Gen.Variant.Razy.15441_d390d9b3d4
Gen:Variant.Razy.15441 (BitDefender), Trojan:Win32/Dorv.A (Microsoft), Trojan.Win32.Inject.azgw (Kaspersky), Trojan.Win32.Inject.cj (v) (VIPRE), Trojan.DownLoader6.7800 (DrWeb), Gen:Variant.Razy.15441 (B) (Emsisoft), BackDoor-EYG (McAfee), Trojan Horse (Symantec), Trojan.Win32.Injector (Ikarus), Gen:Variant.Razy.15441 (FSecure), Win32:Taidoor-D [Trj] (AVG), Win32:Taidoor-D [Trj] (Avast), TROJ_KRYPTK.SMS (TrendMicro), Gen:Variant.Razy.15441 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d390d9b3d406e52434b588965278a100
SHA1: 9a9ed6ab47549cbe85aab210bed7b6a8fe4afc9e
SHA256: eb4ff7114c72eedbbb843cf2634d3a729b4d5415d6a4b0dfb0f5d37c689e37f6
SSDeep: 384:FV9 BstZrq bg2PacWYGqUuN0PWgHY dU65PE7TIr77pe5JRAQy7kQ813Hv:Fr CrXs2C3YKWodAfIr77pe5sQwk7f
Size: 27136 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-29 09:37:00
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2712
The Trojan injects its code into the following process(es):
svchost.exe:3404
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (1531 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 62a960fdd6643352e7bfb0ac38be3330 | c:\%original file name%.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Adobe Systems, Inc.
Product Name: Flash® Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright © 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe® Flash® Player
Original Filename: FlashUtil.exe
Internal Name: Adobe® Flash® Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe® Flash® Player Installer/Uninstaller 10.1 r53
Comments:
Language: Russian (Russia)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 22760 | 23040 | 5.09548 | 4a1a03af852b361e09f870755f1dbbb4 |
| .rdata | 28672 | 996 | 1024 | 3.17402 | d214cdade079311d21d114ce97e26661 |
| .data | 32768 | 931 | 512 | 2.46518 | bb0db5816f81debf7d670115338867eb |
| .rsrc | 36864 | 1136 | 1536 | 1.84173 | b5ed7b029bc65184d8f3a398fb854e6d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2712
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (1531 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.