Gen.Trojan.Heur.lLWt1cL2poi_76af4a0db0


by malwarelabrobot on May 24th, 2017 in Malware Descriptions.

Gen:Trojan.Heur.lLW@t1cL2poi (BitDefender), VirTool:Win32/DelfInject.gen!BI (Microsoft), Trojan.Win32.Buzus.kkrx (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), BackDoor.Pigeon.63368 (DrWeb), Gen:Trojan.Heur.lLW@t1cL2poi (B) (Emsisoft), Artemis!76AF4A0DB0ED (McAfee), Trojan.Gen (Symantec), Trojan.Win32.Buzus (Ikarus), Gen:Trojan.Heur.lLW@t1cL2poi (FSecure), SHeur4.LMR (AVG), Win32:Injector-AHB [Trj] (Avast), TROJ_GEN.R047C0EGJ13 (TrendMicro), Gen:Trojan.Heur.lLW@t1cL2poi (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 76af4a0db0ed623fb3970fcb6305ac55
SHA1: 11d0036422f5d8760c292c013ffe66e0c8916e67
SHA256: 5d76de3f93d0c15ddff69308682b0705c3b670e3f5c0d27b0c5e23991950e96a
SSDeep: 24576:M3T15g0oU1SR8PicLuxkdWjbJ3HXjcDbxvVwIr22F7n6w:4RAwujdnoD1VN2Eo
Size: 1229824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-12-26 02:37:47
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

What the sandbox run shows is an installer: the original file drops usnscv.exe and a 77-byte decoy .jpg into %LocalAppData%, registers usnscv.exe in the HKCU Run key and injects code into usnscv.exe and DllHost.exe. The strings recovered from the injected usnscv.exe process (see the strings dump below) show what that code is built to do: a Delphi application (VCL class and unit names such as TKeylogger, TCnRawKeyBoard, uKeylogger, uWebcam, uFireFox, uURLHistory, uPasswordRecovery) that hooks the keyboard (SetWindowsHookExA, GetKeyboardState, GetKeyNameTextA), reads Firefox logins (signons.sqlite, "SELECT * FROM moz_logins", nss3.dll and PK11_GetInternalKeySlot), Outlook IMAP/POP3 and Windows Live credentials (Windows Messaging Subsystem profile keys, pstorec.dll, "WindowsLive:name=*") and the Safari keychain.plist, carries webcam capture code (avicap32.dll, uWebcam), spreads via autorun.inf and fetches files over HTTP (InternetOpenUrlA, hard-coded User-Agent "Opera/9.24 (Windows NT 5.1; U; en)"). The vendor names (DelfInject, Injector, Delphi) are consistent with a Delphi injector. No command-and-control traffic was observed in the sandbox, so where the stolen data goes is not shown by this report.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1792

The Trojan injects its code into the following process(es):

usnscv.exe:2948
DllHost.exe:2932

usnscv.exe:2948 is the copy dropped to %LocalAppData% (see File activity) and registered in the Run key; DllHost.exe:2932 is the legitimate Windows COM surrogate, used here only as an injection host. Both carry the payload on an infected system and must be terminated alongside the original process.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\180911_107564029321438_100002035252119_50810_5193203_n.jpg (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\usnscv.exe (10014 bytes)

A 77-byte file cannot be a real photograph; the name mimics a social-network image download, so treat it as a decoy or a small data file rather than as the payload. Note also that the dropped usnscv.exe (10014 bytes) is far smaller than the 1229824-byte sample, so it is not a plain copy of the original.

Registry activity

The process usnscv.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"usnscv.exe" = "C:\Users\"%CurrentUserName%"\AppData\Local\usnscv.exe /background"

The process DllHost.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "DllHost.exe"

The process %original file name%.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 96 BE 95 10 7C D3 D2 01"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

The Direct3D\MostRecentApplication and Shell Extensions\Cached values are written by Windows itself whenever a process initialises Direct3D or the shell loads an extension; they are side effects of the processes running, not persistence, and are not useful as indicators on their own. The only persistence-relevant write recorded in this run is the HKCU Run value set by usnscv.exe:2948 above.

Dropped PE files

There are no dropped PE files.

This contradicts the 10014-byte usnscv.exe written to %LocalAppData% unless that file is not a well-formed PE on disk. Taken together with the strings dump, which recovers the full Delphi stealer from an RWX region of 0x91000 bytes at 0x00400000 inside usnscv.exe:2948, the picture is consistent with a small on-disk stub whose running image is replaced in memory by the injected payload. Check the dropped file's PE header before treating it as the sample proper.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Two caveats apply to this sample. First, the sandbox recorded no writes to any removable drive (see File activity); the WormAutorun classification rests on the ":autorun.inf" string and related code in the usnscv.exe process dump, not on observed spreading. Second, Windows 7, and XP/Vista with update KB971029 (February 2011), no longer honour autorun.inf on USB drives, so on such hosts the dropped copy runs only if a user launches it; the AutoRun path still works on older or unpatched machines and on media that present themselves as optical drives.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             490544        491008    4.55978   87193bd6b9d538536b7a30b3433e4af4
.itext  495616           5952          6144      4.15052   262af476ac7b37ae360ce3f2339aa320
.data   503808           10460         10752     2.96929   46e5d8c24198a56458a5b2264a2c3201
.bss    516096           20088         0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  536576           10436         10752     3.45096   b73fdf6748849997fbcff93309ccdf4b
.tls    548864           52            0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  552960           24            512       0.146134  aebd8e5970c0a0b756d2a8f5832d89b1
.reloc  557056           28644         28672     4.65094   a317186707586f34d41aa0c56a836959
.rsrc   585728           680740        680960    5.51014   a35668c56f1e76716bc254bf3aafbe80

Addresses and sizes are decimal bytes. .bss and .tls have no raw data, so their MD5 is that of the empty string. The section layout (.text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc) is the standard Borland/Delphi linker layout, matching the DelfInject and Delphi detection names. No section exceeds 5.6 bits per byte, so the "Entropy: Packed" verdict above is not borne out by the per-section numbers; the 680 KB .rsrc section, 55% of the file, is the first place to look for the embedded image that ends up in usnscv.exe's memory.
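To check an "Entropy: Packed" verdict against the section numbers, the following Python script (an added example, not Lavasoft's tooling or the sample's code) parses a PE section table directly from the headers and computes per-section Shannon entropy. The toy PE it builds in make_sample_pe() is constructed for the demonstration and has no relation to the analysed file; run the script with a file path to apply the same check to a real sample.

```python
# Added example (not Lavasoft's tooling): parse a PE section table and compute
# per-section Shannon entropy, the check behind a "packed" verdict.
# make_sample_pe() constructs a toy PE here; it is not the analysed sample.
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, virtual_address, virtual_size, raw_size, entropy) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # SizeOfOptionalHeader
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""            # .bss/.tls have no raw data
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, rsize, shannon_entropy(raw)))
    return sections


def packed_verdict(sections, threshold=7.0):
    """Call a file packed/encrypted only if a section with raw data sits near the
    8-bit ceiling.  Delphi code at ~4.6 and resources at ~5.5, as in the table
    above, do not qualify.  Returns (is_packed, [section names over threshold])."""
    hot = [s[0] for s in sections if s[3] and s[4] >= threshold]
    return bool(hot), hot


def make_sample_pe() -> bytes:
    """Constructed minimal PE32: a low-entropy .text of repeated x86 prologue
    bytes and a .rsrc of pseudo-random bytes standing in for an encrypted blob."""
    rng = random.Random(0)
    text_data = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3" * 93).ljust(1024, b"\0")
    rsrc_data = bytes(rng.randrange(256) for _ in range(4096))
    e_lfanew, opt_size = 64, 224
    table = e_lfanew + 4 + 20 + opt_size
    layout = [(b".text", 0x1000, text_data, 512),
              (b".rsrc", 0x2000, rsrc_data, 512 + len(text_data))]
    buf = bytearray(layout[-1][3] + len(rsrc_data))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, no symbols, PE32 optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)            # optional header magic: PE32
    for i, (name, vaddr, data, ptr) in enumerate(layout):
        struct.pack_into("<8sIIII", buf, table + 40 * i, name, len(data), vaddr, len(data), ptr)
        buf[ptr:ptr + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe()
    secs = parse_sections(blob)
    for name, vaddr, vsize, rsize, ent in secs:
        print(f"{name:8} va=0x{vaddr:06x} vsize={vsize:7d} raw={rsize:7d} entropy={ent:.2f}")
    print("packed verdict:", packed_verdict(secs))
```

The threshold is deliberately high: compressed or encrypted data sits above 7 bits per byte, while native code, Delphi RTTI and uncompressed resources stay well below, which is why the table's highest value (5.51 for .rsrc) does not support a "packed" label on its own.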

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                IP
dns.msftncsi.com   (none recorded)

dns.msftncsi.com is the host queried by the Windows Network Connectivity Status Indicator; Windows 7 performs this lookup itself, so it is OS background noise rather than sample traffic. No URL attributable to the sample was recorded, although the dump contains an InternetOpenUrlA import and a hard-coded User-Agent "Opera/9.24 (Windows NT 5.1; U; en)", which is a usable network signature should the sample beacon.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

None listed.

Traffic

The Trojan connects to the servers at the following location(s):

None listed.

Strings from Dumps

usnscv.exe_2948:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
PSAPI.dll
EInvalidGraphicOperation
OPasswordRecovery
\Apple Computer\Preferences\keychain.plist
ole32.dll
USER32.DLL
comctl32.dll
uxtheme.dll
Uh_%D
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordlVA
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownTPD
OnKeyPress
OnKeyUp,OD
Shx%F
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
uURLHistory
pstorec.dll
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
IMAP Password
IMAP Password:
POP3 Password
POP3 Password:
encryptedPassword
WindowsLive:name=*
SELECT * FROM moz_logins
\Mozilla Firefox\
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
userenv.dll
sqlite3_open
sqlite3_close
sqlite3_get_table
sqlite3_exec
sqlite3_free
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\signons.sqlite
avicap32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
melt.bat
melt.bat"
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
info.dat
Windows NT
Windows 2000
Windows XP
Windows Vista
Windows 7
Windows 95
Windows 98SE
Windows 98
Windows ME
TKeylogger
TWindows
TCnRawKeyBoard
User32.DLL
password
\update.exe
$000000.tmp
$temp.tmp
Can't rename %s
fo.dat
hp HTTP/1.1
:autorun.inf
HTTP/1.1
User-Agent: Opera/9.24 (Windows NT 5.1; U; en)
127.0.0.1\127.0.0.1
usnscv.exe:0
usnscv.exe
com.apple.Safari$#&(%'!"-.
DBv}.Bv
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
SetProcessShutdownParameters
SetNamedPipeHandleState
GetProcessShutdownParameters
GetCPInfo
CreatePipe
version.dll
gdi32.dll
SetViewportOrgEx
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
wsock32.dll
winmm.dll
msacm32.dll
crypt32.dll
shell32.dll
ShellExecuteA
wininet.dll
InternetOpenUrlA
SHFolder.dll
secur32.dll
KWindows
KuURLHistory
UrlMon
ZPasswordRecovery
untCMDList
uWindows
uKeylogger
HuntHTTPDownload
%uWebcam
uFireFox
)OPasswordRecovery
No help keyword specified.
JPEG error #%d
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
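Reading a dump like the one above is a matter of mapping strings to capabilities. The following Python script is an added example of that triage (not Lavasoft's code and not from the sample); the SAMPLE_STRINGS list is copied from the usnscv.exe:2948 dump above, with three residue lines kept to exercise the noise filter. The capability tags and the rule table are the editor's, and a hit shows that the code can do something, not that it did so in this run.

```python
# Added example (not Lavasoft's tooling): a capability-triage pass over a
# strings dump, the way an analyst reads a listing like the one above.
# SAMPLE_STRINGS are copied from the usnscv.exe:2948 dump above, with three
# residue lines kept on purpose to show the noise filter.

# tag -> substrings (matched case-insensitively).  A hit is evidence that the
# code *can* do something; it is not proof the behaviour ran in the sandbox.
RULES = {
    "keylogger": ["SetWindowsHookExA", "GetKeyboardState", "GetKeyNameTextA",
                  "MapVirtualKeyA", "TKeylogger", "uKeylogger", "TCnRawKeyBoard"],
    "browser_credentials": ["signons.sqlite", "signons3.txt", "moz_logins",
                            "PK11_GetInternalKeySlot", "nss3.dll", "keychain.plist",
                            "com.apple.Safari", "uFireFox"],
    "mail_credentials": ["Windows Messaging Subsystem\\Profiles\\Outlook",
                         "IMAP Password", "POP3 Password", "MAPI32.DLL"],
    "protected_storage": ["pstorec.dll", "WindowsLive:name=", "encryptedPassword"],
    "webcam": ["avicap32.dll", "uWebcam"],
    "removable_media_spread": ["autorun.inf"],
    "persistence": ["CurrentVersion\\Run", "Active Setup\\Installed Components"],
    "self_delete": ["melt.bat"],
    "http_download": ["InternetOpenUrlA", "HuntHTTPDownload", "User-Agent:"],
}

# Copied from the dump above; the last three lines are strings-output residue.
SAMPLE_STRINGS = [
    "SetWindowsHookExA", "GetKeyboardState", "GetKeyNameTextA", "TKeylogger",
    "SELECT * FROM moz_logins", "\\signons.sqlite", "PK11_GetInternalKeySlot",
    "\\Apple Computer\\Preferences\\keychain.plist",
    "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook",
    "IMAP Password:", "POP3 Password:", "pstorec.dll", "WindowsLive:name=*",
    "avicap32.dll", "%uWebcam", ":autorun.inf",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\",
    "melt.bat", "InternetOpenUrlA", "User-Agent: Opera/9.24 (Windows NT 5.1; U; en)",
    "EVariantBadIndexError",
    "333333333333333333", "5 5$5(5,5054585<5@5\\5|5", "$*@@@*$@@@$ *@@* $@@($*)@",
]


def is_noise(line: str) -> bool:
    """Drop residue such as relocation runs ('333333338', '5 5$5(5,5054585')
    that carries no words: fewer than 40% letters, or shorter than 4 chars."""
    s = line.strip()
    if len(s) < 4:
        return True
    letters = sum(ch.isalpha() for ch in s)
    return letters / len(s) < 0.4


def classify_strings(lines):
    """Return {tag: [matching strings]} for every capability with evidence."""
    hits = {}
    for raw in lines:
        if is_noise(raw):
            continue
        low = raw.lower()
        for tag, needles in RULES.items():
            if any(needle.lower() in low for needle in needles):
                hits.setdefault(tag, []).append(raw.strip())
    return hits


def capability_summary(lines):
    """Sorted list of capability tags, the one-line verdict for a report."""
    return sorted(classify_strings(lines))


if __name__ == "__main__":
    import sys
    lines = (open(sys.argv[1], errors="replace").read().splitlines()
             if len(sys.argv) > 1 else SAMPLE_STRINGS)
    for tag, evidence in sorted(classify_strings(lines).items()):
        print(f"{tag:24} {len(evidence):3d} hit(s), e.g. {evidence[0]}")
```

Pointing the script at the output of `strings` on a memory dump gives the same table; the rule list is where an analyst encodes what this family's unit names, registry paths and API imports mean, and it should grow as new dumps are read.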

usnscv.exe_2948_rwx_00400000_00091000:

(The strings recovered from this RWX region at 0x00400000, 0x91000 bytes, are identical to the usnscv.exe_2948 listing above and are not repeated here. The region sits at the default Win32 image base and holds the full Delphi stealer, even though the usnscv.exe file on disk is only 10014 bytes.)

DllHost.exe_2932 (the strings below are those of the legitimate Windows 7 RTM dllhost.exe, version 6.1.7600.16385; no payload strings were recovered from this process):

.text
`.data
.rsrc
@.reloc
KERNEL32.dll
msvcrt.dll
ole32.dll
ntdll.dll
dllhost.pdb
_wcmdln
_amsg_exit
6.1.7600.16385 (win7_rtm.090713-1255)
dllhost.exe
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1792
    usnscv.exe:2948
    DllHost.exe:2932 (a legitimate Windows binary, but it carries injected code in this run)

  2. Delete the original Trojan file. The dump contains "melt.bat", a name typically used by self-deleting batch files, so the original may already have removed itself; the dropped copy in step 3 is the one that persists.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\180911_107564029321438_100002035252119_50810_5193203_n.jpg (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\usnscv.exe (10014 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "usnscv.exe" = "C:\Users\"%CurrentUserName%"\AppData\Local\usnscv.exe /background"

    The dump also references HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\, a second autostart location. No write there was recorded in this run, but check it for entries pointing at usnscv.exe before declaring the host clean.

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
  8. Because the sample carries keylogging and credential-theft code (Firefox, Outlook, Windows Live, Safari keychain), treat every password typed on or stored in the machine as exposed and rotate it from a clean system.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
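For verifying steps 4 and 6 on exported evidence, the following Python script is an added example (not Lavasoft's tooling): it parses a `reg export` of HKCU and flags Run values that name usnscv.exe or launch from a user-writable directory, and it extracts the launch directives from an autorun.inf copied off a removable drive, so it runs on an analysis box rather than the infected host. The .reg and autorun.inf texts, the user name alice and the Updater entry are constructed for illustration.

```python
# Added example (not Lavasoft's tooling): checks for the two persistence
# artifacts this report names, run against exported evidence (a `reg export`
# of HKCU and autorun.inf files copied from removable drives).
# SAMPLE_REG and SAMPLE_AUTORUN are constructed; the user name "alice" and the
# "Updater" entry are invented for illustration.
import re

IOC_FILENAMES = {"usnscv.exe"}                      # dropped file named in this report
USER_WRITABLE = re.compile(r"\\(AppData\\Local|AppData\\Roaming|Temp)\\", re.I)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
AUTORUN_LAUNCH_KEYS = {"open", "shellexecute"}


def parse_reg_export(text):
    """Parse [key] / "name"="data" lines of a .reg export into {key: {name: data}},
    undoing the export's backslash escaping of backslashes and quotes."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
            continue
        m = REG_VALUE.match(line)
        if key is not None and m:
            result[key][m["name"]] = re.sub(r"\\(.)", r"\1", m["data"])
    return result


def executable_path(cmdline):
    """Executable part of a Run value: the quoted token, else text up to '.exe'."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    m = re.search(r"\.exe\b", cmdline, re.I)
    return cmdline[:m.end()] if m else cmdline.split(" ")[0]


def check_run_keys(reg):
    """(severity, key, value name, path) for Run values naming an IOC ('ioc') or
    launching from a user-writable directory ('review'), which is where this
    sample installs itself and where some legitimate software also lives."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, data in values.items():
            path = executable_path(data)
            if path.rsplit("\\", 1)[-1].lower() in IOC_FILENAMES:
                findings.append(("ioc", key, name, path))
            elif USER_WRITABLE.search(path):
                findings.append(("review", key, name, path))
    return findings


def check_autorun_inf(text):
    """Launch directives from the [autorun] section (open=, shellexecute= and
    shell\\<verb>\\command=), the hooks a removable-drive worm uses to run when
    the drive is opened on systems that still honour AutoRun.  Display-only
    keys such as label= and icon= are ignored."""
    directives, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            k = k.strip().lower()
            if k in AUTORUN_LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                directives[k] = v.strip()
    return directives


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"usnscv.exe"="C:\\Users\\alice\\AppData\\Local\\usnscv.exe /background"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\Sidebar.exe /autoRun"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\updater\\update.exe\" -q"
'''

SAMPLE_AUTORUN = """[autorun]
; constructed in the style of removable-drive worms; not this sample's own file
label=My Photos
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=usnscv.exe
shellexecute=usnscv.exe
shell\\open\\command=usnscv.exe
shell\\explore\\command=usnscv.exe
"""

if __name__ == "__main__":
    for finding in check_run_keys(parse_reg_export(SAMPLE_REG)):
        print("Run value:", finding)
    for k, v in check_autorun_inf(SAMPLE_AUTORUN).items():
        print("autorun.inf launch directive:", k, "=", v)
```

The "review" severity exists because a path under AppData is only a weak signal: the constructed Updater entry is flagged for a human to look at, while the usnscv.exe entry is a definite hit. On the drive side, an autorun.inf whose only keys are label= and icon= is harmless and returns nothing.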
