Trojan.Generic.4629415_b37155a6fa

by malwarelabrobot on November 20th, 2016 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Generic.4629415 (AdAware), TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b37155a6fa30018f5b6e2a287d527c91
SHA1: b062a950f860e811652680510d1db4cc615bdce5
SHA256: 3165a85b6496a8bbcb5590169b66c20657e635a6ae4991fb4e5e5ded89264535
SSDeep: 49152:iu0LSVHASxN9aD7sOP93ZPaZRNsa95ZN5Qe:p0mVgSxa872avh
Size: 1802040 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2001-03-01 23:56:32
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1264

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe (1412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiexec.exe (2203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\usp10.dll (6308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mspatcha.dll (170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msi.dll (30555 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msisip.dll (735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\cabinet.dll (1635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\shfolder.dll (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimsg.dll (16911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\instmsi.msi (18611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sdbapi.dll (1914 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\riched20.dll (8836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\imagehlp.dll (2498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msls31.dll (3719 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimain.sdb (2811 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msihnd.dll (7377 bytes)

Registry activity

The process %original file name%.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

Dropped PE files

MD5 File path
267ab17a3526c6c46b2a1cf9a0a51280 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\cabinet.dll
0b783914a5bf8ce566c6f7be36e50759 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\imagehlp.dll
84cc0e992099f7886057bee4e466f8cf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msi.dll
7a4d01dcc76b268eb08c44d9faba73cf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiexec.exe
4b36d51ea5fdd261e80ee9a93e9f8645 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msihnd.dll
5e9189e28544286137eb313100835892 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe
687cceb254cd60de01ca543a8e1e20c0 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimsg.dll
8915718188df7e4857b85614e2815ca5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msisip.dll
2cab9989fb957efd98dbbbcb9b1946ab c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msls31.dll
61e99aa0a399d3d82dcfb162c712f658 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mspatcha.dll
ae5abec31518e015a9fb4eb196854291 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\riched20.dll
f8fd9158c6c71f3494a1d469ef78eea3 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sdbapi.dll
b7993c10b9a8c3b9735d7696c7b9e8b6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\shfolder.dll
4437b4e1efc79c331070b9f481e3e97a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\usp10.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Windows Installer
Product Version: 2.0.2600.2
Legal Copyright: Copyright (c) Microsoft Corp. 2000
Legal Trademarks:
Original Filename: Msi.dll,MsiHnd.dll,MsiExec.exe
Internal Name: InstMsi.exe
File Version: 2.0.2600.2
File Description: Installer for the Windows Installer
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 34290 34304 4.57382 ae582babaad5a738c32ad1c074e1f3e2
.data 40960 7140 1024 2.90032 730893b14fc930a187215e7fb53bc0a5
.rsrc 49152 1665980 1666048 5.53975 1d53afb04ba76013c213c7d3fe9add04

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 11
7979d28ebc396fb2efa088cb119eaeef
1c6851f5ae4ead3814a4e87cfccd5898
68b9140d72cbaf6bcf7da13f64f6204f
6040478935547deebb52bdef63fb5b37
d9683945d36869d03c10e620b6f83fd8
2e657cb4950481bf0190b0b67ec3dc68
01f432605e9a01ff825cf42a7cd5de6e
84bf0b916c16717c6036510c6a5ec046
0c7971abce00df8370348648ab60c5a9
ebd4683d779eead92bccf37f22fcf013
df25723d2358067fdc999d60ddc4bcd1

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1264:

.text
`.data
.rsrc
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
e\setup\iexpress\wextract\obj\i386\wextract.pdb
PSSSSSSh
t8SSh
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
ADVAPI32.dll
GetWindowsDirectoryA
KERNEL32.dll
GDI32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
COMCTL32.dll
VERSION.dll
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\
33333330
3333333
33333333
PAmsiinst.exe /i instmsi.msi REBOOT=REALLYSUPRESS MSIEXECREG=1 /m /q
msi.dll
msiexec.exe
msihnd.dll
msisip.dll
msimsg.dll
msimain.sdb
msiinst.exe
riched20.dll
usp10.dll
msls31.dll
shfolder.dll
instmsi.msi
imagehlp.dll
cabinet.dll
mspatcha.dll
sdbapi.dll
.dp4?U
*x.eW
,hQ%ux
XDa!%dM
.QKz~
/[Z0.LV
Xurl
I.cn\
~.Baq
I@.lJI
%sQi'B
ho.Bs
$=E.Qw
U%4SU0
(%X&|K
7.skx
I-eP}
6%SY6
[-SBE},
\0.im_
%%uIG%
3.BX$
.Cp(K1
e:%U8
Yd}..fv
i.EO..
.mJD2
n1_F%dtVn
@=.NbO
< .xG
URlM
f]lL%S
Bs1%Cw|=
YR.WS
.gMXx
.Js7,
.jm-Z
wS.PK
_L%4X
$5%F;
Fs<|.ZK
6.sp q
0w_&%f
.lY*z
?5m%F
QEXhq;%c
 .Blp
.FObL
(.UO,
l$.Op
)I%UW
xT%fV
urLNO[
,.ro9
|D%Dq
e.nAy_-D&
%f^Vg,>
2.TPk
vlK.nkkKn
.Tp%l
.AfnX
*.zYa
Y.aADp
N.cP5
..vGj
^B %D\
.NB'/
.Eey4
?{%f"
õfeP"
}q%X[
^.ca]
.Bw_,
\>a.ba^Z'0
Vd.tb
E.nhq
.QoYH
TB.uB
I_q>.hI
dY'A@@6%U7
%dNk 
MsGPO$
&8.sS=
q:%9s
%u.&}
U>.Cv
D>.DU
.ý_
5%SY_
gzc.fC
F.aw_J
^.Nqz
\%F =
XLr.AcK
|=.BR4
XUO%X4
%x1c-L
WÎW
.mBAI
"%So?
E?5K%us
P.egn
yo.ZV
>.JoS?E
Ar.HY<
@$.xY
.fLy^
D%f)su
{.QG"Hl
].SqDs
x#%fy
S%F.}
3%c>aRnP
qq %s<e
h/V%4X
..bw6
_.Rti
?%u@q
%s&Y]{
@.tG4.
.AUbX
 .WMT
[.EUnE
$m.trt`x
%X$^D%
F%F?$
@.Djc
4.SOs*
>CAh%u
vH%S$e,@
?0cexe
.qF`o
.aWp_
)%SJBG
`"| b.gb
M,L%Fw
\-7}2=
R.lRi
-o}:C<V
9X2%D
%8x3v
3:%8XY
4(%0x
#3I%sK:
{.rtZA
Bz.MJv
".Kyc5n
msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb !
Pmsiinst.exe /i instmsi.msi REBOOT=REALLYSUPRESS MSIEXECREG=1 /m /q
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
Installer for the Windows Installer
2.0.2600.2
InstMsi.exe
Msi.dll,MsiHnd.dll,MsiExec.exe
Windows Installer

msiinst.exe_3852:

.text
`.data
.rsrc
MsiExec.exe
MsiExec.exe /regserver /qn
MsiExec.exe /unregserver /qn
msiexec.exe /i instmsi.msi REBOOT=REALLYSUPPRESS MSIEXECREG=1 /m /qb !
msiexec.exe /i instmsi.msi REBOOT=REALLYSUPPRESS MSIEXECREG=1 /m /q
rundll32.exe %s\advpack.dll,DelNodeRunDLL32 "%s"
%s\msiexec.exe /regserver
msi.cat
msi.inf
Microsoft Windows Installer
{2E742517-5D48-4DBD-BF93-48FDCF36E634}
mspatcha.cat
mspatcha.inf
{DCB666AB-5541-44CA-9F7E-B516DF807CAF}
msisip.dll
msiexec.exe
msimsg.dll
msihnd.dll
msi.dll
mspatcha.dll
Successfully opened transform %s.
%d.mst
Wait succeeded for process. Return code was: %d.
RunProcess (%s, %s)
%s : %d.%d.%d.%d
Unable to get version info for %s. Error %d.
InstMsi version of %s is %s than existing.
%s\%s
Unable to determine if instmsi version of %s is newer than the system version. Error %d.
Exiting msiinst.exe with error code %d.
%s TRANSFORMS=:%d.mst
%s TRANSFORMS=:%d.mst %s=%s
%s %s=%s
Found MSI Database: %s
*msi.msi
Invalid operation mode: %d.
ANSI version of the Windows installer is not supported on Microsoft Windows NT.
Running upgrade to MSI from temp files at %s. [Final Command: '%s']
Could not register the Windows Installer from the temporary location. Error %d.
Could not switch to the temporary store. Error %d.
Could not copy over all the files to the temporary store. Error %d.
kernel32.dll
Could not create a run once value for registering MSI from the system directory upon reboot. Error %d.
Temporary files will not be cleaned up. The file advpack.dll is missing from the system folder.
advpack.dll
Could not obtain a temporary folder to store the MSI binaries. Error %d.
Could not create runonce values. Error %d.
Only system administrators are allowed to update the Windows Installer.
Could not obtain the location of the IExpress temporary folder. Error %d.
Could not obtain the system directory. Error %d.
Could not obtain the path to the windows directory. Error %d.
Software\Microsoft\Windows\CurrentVersion\RunOnce
Found unused RunOnce entry : %s
Successfully loaded the specified procedure from %s.
Could not load the specified procedure from %s.
Could not load module %s. Error: %d.
GetWindowsDirectoryA
GetWindowsDirectoryA/W
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA/W
Attempting to get function %s.
Could not get temporary installer directory. Error %d.
Unable to create the installer folder. Incorrect version of msi.dll. Error %d.
Attempting to create folder %s.
%s in the package %s installed.
Version of %s in the package is %d.%d.
Version of %s in the system folder is %d.%d.
Found %s.
%s not found.
GetFileAttributes on %s failed with %d.
sdbapi.dll
msimain.sdb
Could not terminate %s.
Successfully terminated %s.
ntdll.dll
Will now attempt to terminate igfxtray.exe and hkcmd.exe, if they are running.
Temporary store located at : %s
%s\InstMsi%d
mscoree.dll
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
MsiInst.pdb
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
GetCPInfo
KERNEL32.dll
USER32.dll
ole32.dll
VERSION.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe
.hkcmd.exe
igfxtray.exe
5.1.2600.27 (xpclnt_qfe(rahulth).020125-2033)
msiinst.exe
Windows
Operating System
5.1.2600.27


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1264

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe (1412 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiexec.exe (2203 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\usp10.dll (6308 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mspatcha.dll (170 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msi.dll (30555 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msisip.dll (735 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\cabinet.dll (1635 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\shfolder.dll (242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimsg.dll (16911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\instmsi.msi (18611 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sdbapi.dll (1914 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\riched20.dll (8836 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\imagehlp.dll (2498 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msls31.dll (3719 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimain.sdb (2811 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msihnd.dll (7377 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
