Trojan.Generic.12201828_38f89da442



by malwarelabrobot on August 22nd, 2017 in Malware Descriptions.

Trojan.Generic.12201828 (AdAware), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 38f89da442e94773e05d3585e58d4ab9
SHA1: 5dafee910e14afbbd031a08f46c27bc1f04d4713
SHA256: aed4a5779346d325824d56c138ba896990d4f0ce645a47d7070c06dafd8f7cc5
SSDeep: 49152:QtPV6GxdyW7kK0luRAB2zPbvmxwaIMsIEjnU/PC1I/MOkc:QtjxdyXuGWbmxwagbiHP
Size: 2234648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-11-02 22:24:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3380

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Laser\QuestUtility.exe (12940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\BHL.ico (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\Athena.ico (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\refresh.exe (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Care360 Downloader.exe (16764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\Help.ico (1716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Setup.exe (17759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\logo.jpg (1716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\care360.ico (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\questc25.ICO (1748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\quest.ico (21 bytes)

Registry activity

Dropped PE files

MD5 File path
805a8d87c685be52537436fb23ae648b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Care360 Downloader.exe
6ab4823731bc853708b44d53aa2cd595 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\refresh.exe
f89e0a09e839756855c3b0d6ea6dd031 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Laser\QuestUtility.exe
a19fbe02c1501d56c66b5040d02a34c8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Setup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 75637 77824 4.50665 cc1d28effbdec11267db3c3abed2d6f4
.rdata 81920 14370 16384 3.45655 0652c0ddd748c5a8a27ed642e547ef6d
.data 98304 59108 8192 1.36808 20a2ded013a4f6e8205f365d604035d4
.rsrc 159744 55100 57344 3.65794 0eb349fc559af897152f990586cac52c
_winzip_ 217088 2080768 2080768 5.54231 cebbaa1775994918144081edf80f194a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_3380:

.text
`.rdata
@.data
.rsrc
%sWZSE%d.TMP
WinInit.Ini
WZSFX32.RPT
Internal error: string resource not found: %d
Internal error: string resource too long: %d
%s - %s
.mixcrt
KERNEL32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
ShellExecuteExA
SHELL32.dll
USER32.dll
GetWindowsDirectoryA
KERNEL32.dll
GDI32.dll
COMCTL32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
SI32E.SFX
I:\NMC\WinZipSE\Common\fileid.c
I:\NMC\WinZipSE\Common\dostime.c
I:\NMC\WinZipSE\Common\datetime.c
I:\NMC\WinZipSE\Common\fileinfo.c
I:\NMC\WinZipSE\Common\Wzextra.c
logo.jpg
ownloader.exe
cal\Temp\WZSE0.TMP\logo.jpg
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\logo.jpg
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP
c:\%original file name%.exe
Unzipping %s
version="3.1.8672.0"
name="WinZipComputing.WinZip.WZSFX"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
Setup.exe
Icons/Athena.ico
Icons/BHL.ico
Icons/care360.ico
Icons/Help.ico
Icons/quest.ico
Icons/questc25.ICO
Icons/refresh.exe
Laser/QuestUtility.exe
lang.dat
layout.bin
os.dat
_sys1.hdr
_user1.cab
Care360 Downloader.exe
WinZip Self-Extractor - Password
This self-extracting Zip file is password protected.
Please type the &password:
please re-create the file and try again."Please insert disk %d in drive %s. Please insert last disk of set in drive %s.?No disk or invalid disk in drive.
Please insert disk number %d.]The disk in the drive appears to be
Insert disk number %d.
No password specified
Incorrect password specified
AUTOMThis 32-bit self-extracting Zip file requires Windows 95, 98, NT, 2000 or XP.
Could not run %s.\%s is still running; if you cancel now, temporary files will not be deleted. Cancel anyway?#Error, no command has been defined.
Abort unzip operation?.File %s is in use by the system. Skipping ...
Error %d running command %s#Error changing to "Unzip To" folder(File %s already exists. Overwrite file?
This file is intended for use under Windows 95, 98, NT, 2000, XP or a system with compatible long filename support.
On the version of Windows you are currently running, any long filenames will probably be truncated and improper operation may result.
TEMP= %d file(s) unzipped successfullyHTo unzip all files in %s to the specified folder press the Unzip button.
WinZip is an award-winning Windows archive utility that brings the convenience of Windows to the use of Zip files. WinZip features built-in ZIP and UNZIP and an easy to use drag-and-drop interface. Fully functional evaluation versions of WinZip are available from the WinZip web site: hXXp://VVV.winzip.com
Can't create output file: %s
Unsupported compression methodDZIP damaged: file %s: Bad CRC. Possible cause: file transfer error.9Invalid ZIP header. Possible cause: file transfer error.2Could not create "%s" - unzip operation cancelled.3Error in folder name specified on the command line.
Unzipping %s0Error writing to %s. Possible cause: disk full.CError reading %s. Possible cause: bad disk or file transfer error.8I/O error on file. Possible cause: file transfer error.
To unzip all files in %s press the "Unzip" button. Files will be unzipped to the folder specified in the "Unzip To Folder" field. This folder will be created if it does not exist.
Licensed to %s)NOT LICENSED FOR DISTRIBUTION OF ANY KINDIWinZip
WinZip International LLC hXXp://VVV.winzip.com
registered user of WinZip Self-Extractor %s (%s)
WinZip International LLC (VVV.winzip.com)
unregistered user of WinZip Self-Extractor %s (%s)
WinZip International LLC (VVV.winzip.com)9Drive %s is not a valid drive, unzip operation cancelled.UCannot use command file %s
Windows does not have a program associated to run with it.
Windows. WinZip Self-Extractor cannot process this
this self-extractor fileVThe selected folder contains unsupported
$Invalid command line parameter (%s).
Please save the file %s (created on your desktop) and inform WinZip Computing.
Internet: support@winzip.com
Web: hXXp://VVV.winzip.com
not enough memory(WinZip internal error in file %s line %d.
Current date/time: d/d/d d:d
Module name = %s
Operating System Version %d.d
Windows NT
Windows 95/98
Version %d.%d

Setup.exe_2712:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
kernel32.dll
oleaut32.dll
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
mscoree.dll
combase.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
APPSKEY
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDelay
SendKeyDownDelay
TCPTimeout
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 12, 0
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Setup.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3380

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Laser\QuestUtility.exe (12940 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\BHL.ico (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\Athena.ico (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\refresh.exe (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Care360 Downloader.exe (16764 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\Help.ico (1716 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Setup.exe (17759 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\logo.jpg (1716 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\care360.ico (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\questc25.ICO (1748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WZSE0.TMP\Icons\quest.ico (21 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
