MD5: b1f44a7f6d6a115481956524b7630a67
SHA1: f2df5a76cb580cc127fdf6dbc3210c1131087fc7
SHA256: 4983787cec51e1a7c17e80b3281dddac703e51e539b54b7d0ecb9de0e9056f02
SSDeep: 24576:/1/aGLDCM4D8ay0MZo8/8hVvj6har/IEMT9v:wD8ay0MZoFhiT9v
Size: 1010951 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: no data
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

vjnfk.exe:3624
%original file name%.exe:3864

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process vjnfk.exe:3624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\original .exe (1963131 bytes)
C:\config.sys .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)

The Trojan deletes the following file(s):

C:\Miray (0 bytes)
C:\Mirat (0 bytes)
C:\Mirav (0 bytes)
C:\Miraw (0 bytes)
C:\Mirap (0 bytes)
C:\Mirar (0 bytes)
C:\Miras (0 bytes)
C:\Miral (0 bytes)
C:\Mirao (0 bytes)
C:\Mirai (0 bytes)
C:\Mirak (0 bytes)
C:\Mirad (0 bytes)
C:\Mirae (0 bytes)
C:\Mirag (0 bytes)
C:\Miraa (0 bytes)
C:\Mirab (0 bytes)

The process %original file name%.exe:3864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
C:\ProgramData\vjnfk.exe (1020884 bytes)

Registry activity

The process vjnfk.exe:3624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\vjnfk.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Mira Malware
Product Version: 1.0.0.155
Legal Copyright: Microsoft Corporation
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.155
File Description: Mira Malware
Comments:
Language: English (United States)

PE Sections

Dropped from:

fb35649bd137f156d69ff48182e47750

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
4cc1649a00723d63d0df81c2a1288796
68d0729e9ec8ac3eb4c3a8ff854bb0dd
c19ebd1ea2090329ebeadd4c8a5bc2ad
c1ec345b48cd79a404188bb87be4a31f
ac6219f1fd4d9efa720534228989e631

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rdata

@.bss

.idata

C:\ProgramData\vjnfk.exe

Software\Microsoft\Windows\CurrentVersion\Run

Windows

Operating System

%H:%M:%S

%m/%d/%y

-0123456789

%s:%u: failed assertion `%s'

RegCloseKey

RegOpenKeyA

ADVAPI32.DLL

KERNEL32.dll

msvcrt.dll

SHELL32.DLL

SearchProtocolHost.exe_3616:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_3988:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   vjnfk.exe:3624
   %original file name%.exe:3864

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\original .exe (1963131 bytes)
   C:\config.sys .exe (1963131 bytes)
   C:\bootmgr .exe (1963131 bytes)
   C:\Boot .exe (1963131 bytes)
   C:\Windows .exe (1963131 bytes)
   C:\ProgramData .exe (1963131 bytes)
   C:\$Recycle.Bin .exe (1963131 bytes)
   C:\BOOTSECT.BAK .exe (1963131 bytes)
   %Documents and Settings% .exe (1963131 bytes)
   C:\%original file name%.exe .exe (1963131 bytes)
   C:\totalcmd .exe (1963131 bytes)
   C:\Users .exe (1963131 bytes)
   C:\XELDZ .exe (1963131 bytes)
   C:\autoexec.bat .exe (1963131 bytes)
   C:\System Volume Information .exe (1963131 bytes)
   C:\marker .exe (1963131 bytes)
   %Program Files% .exe (1963131 bytes)
   C:\pagefile.sys .exe (1963131 bytes)
   C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
   C:\ProgramData\vjnfk.exe (1020884 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Microsoft® Windows® Operating System" = "C:\ProgramData\vjnfk.exe"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.