Gen.Heur.MSIL.Androm.3_bba21f5311
Trojan.Generic.KDV.83510 (BitDefender), VirTool:Win32/BeeInject (Microsoft), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader1.43187 (DrWeb), Trojan.Generic.KDV.83510 (B) (Emsisoft), Artemis!BBA21F531186 (McAfee), Trojan.Gen (Symantec), Trojan-Dropper.Win32.Injector (Ikarus), Trojan.Generic.KDV.83510 (FSecure), Dropper.Generic2.CEKT (AVG), Win32:Malware-gen (Avast), TROJ_SPNR.03CI11 (TrendMicro), Gen:Heur.MSIL.Androm.3 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, VirTool, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: bba21f5311867e5aa932d4d328526ba0
SHA1: 09ff777d014569989a0cdc5cd2df8ffe73c5e8fa
SHA256: 3281a0ebd4a2851f25af22151035dda7f327b563be184d68861475114f94db86
SSDeep: 3072:uPe/Xd7VkDq8ybW0kyJbMYbb94QwMRbXxPC d:uepHjdfyYbbrwMu
Size: 114688 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-05 19:20:37
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2604
%original file name%.exe:3424
The Trojan injects its code into the following process(es):
iexplore.exe:3492
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Program.exe (601 bytes)
The process %original file name%.exe:3424 makes changes in the file system.
The Trojan deletes the following file(s):
Registry activity
The process %original file name%.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"program" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Program.exe"
The process %original file name%.exe:3424 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\LuCi]
"FileNameActual" = "c:\%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: zhlxocgd.exe
Internal Name: zhlxocgd.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 94228 | 98304 | 5.32927 | 8736b65c08e334ea7f4d93c8f72ae378 |
| .sdata | 106496 | 97 | 4096 | 0.164742 | aae1763c27970d2dce8b5573c854173a |
| .rsrc | 114688 | 680 | 4096 | 0.473709 | 6128c37094b60ed2f3e2647c2d74d147 |
| .reloc | 122880 | 12 | 4096 | 0.011373 | b52a2bffb0104c7ee8f28a5c66c98fdf |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2604
%original file name%.exe:3424
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Program.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"program" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Program.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.