâ€axÙ9The process ctfmon.exe:252 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
URL: hxxp://50.116.56.144/login.php Country: United States
Rootkit activity
The Backdoor installs the following user-mode hooks in CRYPT32.dll: CertVerifyCertificateChainPolicy
HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
InternetReadFile
GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage
CryptEncrypt
WSASend
recv
gethostbyname
WSARecv
send
CreateFileW
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
b8d3316b1e714f81cf848ccc455705bf.exe:2592
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%WinDir%\AppPatch\xynodu.exe (1771 bytes)
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.