Gen.Heur.SMHeist.3_dfb37fc74d
Gen:Heur.SMHeist.3 (BitDefender), Backdoor:MSIL/Bladabindi.AA (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), BackDoor.Siggen.49176 (DrWeb), Gen:Heur.SMHeist.3 (B) (Emsisoft), Artemis!DFB37FC74D6D (McAfee), Trojan.ADH (Symantec), Trojan.Inject (Ikarus), Gen:Heur.SMHeist.3 (FSecure), MSIL2.MTX (AVG), MSIL:Agent-BVQ [Trj] (Avast), TROJ_GEN.R08NC0DCP17 (TrendMicro), Gen:Heur.SMHeist.3 (AdAware), Installer.Win32.SmartIM.FD, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: dfb37fc74d6da3acfebf0b2271d4c378
SHA1: 968937f2e6ed497ddaf186e28d472c63631d7651
SHA256: 727caa08405db0dab9db51714adaf70a78d08a7cc0b357c4d2a920aec68e108f
SSDeep: 49152:fAI 3d9kHwUyudyfdAOPcyKw7Tcefk3vAmRQ7cM8lT5XVtXyp 6AmMbA:fAI t2HhfdIdAOEhkFf6I8JM8PXVCRkA
Size: 2779828 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1116
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\7.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (36471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (1732 bytes)
Registry activity
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft
Product Name:
Product Version:
Legal Copyright: Microsoft
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.7
File Description: ssPS17U_setup 1.7 Installation
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 148684 | 148992 | 4.57091 | 5e14e4ede2e2215bc7d72837b9871f8f |
DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 176128 | 6040 | 6144 | 3.3864 | a4e0ac39d5ed487ceea059fa23dfce5e |
.tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
.reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
.rsrc | 200704 | 113200 | 113664 | 5.33412 | 744e7c9cc36889eced36c97d60138149 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
teredo.ipv6.microsoft.com | |
dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
.idata
.rdata
P.reloc
P.rsrc
uxtheme.dll
;CRt$
PSAPI.dll
kernel32.dll
1.1.4
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
URLInfoAbout
SOFTWARE\Microsoft\.NETFramework\policy
..\sim.exe
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
CKv.AKv
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
gdi32.dll
GetKeyState
ExitWindowsEx
EnumWindows
winmm.dll
ole32.dll
comctl32.dll
shell32.dll
GetWindowsDirectoryA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
ShellExecuteExA
ShellExecuteA
cabinet.dll
0(0,00040
7 7$717?7
? ?$?(?,?0?4?
11h1
uussshez
%FG/#ce
&[[]]]][[&
.AK}O
%Uk|H
k.DC)>
<<;*;::]:88
KWindows
UrlMon
version="1.0.0.0"
name="Microsoft.Windows.SIM"
<requestedExecutionLevel level="requireAdministrator"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1116
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\7.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (36471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (1732 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.