Gen.Variant.MSILDrop.9_e2def1591b
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.MSILDrop.9 (B) (Emsisoft), Gen:Variant.MSILDrop.9 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e2def1591b3ff250e7ca42bba5697b95
SHA1: 4ee31b34382aa75eadfa6761c70aebacf4b4830f
SHA256: b6a886db87f7dde05d2dfbc7ba642e92fc91bbf9a56b689586a2a2e59e30f159
SSDeep: 3072:SdBaooypxo jhGHIQkN/rpQVm71HCdbnoWnuITGLLp:SdBaoNPl1zNGbnoWn3TGp
Size: 136394 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-05 11:10:26
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1792
The Trojan injects its code into the following process(es):
%original file name%.exe:2956
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\errorchecker.txt (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSASCui.exe (673 bytes)
Registry activity
The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSASCui.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 120 bytes in size. The following entries are added to the hosts file:
| Resolves to | Entry |
|---|---|
| 127.0.0.1 | 74.53.201.162 |
| 127.0.0.1 | 66.66.132.220.30 |
| 127.0.0.1 | 66.35.241.92 |
| 127.0.0.1 | 94.23.199.60 |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 54708 | 54784 | 4.15879 | b437937a3f64a4421f52d38bc19e458d |
| .rsrc | 65536 | 79380 | 79872 | 5.52285 | b21838d515898380cebe7a4b96df2dbc |
| .reloc | 147456 | 12 | 512 | 0.056519 | 59c3604ecede181673268c214e6a6c89 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
25df01e07564849f04bf4074b994d04a
3437b1300ddf77d3511f915f7721f9c8
5467b1b4dc1ae6f02793446173c3bd0c
URLs
| URL | IP |
|---|---|
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1792
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\drivers\etc\hosts (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\errorchecker.txt (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSASCui.exe (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSASCui.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.